ADMIN GUIDE

Administrator Guide for KBOX™ 1000 Series

Version 4.3 - 1200


© 2004-2009 KACE Networks, Inc. All rights reserved.

Welcome to KBOX 1000 ownership!

Welcome to version 4.3 of the KBOX™ 1000 Series appliance. This Administrator Guide is designed to
help you install, configure, use, and maintain your KBOX 1000 Series appliance. KACE™ is dedicated to
customer success, and our primary goal is for you to quickly put your KBOX 1000 Series appliance to work
saving time and eliminating the tedious tasks of manual inventory, software, and desktop management.

If at any time you experience a problem, or have a question regarding your KBOX 1000 Series appliance,
please contact our support representatives for assistance.

Support Contact:

KACE Technical Support


(888) 522-3638 for support select option 2
http://www.kace.com/support

Company Contact:

Kace Networks, Inc.


1616 North Shoreline Blvd.
Mountain View, California 94043
(888) 522-3638 office for all inquiries
(650) 649-1806 fax

Contents

About this Guide
How this Guide is Organized
Conventions
Additional Resources
Support
KBOX 1000 Series JumpStart Program
KACE Professional Services

Ch. 1 Getting Started

Introduction
KBOX Appliance Components
Hardware Specifications
User Interfaces
Organizational Components
Software Deployment Components
Setting Up the KBOX Server
The KBOX Modules
Home Module
The KBOX Summary
Client Check-In Rate
Distributions
Software Threat Level
License Compliance
Clients Connected
Managed Operating Systems
Tasks in Progress
KBOX Version
Computer Statistics
Software Statistics
Software Distribution Summary
Alert Summary
Patch Bulletin Information
OVAL Information
Network Scan Summary
Global Search
Setting Up KBOX Agent
Alternative Options to Deploy KBOX Agents
Key Configuration Settings
Configuring General Settings for the Server
Configuring Network Settings for the Server
List of Open Ports Required for KBOX Server
Configuring Security Settings for the Server
SSL Certificate Wizard
Configuring AMP Settings for the Server
Configuring Date & Time Settings of the KBOX Server

Ch. 2 Agent Provisioning

Overview of Agent Provisioning
System Requirements for the KBOX Agent
Single Machine Provisioning
Advanced Provisioning
Provisioned Configurations
Provisioning Results
KBOX Agent Tasks
KBOX Agent Settings
KBOX Agent Update
AMP Message Queue

Ch. 3 Inventory

Overview of the Inventory feature
Using Advanced Search for Computer Inventory
Creating Search Filters for Computer Inventory
Creating Computer Notifications
Filtering Computers by Organizational Unit
Computers Inventory
Summary
Inventory Information
Software
Activities
Security
Logs
Asset
Adding Computers to Inventory
Adding Computers automatically
Adding Computers manually
Software Inventory
Using Advanced Search for Software Inventory
Creating Search Filters for Software Inventory
Adding Software to Inventory
Adding Software Automatically
Adding Software Manually
Custom Inventory ID (rule)
Creating Software Asset
Custom Data Fields
Attaching a Digital Asset to a Software Title
Software Metering
Adding a Software Meter
Editing Software Meter Details
Deleting a Software Meter
Configuring the Software Metering Settings
AppDeploy℠ Live
Enabling AppDeploy Live
Viewing AppDeploy Live content
Processes
Startup
Service
Monitoring Out-Of-Reach Computers (MIA)
Configuring the MIA Settings
Labels
Creating Labels
Viewing Computer Details by Label
Deleting labels

Ch. 4 Asset Management

Overview of Asset Management
Managing Asset Types
Asset Association
Managing Assets
Licensing
Monitoring licenses of a Software family
Generating Reports
Importing Asset

Ch. 5 IP Scan

IP Scan Overview
Viewing Scheduled Scans list
Creating an IP Scan
Scan Filters

Ch. 6 Distribution

Distribution feature Overview
Types of Distribution Packages
Distributing Packages through the KBOX
Distributing Packages through an Alternate Location
Difference between Replication Share and Alternate Download Location
Managed Installations
Installation Parameters
Creating a Managed Installation for Windows Platform
Examples of Common Deployments on Windows
Standard MSI Example
Standard EXE Example
Standard ZIP Example
Examples of Common Deployments on Linux
Standard RPM Example
Standard TAR.GZ Example
Examples of Common Deployments on Solaris™
Standard TAR.GZ Example
Examples of Common Deployments on Macintosh®
File Synchronizations
Creating a file synchronization
Replication
Creating a Replication Share
Viewing Replication Share Details
Replication enhancements in the KBOX version 4.3
iPhone
Setting up Administrative Access to iPhone Profile Management
Creating Configuration Profiles
Adding an iPhone Profile
To view or edit profile details:
Configuring Collection Settings
iPhone Asset
Configuring iPhone

Ch. 7 Wake-on-LAN

Wake-on-LAN feature Overview
Issuing a Wake-on-LAN request
Troubleshooting Wake-on-LAN

Ch. 8 Scripting

Scripting Module Overview
Using Scripts that are installed with the KBOX
Creating and Editing Scripts
Adding Scripts
Editing Scripts
Importing Scripts
Duplicating Scripts
Token Replacement Variables
Using the Run Now function
Run Scripts using the Run Now tab
Run Now from the Script Detail page
Monitoring Run Now Status
Run Now Detail Page
Searching Scripting Log Files
Configuration Policies
Enforce Registry Settings
Remote Desktop Control Troubleshooter
Enforce Desktop Settings
Desktop Shortcuts Wizard
Event Log Reporter
MSI Installer Wizard
UltraVNC Wizard
Un-Installer Wizard
Windows Automatic Update Settings policy

Ch. 9 Patching

Overview of the Patch Management feature
Patch Quality Assurance
Patching enhancements in 4.3
Patching Workflow
Subscription Settings
Patch Listing
Using Advanced Search for Patching
Detect and Deploy Patches
Patching Reports
Creating a Replication Share for Patches
Create New Windows Update Policy

Ch. 10 Security

Security Module Overview
About OVAL and CVE
OVAL Tests
Running OVAL Tests
OVAL Updates
OVAL Settings
Vulnerability Report
Computer Report
Creating Security Policies
Enforce Internet Explorer Settings
Enforce XP SP2 Firewall Settings
Enforce Disallowed Programs Settings
Enforce McAfee AntiVirus Settings
McAfee SuperDAT Updater
Enforce Symantec AntiVirus Settings
Quarantine Policy
Lift Quarantine Action

Ch. 11 User Portal and Help Desk

Overview of the User Portal
End User View of the User Portal
Administrator View of the User Portal
Understanding the Software Library feature
Creating a software library to deploy
Using the Knowledge Base
Adding Knowledge Base Articles
Editing and Deleting Knowledge Base Articles
Managing Users
Adding Users Manually
Adding Users automatically
Importing Users
Roles
Creating and Editing Roles
Overview of the Help Desk Module
Helpdesk Queues
Customizing Help Desk fields
Help Desk E-mail Customization
Ticket Rules
Creating and Editing Help Desk Tickets
Submitting Help Desk Tickets through E-mail
Setting Ticket Attributes via E-mail
Editing Help Desk Tickets
Searching Help Desk tickets
Managing Help Desk Tickets
Understanding the Escalation Process
About the Satisfaction Survey
Running Help Desk Reports

Ch. 12 Reporting

The KBOX Reports Overview
Types of Reports
Running Reports
Creating and Editing Reports
Previewing SQL report
Scheduling Reports
Alert Messages
Creating Alert Messages
E-mail Alerts
Creating E-mail Alerts
Filters
Exporting Reports
Importing Reports

Ch. 13 LDAP

LDAP Browser
LDAP Easy Search
LDAP Browser Wizard
LDAP Filters
User Authentication

Ch. 14 KBOX Settings - System Admin

Configuring General Settings for the Server
List of Open Ports required for the KBOX Server
Configuring Network Settings for the Server
Managing System Console Users
Configuring Security Settings for the Server
SSL Certificate Wizard
Configuring AMP Settings
Configuring Date & Time Settings of the KBOX Server
Troubleshooting Tools
Single Sign-On
Linking KBOX Appliances Settings
Manage Linked KBOX Appliances

The KBOX Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273


Client Check-In Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Web Server Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Tasks in Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
KBOX Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Computer Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Software Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Software Distribution Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Alert Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Patch Bulletin Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
OVAL Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Network Scan Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Ch. 15 Organizations - System Admin . . . . . . . . . . . . . . . . . . . . . . . . 277

Overview of Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278


Default Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Creating and Editing Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Organizational Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284


Default Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Creating and Editing Organizational Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Organizational Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Creating and Editing Organizational Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

KBOX Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290


Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Test Organization Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Refiltering Computer(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Redirecting Computer(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Understanding Computer Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Ch. 16 Server Maintenance - System Admin . . . . . . . . . . . . . . 293

The KBOX Maintenance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294


Upgrading the KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Backing up the KBOX Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295


Backing up the KBOX Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Downloading Backup Files to another location. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Restoring the KBOX Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296


Restoring from most recent backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Uploading Files to Restore Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Restoring to Factory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Updating the KBOX Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297


Verifying Minimum Server Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Updating the license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Applying the server update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Verifying the update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Patch Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299


Updating Patch Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Deleting Patch files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Enhanced Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Rebooting and shutting down the KBOX appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Updating OVAL Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300


Troubleshooting the KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Accessing the KBOX Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Downloading Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Understanding Disk Log Status Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Ch. 17 Reporting - System Admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

The KBOX Reports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308


Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Creating and Editing Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312


Previewing SQL report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Exporting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319


Importing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Appendix A Macintosh® Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Examples of Common Deployments on Macintosh® . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
User Portal and Help Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
AppDeploy Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Appendix B Adding Steps to a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

Adding Steps to Task Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Appendix C Database Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

The KBOX Database Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Appendix D Manual Deployment of the KBOX Agent . . . . . . . . . . . . . . 342

Manual Deployment of the KBOX Agent on Linux . . . . . . . . . . . . . . . . . . . . . 343


Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Upgrading the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Manual Deployment of the KBOX Agent on Solaris . . . . . . . . . . . . . . . . . . . . 345


Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Upgrading the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Manual Deployment of the KBOX Agent on Macintosh® . . . . . . . . . . . . . . 347


Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Upgrading the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Appendix E Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Appendix F Understanding the Daily Run Output . . . . . . . . . . . . . . . . . . 354

Appendix G Warranty, Licensing, and Support . . . . . . . . . . . . . . . . . . . . . . 360

Warranty and Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361


Third Party Software Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369



OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Exim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
OVAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
#ZipLib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Other Copyrights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392



PREFACE

About this Guide


This chapter provides an overview of the Administrator
Guide and links to resources that will help you better
administer your KBOX.

“How this Guide is Organized,” on page xii


“Conventions,” on page xiii
“Additional Resources,” on page xiv
“Support,” on page xiv

How this Guide is Organized
This Administrator Guide contains detailed information about the KBOX 1000 Series Systems Management
appliance, and is intended for system administrators. This guide provides detailed step-by-step instructions
on deployment, configuration, and upgrades on the KBOX 1000 Series Systems Management Appliance.
This guide is organized into the following sections:
Orientation and Setup
Chapter 1, “Getting Started,” starting on page 1
Chapter 2, “Agent Provisioning,” starting on page 28
Chapter 3, “Inventory,” starting on page 54
Chapter 4, “Asset Management,” starting on page 86
Chapter 5, “IP Scan,” starting on page 96
Chapter 6, “Distribution,” starting on page 102
Configuration
Chapter 7, “Wake-on-LAN,” starting on page 139
Chapter 8, “Scripting,” starting on page 142
Chapter 9, “Patching,” starting on page 166
Chapter 10, “Security,” starting on page 178
Maintenance and Support
Chapter 11, “User Portal and Help Desk,” starting on page 193
Chapter 12, “Reporting,” starting on page 225
Chapter 13, “LDAP,” starting on page 242
Chapter 14, “KBOX Settings - System Admin,” starting on page 255
Chapter 15, “Organizations - System Admin,” starting on page 277
Chapter 16, “Server Maintenance - System Admin,” starting on page 293
Chapter 17, “Reporting - System Admin,” starting on page 307
Reference
Appendix A, “Macintosh® Users,” starting on page 322
Appendix B, “Adding Steps to a Task,” starting on page 330
Appendix C, “Database Tables,” starting on page 336
Appendix D, “Manual Deployment of the KBOX Agent,” starting on page 342
Appendix E, “Agent Customization,” starting on page 350
Appendix F, “Understanding the Daily Run Output,” starting on page 354
Appendix G, “Warranty, Licensing, and Support,” starting on page 360

Conventions
The KBOX 1000 application and guide use the following formatting conventions:

Format      Description

Bold        Represents buttons, tab labels, and menu selections.
| (pipe)    Represents the selection order. For example, Inventory | Computers. Here
            Inventory is the module and Computers is the tab under the Inventory module.

Table ii-1: Formatting Conventions

Text in a blue box represents a note. A note can include configuration questions, specific
KBOX behavior, or instructions of additional importance.

Edit Mode Link


This convention is used in the application and is therefore reflected in this guide. Certain screens of the Admin or
System consoles are write-protected to prevent unintentional changes to the current settings. To make
these pages editable, click [Edit Link].

Modules: Click the module names to view tabs under it.
Tabs: Displays the tabs within the selected module. Click the tab to view its contents.
Sub tabs: Displays the sub tabs within the selected module. Click to perform tasks like Creating a Filter, Creating a

Figure ii-2: Conventions

Additional Resources
You can refer to the following resources to install, configure, and maintain the KBOX:
Silent Mode Installation Tips and Tricks - http://www.kace.com/support/customer/doc/SilentInstallationWhitepaper.pdf
Installation and Scripting resources - http://www.kace.com/support/customer/additional_resources.php
Tutorial Videos - http://www.kace.com/support/customer/training.php

Contact Kace Support if you do not have a user name and password to access these
resources.

Support
The KBOX 1000 Series pack includes software updates, telephone support, and access to an on-line
support portal, which includes:
Software and documentation - Software updates for all purchased KBOX components (operating
system, middleware, and applications) and their upgrade information on the www.kace.com/support
portal
Knowledge base of frequently asked questions
Details on the most common software package installation switches
Other IT management information - White papers, video tutorials for configuring the
KBOX Server as per customer requirements, and other material

To access the Support portal:

1. Select KBOX Settings | Support or click on the modules toolbar. The KBOX Settings: KACE
Support page appears.
2. The Support page displays the following links:
KBOX Administrator Guide - Link to the KBOX 1000 Series Administrator Guide, which includes
steps to install and operate KBOX 1000.
KACE Customer Support - Link to the KACE Support page on the KACE website. It displays
Updates, Video Tutorials, FAQs, Current News, and Customer Forums.
AppDeploy.com - Link to open the AppDeploySM website. AppDeploy is an online community of IT
professionals sharing information about the deployment of thousands of applications.
New KACE Ticket - Link to the New KACE Support Ticket page. This page helps you to raise a
ticket, send a bug report, or submit a feature request.
View KACE Tickets - Link to the Tickets page on support.kace.com, where you can track your
ticket status.
Contact KACE - Link that opens your default e-mail client to send an e-mail to support@kace.com.
Troubleshooting Tools - Link that opens the KBOX Support: Troubleshooting Tools page. This page
contains tools to help KBOX administrators and KACE Technical Support troubleshoot problems
with this KBOX. You can use Network Utilities to test various aspects of this KBOX's network
connectivity; see page xvi.

To create a new support ticket:

1. Select Settings | Support or click on the modules toolbar. The KBOX Settings: KACE
Support page appears.
2. Click New KACE Ticket. The New KACE Support Ticket page appears.
3. Enter the following details:

From                Enter a valid e-mail address for creating the ticket. This is a mandatory field.
Name                Enter the name of the person who is creating the ticket. For example, Jim.
To                  A read-only field that displays the KACE support e-mail address.
CC                  Enter the e-mail address of a recipient to send them a copy of the message.
Subject             Enter the subject of the ticket to identify the problem addressed in the ticket.
Ticket Type         Select the Ticket Type from the drop-down list. The Ticket Type list includes:
                    Help Request - Select for any issues regarding the KBOX Server
                    Feature Request - Select to request additional features that enhance the
                    KBOX Server functionality
                    Bug Report - Select to report bugs found in the KBOX Server to KACE Support
Impact              Select the impact of the problem from this list:
                    Many people can't work
                    Many people inconvenienced
                    1 person can't work
                    1 person inconvenienced
Priority            Select the priority from the drop-down list, which can be:
                    High - A ticket with this priority receives a response on the same day
                    Medium - A ticket with this priority receives a response within 24 hours
                    Low - A ticket with this priority receives a response within 24 hours
Category            Select the category of the ticket from the drop-down list. This selection helps
                    you to segregate the tickets based on the issue. For example, “Windows KBOX
                    Agent not functioning properly.”
Phone Number        Enter the phone number at which the KACE support team can contact you.
Please Respond by   Enter the method by which KACE should respond to this request. You can select
                    either e-mail or phone.
Steps to Reproduce  Enter the steps you performed to discover this issue. This is a mandatory field.
Additional Details  This is a read-only field that displays the KBOX 1000 Series Server Version,
                    Server Serial Number, and the KBOX Model name.



4. Click Send to support@kace.com.
Your request is automatically entered into the ticketing system, and you receive an e-mail confirmation
with additional information based on the ticket you created. This includes a direct link to view the
ticket details for tracking purposes.

To use Network Utilities:

You can use Network Utilities to test various aspects of the KBOX's network connectivity.

1. Select KBOX Settings | Support or click on the modules toolbar. The KBOX Settings:
KACE Support page appears.
2. Click Troubleshooting Tools. The Troubleshooting Tools page appears.
3. Click the [Edit Mode] link.
a In the text box, enter the IP address on which you want to execute a network command.
b Select the appropriate network command from the drop-down list. The commands are as follows:

Command        Description

ping           This command helps in determining IP addresses and issues with the network, and
               assists in resolving them.
arp            This command displays the ARP information from network devices (IP address to MAC
               address).
dig            This command performs DNS lookups and displays the answers that are returned from
               the queried name server(s).
ifconfig       This command allows you to view information about the configured network interfaces
               on the KBOX Server.
iostat         This command monitors the KBOX Server's system input/output (I/O) device loading
               by observing the time the physical disks are active in relation to their average transfer
               rates.
netstat        This command displays the TCP/IP network protocol statistics and information for the
               KBOX Server.
smbstatus      This command lists the current Samba connections to the KBOX Server.
top            This command displays system summary information and a list of tasks currently
               managed on the KBOX Server.
email sending  This command tests if the KBOX Server can send e-mail to the specified recipient(s).
services       This command lists the various services running on the KBOX Server and their status.

Table ii-3: Network Utilities


4. Click Test. The test details for the command you selected are displayed.
Click the “click here” link in “To download logs, click here” to download the KBOX
Troubleshooting Logs. The download contains a variety of logs, such as Access logs, KBOX Server updates, and
so on. These help the support team in troubleshooting the issues.
To view details on KBOX Agent Messaging, click the “tasks” link in “See status of KBOX Agent
tasks” under KBOX Agent Messaging. For more details, see section “KBOX Agent Tasks,” on
page 43.
Click the “message queue” link in “See list of pending communications in the KBOX Agent message
queue”. For more details, see section “AMP Message Queue,” on page 51.
Select the Enable Tether check box under KACE Support Tether to allow KACE Technical Support
access to your KBOX.
KACE Support sends a tether key to the user when issues such as the Admin being unable to log in,
the database getting corrupted, and others are observed in the KBOX Server. This tether key, when uploaded, creates
a secure connection with the user’s KBOX and enables KACE Support to access the affected KBOX
Server at the user interface and SSH level.

KBOX 1000 Series JumpStart Program


The KBOX 1000 Series JumpStart Program guarantees that your KBOX 1000 Series appliance is correctly
installed and configured. It provides you with customizable, hands-on training to familiarize you with the
products. The KBOX Systems Management Appliance JumpStart Program activities and training are
focused specifically on the systems management and end-point security capabilities of the KBOX Systems
Management Appliance.
The JumpStart Program includes the following:
Installation Assistance - Your KBOX appliance is installed and configured.
Best Practices - Includes training on best practices such as how to organize devices into groups
(labels) for management and reporting purposes, automating the KBOX backups, setting up alerts, and
so on.
Reporting - Provides walkthroughs for creating new reports and customizing existing reports with the
KBOX wizard-based authoring tool. If you are already standardized on an ODBC compliant reporting
tool and want to use that tool to generate reports, the JumpStart Program shows you how to make the
connection to the KBOX database.
Agent Deployment Assistance - Provides a customized roll out plan that includes deployment of up
to 150 agents on your network and the capturing of the initial computer inventory.
Software Distribution & Patch Management Assistance - Provides customized training and one
managed installation created and deployed using remote administration.
Directory Services Integration - Assistance with LDAP or Active Directory integration.
Scripting and Policy - Provides walkthroughs for creating and deploying scripts and policies.
Security Audit and Enforcement Module (standard with KBOX 1200, optional with KBOX
1100) - Includes training on how to set up OVAL vulnerability scans, and configure security policies
such as enforcing XP firewall and Internet Explorer settings. Refer to Security Audit and Enforcement
Module for more details.
Help Desk Module (optional with both KBOX 1100 & KBOX 1200) - Includes training on
configuring the Help Desk module with custom escalation and routing rules, using custom fields, and
importing user data via LDAP. Refer to Help Desk Module for more details.
For more information on the JumpStart program, you can refer to the following resources:
KBOX Jumpstart Datasheet
Contact KACE Customer Support for more information on the support services.

KACE Professional Services
KACE professional services are delivered by KACE partners or KACE engineers, tailored to match your
specific needs, and improve your organization's IT efficiency, compliance, and security. Some common
KBOX 1000 Series services include the following:
1. Leverage more functionality of your KACE appliances - KACE has created a collection of the
most requested services offerings using the knowledge gained from hundreds of the KBOX
deployments. This service is designed to help you leverage all the sophisticated functionality of your
KBOX.
2. Optimize your interactions with KACE experts - This service complements your JumpStart
training, and provides more in-depth instructions related to specific capabilities of your KBOX and
associated modules.
3. Obtain quick and economical practical functionalities - This service helps you in implementing
the KBOX features quickly and economically.
4. Help Desk Configuration Offering - This service is designed to offer detailed guidance in
implementing the following:
a Ticket Assignment Workflow
b Ticket Escalation Workflow
c Ticket Notification Workflow
d Custom Field Creation
e Custom Ticket Reporting
5. Scripting for Advanced Deployment Offering - This service provides expert assistance in creating
managed deployments using:
a Custom Script Creation
b Advanced Managed Installs
c Advanced Inventory Tracking
6. Customer Report Offering - This service provides customized KBOX reports created as per your
requirements:
a Custom Inventory Reporting
b Custom Asset Reporting
c Custom Deployment Reporting
d Any Custom Reporting
7. JumpStart Refresher - This service is designed for a new administrator taking over an existing KBOX
configuration. It is a condensed version of our standard JumpStart and includes:
a Review Existing KBOX Configuration Settings
b Review Agent Deployment
c Review Software Packaging and Deployment
d Review Script Creation
e Review Patching

To learn more about professional services, refer to Professional Services and contact your Kace account
manager.
CHAPTER 1

Getting Started

This chapter guides you through installing and setting up the KBOX 1000 Series Systems Management
appliance to work in your environment.

“Introduction,” on page 2
“Setting Up the KBOX Server,” on page 4
“Setting Up KBOX Agent,” on page 14
“Alternative Options to Deploy KBOX Agents,” on page 15
“Key Configuration Settings,” on page 16
“Configuring General Settings for the Server,” on page 16
“Configuring Network Settings for the Server,” on page 19
“Configuring Security Settings for the Server,” on page 21
“Configuring AMP Settings for the Server,” on page 24
“Configuring Date & Time Settings of the KBOX Server,” on page 26

Introduction
This section provides an introduction to your KBOX 1000 Series Systems Management Appliance and an
overview of the total system management workflow.
This section also lists the basic administrative procedures and the best practices for system management.

KBOX Appliance Components


The KBOX Appliance consists of the following components:
1. Server Console—It is used by the KBOX administrator only to change the network settings. At the
login prompt enter:
Login ID: konfig
Password: konfig
Using the UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS
settings to match your network.
2. KBOX Agent—It is the KBOX 1000 Series technology that sits on each desktop that the KBOX 1000
Series manages. It includes an application component that manages downloads, installations, and
desktop inventory. The KBOX Agent also includes the KBOX Agent Management Service that initiates
scheduled tasks such as inventory or software updates.

Hardware Specifications
The KBOX 1000 Series Systems Management Appliance includes a high-performance server with the
following hardware configuration:

Hardware | KBOX 1100 | KBOX 1200
CPU in Gigahertz (GHz) | 2 Xeon Quad Core (2 GHz) | 2 Xeon Quad Core (2 GHz)
Memory in Gigabyte (GB) | 2 GB | 4 GB
Ethernet Ports | Dual Gigabit Ethernet Ports | Dual Gigabit Ethernet Ports
Redundant Disk Array | RAID 1 configuration | RAID 5 configuration
Hard Drives | 3 X 250 GB SATA 7.2K RPM hot-swappable | 3 X 147 GB SAS 15K RPM & 500 GB SATA 7.2K RPM hot-swappable

Table 1-1: Hardware Specifications

User Interfaces
The KBOX 1000 Series solution is comprised of the following primary user interfaces accessed by the
system administrators:
System Console—It is designed primarily to enforce the policies across the organizations. It is
accessible by browsing to http://kbox/system.
Administrator Console—It is a web-based interface to access and direct the functionality and
capabilities within your organizations. It is accessible by browsing to http://kbox/admin. The
administrator console supports five primary modules:
Inventory Management
Software Distribution
User Portal
Reporting
Settings
In addition, it can include the following components:
Asset
Scripting
Security
Help Desk
Virtual Kontainers
User Portal—It is used to make software titles available to users on a self-service basis. The end-user
portal is not intended to replace traditional push software distribution (as is handled by the
Administrator Console and the KBOX Agent). However, the User Portal provides a repository for
software titles that are not required by all users. If you have installed the optional Help Desk module,
the User Portal also provides a way for users to submit and track help desk tickets. It is also designed to
help users in routine tasks like software installation, and getting help through Knowledge base. It is
accessible by browsing to http://kbox/.
For sales and purchasing information, or to evaluate how KACE can save you time and money, contact
the KACE sales team at sales@kace.com or by phone at 1-888-522-3638.

Organizational Components
The KBOX 1000 Series supports a flexible data model for managing computers, software, users, and
license keys:
LDAP Support—The KBOX 1000 Series enables you to automatically discover information via the KBOX
Agent or to interface with Active Directory or LDAP organizational units.
Filters—The KBOX 1000 Series provides filters that enable you to apply labels to users and computers
by saving searches on inventory data or LDAP servers. They work much like Search Folders in Outlook,
or Smart Folders in Mac OS X.
Labels—The KBOX 1000 Series offers advanced labeling capabilities that put ad-hoc organizational
capabilities in the hands of the software administrator. You can apply labels either dynamically or
manually. For more information on how to manually apply labels, refer to Chapter 3, “Adding Computers
to Inventory,” starting on page 65.
Dynamic labeling is also referred to as "Filters" on either LDAP data sources or computer inventory. For
more information on how to dynamically apply labels, refer to Chapter 3, “Creating Search Filters for
Computer Inventory,” starting on page 56.

Software Deployment Components


This section describes the packages that can be deployed by the KBOX Server on the agents. The KBOX
supports several types of distribution packages, and this section lists the components used for deployment
of packages:
Managed Installations—These can be configured by the administrator to run silently or in the
forefront of the user’s desktop view. Within a “Managed Installation Definition” the administrator can
define install, uninstall, or command-line parameters. See “Managed Installations,” on page 106 for
detailed information on Managed Installations.
File Synchronization—It is another way to distribute content to computers with the KBOX agent
software. Unlike Managed Installations, File Synchronization is used to distribute files that need to be
placed on a user’s machine without running an installer.
See “File Synchronizations,” on page 124 for detailed information on File Synchronization.
User Portal Packages—They are earmarked by administrators for user self-service. Many KACE
customers use the portal for handling occasional user applications, print drivers, and so on. You also
can use the User Portal to resolve Help Desk issues by allowing users to download and install fixes.
See “Overview of the User Portal,” on page 194 for detailed information on User Portal Packages.
KBOX Agent—It is a special tab to manage the KBOX Agent. See Chapter 2, “Agent
Provisioning,” starting on page 28 for details on how to configure and carry out these tasks.
MSI Installer Wizard—It creates a policy and helps you set the basic command line arguments for
running MSI-based installers. The wizard generates a script used for deploying the software.
See “MSI Installer Wizard,” on page 160 for more details.
The package types are mostly setup.msi or setup.exe files.
The sections that follow describe how to configure the KBOX to meet the needs of your organization.

Setting Up the KBOX Server


While setting up your new KBOX server, perform the following steps:
1. Unpacking the Appliance
Make sure that the box in which the appliance was shipped is unpacked and is undamaged. The box
should include a set of inner and outer rail assemblies and the mounting screws that are needed to
install the system into the rack.
2. Updating DNS
The KBOX requires its own unique static IP address. By default, its hostname is "kbox". Whichever name
is used should be specified in the appropriate “A” record created in the customer's internal Domain Name
System (DNS) servers. An “MX” record containing the hostname defined by the “A” record is required so
that the users can e-mail tickets to the help desk. A Split DNS is required if the KBOX is connected to
the Internet via a reverse proxy or by being placed in the DMZ (demilitarized zone or Screened
Subnet). The purpose of a DMZ is to add an additional layer of security to an organization's Local Area
Network (LAN).
3. Server Setup Location
Determine the placement of the appliance in the rack before you install the rails. The appliance should
be situated in a clean, dust-free, and well ventilated area. Avoid areas where heat, electrical noise, and
electromagnetic fields are generated. Place the appliance near a grounded power outlet. Use a
regulated Uninterruptible Power Supply (UPS) to protect the server from power surges or voltage
spikes, and to keep your system operational in power failures. Leave approximately 30 inches of
clearance in the back of the rack for sufficient airflow and easy access for maintenance.

4. Server Network Configuration
Attach a power cord, keyboard, and monitor, but do not connect a network cable at this time. Turn on
the KBOX. The KBOX may require 5 to 10 minutes when you boot it for the first time. At the login
prompt enter:
Login ID: konfig
Password: konfig
Using UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS
settings to match your network.

Field | Suggested Value | Factory Settings
KBOX Server (DNS) Hostname and Web Server Name | It is recommended that you add a static IP entry for “kbox” to your DNS, and use the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address (for example, kbox). | kbox (both fields)
Static IP Address | Enter the IP address of the KBOX Server. | 192.168.2.100
Domain | Enter the domain that the KBOX is situated on. | corp.kace.com
Subnet mask | Enter your subnet mask. | 255.255.255.0
Default gateway | Enter the network gateway for the KBOX Server. | 192.168.2.1
Primary DNS | Enter the IP address of the primary DNS server the KBOX should use to resolve hostnames. | 192.168.2.209

Table 1-2: Server Network Configuration Settings


5. Click Apply after entering all values. The KBOX reboots after the reconfiguration is completed.
While the KBOX reboots, plug the Ethernet cable into the port closest to the KBOX power supply, and
connect it to a router or hub on your network. Check if the KBOX is online by browsing to
http://kbox/admin on any other computer. If this URL does not open the KBOX, try
http://defaultip/admin, where defaultip is the static IP address that you assigned to the KBOX.
The EULA (End User License Agreement) page appears when the KBOX UI is opened for the first time after
a fresh installation. Read the terms and conditions carefully, and accept the license agreement. After you
accept the EULA (End User License Agreement), log into the KBOX Server with the following details:
The Login ID is: admin
The Password is: admin
If you can access the KBOX Management Center successfully, it indicates that the KBOX network settings
are entered correctly.

It is recommended that you change the password after your first login. For more
information on how to change the password, refer to Chapter 11, “Managing
Users,” starting on page 199.

You can restore the factory settings of the KBOX 1000 Series. For more information on how to restore KBOX
settings, refer to Chapter 16, “Restoring the KBOX Settings,” starting on page 296.

The KBOX Modules


Depending on the license you purchase, the following modules and tabs are available on the
KBOX:

Figure 1-3: The KBOX Modules

The modules are illustrated above and the tabs are as follows:
Admin Console:
1. Home
Summary
Search
2. Inventory
Computers
Software
Processes
Startup
Service
IP Scan
MIA
Label
3. Virtual Kontainers (KBOX Virtual Kontainers module license)
Management
Deployment
Creation
4. Asset (KBOX Asset Management module license)
Assets
Asset Types
Asset Import
Metering
5. Distribution
Managed Installations
File Synchronization
Wake-On-Lan
Replication
iphone (KBOX Mobile Management module license)
6. Scripting (KBOX Policy & Scripting module license)
Scripts
Run Now
Run Now Status
Search Logs
Configuration Policy
Security Policy
7. Security (KBOX Security Enforcement and Audit module license)
Patching
Oval
8. Help Desk (KBOX Help Desk module license)
Tickets
Software Library
Knowledge Base
Users
Roles
Configuration
9. Reporting
Reports
Schedule Reports
Alerts
Email Alerts
Filter
LDAP Filter
Scan Filters
LDAP Browser
10. Settings
Control Panel
KBOX Agent
Support

User Portal:
1. Welcome
2. Software Library
3. My Computer
4. License Keys
5. Help Desk (KBOX Help Desk module license)
6. Knowledge Base
7. Download Log

System Console:
1. Home
Summary
2. KBOX Settings
Control Panel
Logs
Server Maintenance
Support
3. Reports
Reports
Schedule Reports
4. Organizations
Organizations
Roles
Filters
Computers

Home Module
The Home module displays the KBOX Summary and the results of the Global Search field.

The KBOX Summary


The KBOX Summary page provides information about the configuration and operation of your KBOX. When
you log on to the KBOX Administrator Console, the Home module displaying the Summary tab appears
by default.

To view KBOX Summary:

1. Select Home | Summary. The KBOX Summary page appears.


2. The sections that follow provide a description of the summary information that is displayed.
3. Click Refresh to refresh the information displayed.

Client Check-In Rate


Displays the total number of clients that have checked into the server in an hour.

The counter automatically adjusts if the number increases beyond 100.

Distributions
Displays the number of managed installations, scripts, and file synchronizations that are enabled. This also
displays the number of alerts that you have configured.

The counter automatically adjusts if the number goes beyond 30.

Software Threat Level


Displays the various threat levels for software installed on various machines.

The number of machines displayed on the Y axis automatically adjusts if the number of
machines found on a particular threat level increases beyond 12.

License Compliance
Displays the number of machines that use a particular licensed software. For example, the following figure
displays a licensed software Adobe flash player 9, which can be installed on 1000 machines. In this
example, this software is used by 12 machines.

Clients Connected
Displays the percentage of clients connected to the server.

Managed Operating Systems
Displays the operating systems present in the inventory, by percentage, as a pie chart.

Tasks in Progress
Displays the total number of tasks in progress on the server.

To view KBOX Summary details:


1. Select Home | Summary. The KBOX Summary page appears.
2. Scroll down, and then click View Details. The KBOX Summary Details page appears.
The sections below provide a description of the summary details. This summary is for a particular
organization only.

As this page is refreshed, the record count information is refreshed. New KBOX
installations contain mostly zero or no record counts.

KBOX Version
Provides information about the KBOX version that you are currently running.
For example, suppose the KBOX Server build at your end is 4.3.16712 and KACE releases a new patch for
server build 4.3.16712. The patch name is 4.3.16800 and it is pushed to the corporate server.
Log in to the KBOX System Console. On the KBOX Settings | Server Maintenance page, click the Check
for upgrade button. The latest build is available in the Upgrade KBOX field on the KBOX Server
Maintenance page. Click Upgrade now to upgrade your KBOX Server to build 4.3.16800.
The “An upgrade to 4.3.16800 is now available” link also appears on the Home | Summary page.

Computer Statistics
Provides a summary of the computers on your network, including a breakdown of the operating systems in
use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX
license key, you are notified of it here.

Software Statistics
Provides a summary of the software in KBOX Inventory. The summary includes the number of software titles
that have been uploaded to the KBOX.

Software Distribution Summary


Provides a summary of the packages that have been distributed to the computers on your network,
separated out by distribution method. The summary also indicates the number of packages that are
enabled and disabled.

Alert Summary
Provides a summary of the alerts that have been distributed to the computers on your network, separated
by message type. This also indicates the number of alerts that are active and expired.

The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.

Patch Bulletin Information


Provides a summary of the patches received from Microsoft. The summary includes the date and time of
the last patch (successful and attempted), total patches, and total packages downloaded.

OVAL Information
Provides a summary of the OVAL definitions received and the number of vulnerabilities detected on your
network. The summary includes the date and time of the last OVAL download (successful and attempted)
and the number of OVAL tests in the KBOX, in addition to the numbers of computers that have been
scanned.

Network Scan Summary
Provides a summary of the results of Network Scans run on the network. The summary includes the
number of IP addresses scanned, the number of services discovered, the number of devices discovered, as
well as the number of detected devices that are SNMP-enabled.

Global Search
The Search tab in the Home module displays the search results for the text typed in Global Search. You can
refine the results by entering a keyword and selecting a criterion from the All Items drop-down list to
search in. Click the links displayed to go to the appropriate topic.

Setting Up KBOX Agent


Install the KBOX Agent on the required workstations and servers in your network. This section helps you
install the KBOX Agent.

To enable Agent Provisioning functionality:

1. Go to http://kbox/admin in your web browser to open the KBOX Management Center webpage.
2. Click Settings | Control Panel.
3. Click General Settings. The KBOX Settings: General page appears.
4. Modify the Samba Share Settings. For more information on how to modify Samba share settings, refer
to “Configuring General Settings for the Server,” on page 16.

To set up a Provisioning Configuration for a Windows PC:

1. Go to http://kbox/admin in your web browser to open the KBOX Management Center webpage.
2. Click Settings | KBOX Agent.
3. Click Provisioned Configurations. The Provisioned Configurations page appears.
4. Select Create New Configuration from the Choose action drop-down list. The Provisioning Setup
page appears. For detailed information on all of the available options and instructions, refer to Chapter
2, “Agent Provisioning,” starting on page 28.
5. Under Windows Platform Provisioning Settings, select the Provision this platform check box.
6. Enter appropriate values in the relevant fields.
7. Click Save to save the new configuration.

To set up a Provisioning Configuration for a Linux, Macintosh®, or Solaris PC:

1. Go to http://kbox/admin in your web browser to open the KBOX Management Center webpage.
2. Click Settings | KBOX Agent.
3. Click Provisioned Configurations. The Provisioned Configurations page appears.
4. Select Create New Configuration from the Choose action drop-down list. The Provisioning Setup
page appears. Refer to Chapter 2,“Agent Provisioning,” starting on page 28 for details on all the
available options and instructions.
5. Under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings, select the Provision this
platform check box.
6. For detailed information on all of the available options and instructions, refer to Chapter 2, “Agent
Provisioning,” starting on page 28.
7. Click Save to save the new configuration. The Provisioning Configuration name is displayed on the
Configurations page.

To provision your machine:

1. Select the check box next to your Provisioning Configuration, and then select Run Select
Configuration(s) Now in the Choose action drop-down list.
2. The machine that you have selected to receive the agent is displayed. Click the Refresh button at the
bottom of the page; the status in the DNS Lookup column is updated from (unknown) to In
progress… After the installation is completed, the status displays the IP address or hostname of the
machine that you selected.

To verify your agent has checked into the KBOX:

1. After the installation is completed, the new KBOX Agent instantly checks into KBOX Server and
provides the inventory information about the machine and its software to the KBOX Server.
2. Click Inventory at the top of KBOX Management Center webpage to view the list of machines checked
into the KBOX Server. The hostnames of the machines are listed in order of check-in time.

You can also deploy to multiple machines simultaneously by creating a configuration that
identifies an IP range. For detailed information on different options and other
platforms, refer to Chapter 2, “Agent Provisioning,” starting on page 28.

Alternative Options to Deploy KBOX Agents


You can install clients using the installer files for all supported platforms on the KBOX at
\\kbox\client\agent_provisioning\

Ensure that you have enabled the file share to access this folder.

You can use the following methods to install the KBOX Agent:
E-mail:
An e-mail notification can be sent to your users containing either:
Install file
Link to the KBOX 1000 Series
Other Web location to retrieve the required installation file
Users can click on the link and install the appropriate file.

Log-in Script:
Some companies use login scripts, which provide a convenient mechanism to deploy the KBOX Agent when a
user logs on to a machine. If you use login scripts, simply post the appropriate file in an accessible
directory and create a login script for the KBOX Agents to retrieve it.
Given below is a sample Windows login script that checks for the presence of Microsoft’s .NET
framework on the client machine, and installs the appropriate components in order to deploy the KBOX
Agent:
----------------------------------------------------------------------------------------------------
@echo off
rem Install the .NET Framework only if it is not already present.
if not exist "%windir%\microsoft.net" goto neednet
echo .NET already installed.
goto checkkbox
:neednet
start /wait \\location\dotnetfx.exe /q:a /c:"install /l /q"
:checkkbox
rem Install the KBOX Agent only if it is not already present.
if not exist "C:\Program Files\KACE\KBOX" goto needkbox
echo KBOX Agent already installed.
goto end
:needkbox
MsiExec.exe /qn /l* kbmsi.log /I \\location\KInstallerSetupSilent.msi ALLUSERS=2
:end
-----------------------------------------------------------------------------------------------

Key Configuration Settings


It is important to properly configure the server on the KBOX Agent before you begin inventorying and
actively managing the software on your network. For details on agent connection settings, refer to
Chapter 2, “Agent Provisioning,” starting on page 28.

Configuring General Settings for the Server


This section covers the general server configuration settings you should modify before you use the KBOX.

To configure General Settings for the Server:

1. Select Settings | Control Panel.


2. Click General Settings. The KBOX Settings: General page appears.
If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values.
3. In the General Options area, specify the following settings:

Organization Name | Enter the name of your organization. For example, KACE Headquarters.
Company-Institution Name | Enter the name of your company. This name appears in every pop-up window or alert displayed to your users. For example, KACE.
User Email Suffix | Enter the domain to which your users send e-mail. For example, kace.com.
Administrator Email | Enter the e-mail address of the KBOX administrator. This address will receive system-related alerts, including any critical messages, and also the daily run output and security run output. For information on daily run output, refer to Appendix F, “Understanding the Daily Run Output,” starting on page 354.

4. Click Set Options to save your changes.


5. Specify the following Logo Override settings to use your custom logo. Click [Edit Mode] to edit the
field values.

User Portal (.jpg) | Displayed at the top of the User Portal page. 224x50 pixels is the normal size. 104x50 pixels is shorter and doesn't clip the blue highlight around the 'Log Out' link. 300x75 pixels is the maximum size that does not impact the layout.
Report (.jpg) | Displayed at the top of reports generated by the KBOX 1000 Series for this organization. Upload any .jpg file to display the customized logo for the reports of this Organization. If a .jpg file is not uploaded, then the reports of this organization display the logo uploaded in System UI, under Custom Report Logo field in General Settings. The report image dimensions are 120x32 pixels; this is specified in the auto-generated XML layout. You can adjust the XML report if you need a different layout size.
KBOXClient (.bmp) | Displayed in the KBOX Agent. The client bmp image is scaled to 20x20 pixels only and cannot be customized to any other size. It is displayed on snooze pop-ups, install progress pop-ups, alerts, and message windows created by scripts.

The splash screen logo displayed at boot and login is currently not customizable.

6. Click Upload Logos.


7. The Machine Actions allow setting up of a scripted action that you can perform against individual
machines in your environment. They are used to connect to machines remotely, so you can access or
execute a specified task on the target machine directly from the KBOX 1000 Series user interface. You
can configure two actions by selecting them from the Action Item drop-down list. The actions can
execute two different tasks.
The default Machine Action is mstsc.exe (Remote Desktop Connection).
Under the Machine Actions section, associate the appropriate actions and then click Set Actions.
For example:
Select ping.exe -t KACE_HOST_IP from the Action #1 drop-down.
Specify http://KACE_HOST_IP in command line field for Action #2 .
Click Set Actions.
Select Inventory | Computers.
Click the Action #1 icon beside the target machine IP to ping the machine, and click the Action #2 icon
beside the target machine IP to launch a web browser. The KBOX substitutes the KACE_HOST_IP variable
with the target machine IP address and opens a new browser window with that URL.
There are 16 pre-programmed actions available. The Machine Actions can also be programmed for
other tasks. If the machine action does not include the string ".exe", then KBOX treats it as a URL
and opens a new browser window for it. Since it does not require ActiveX, all types of internet browsers
are supported.

Most actions in the Action Icon drop-down list require you to install additional
software for them to function. For example, using TightVNC requires you to install
TightVNC on your machine as well as on the machine you want to access.

Click Action #1 or Action #2 next to the target machine on the Inventory | Computers tab to
execute the Machine Action.
8. In the Optional Ignore Client IP Settings section, enter IP addresses you would like ignored as the
client IP and then click Save List. This might be appropriate in cases where multiple machines could
report themselves with the same IP address, like a proxy address.

Configuring Network Settings for the Server
You can verify or change the default network settings when you log in to the KBOX Server for the first
time.

Any changes made to the Network settings on this page force the KBOX to reboot after
saving. Total reboot downtime should be 1 to 2 minutes provided that the changes
result in a valid configuration.

To configure the KBOX Network Settings:

1. Select KBOX Settings | Control Panel.


2. Click Network Settings. The KBOX Network Settings page appears. If fields are grayed out, you may
need to click [Edit Mode] before you can edit the field values.
3. Specify the following network settings:

KBOX Server (DNS) Hostname and KBOX Web Server Name | We recommend adding a static IP entry for “kbox” to your DNS, and using the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain. For example, kbox.kace.com. The clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address. For example, kbox.
Static IP Address | The IP address of the KBOX server. Note: Be extremely careful when changing this setting. If the IP address is entered incorrectly, refer to the KBOX console and use the konfig login to correct it.
Domain | The domain that the KBOX is on. The default value is corp.kace.com.
Subnet mask | Your subnet mask. The default value is 255.255.255.0.
Default gateway | Your default gateway.
Primary DNS | The primary DNS server the KBOX should use to resolve hostnames.
Secondary DNS | The secondary DNS server the KBOX should use to resolve hostnames. This is an optional setting.
Network Speed | Your network speed. The network speed setting should match the setting of your local LAN switch. When set to auto negotiate, the system automatically determines the best value. This requires the switch to support auto-negotiate. Otherwise, contact your network administrator for the exact setting to be used.

4. To set Network Server Options, perform the following steps:


a To enable e-mail notifications, set the SMTP Server. To set the SMTP Server, select the Use SMTP Server
check box.
b Enter the SMTP Server name in the SMTP Server box.
The server named here must allow anonymous (non-authenticated) outbound mail transport.
Ensure that network policies allow KBOX to contact the SMTP server directly. The mail server must
be configured to allow relaying of mail from the KBOX without authentication.
You can test the e-mail service by using Network utilities. For more information on how to use
Network Utilities, refer to “Support,” on page xiv.
c Select the Use Proxy Server check box to set Proxy Server, and then specify the following proxy
settings as required:
Proxy Type | The proxy type, either HTTP or SOCKS5
Proxy Server | The name of the proxy server
Proxy Port | The port for the proxy server, the default port is 8080
Proxy (Basic) Auth | Select this check box to use the local credentials for accessing the proxy server
Proxy Username | The user name for accessing the proxy server
Proxy Password | The password for accessing the proxy server

The KBOX supports a proxy server that requires realm-based authentication. The proxy server prompts
you to enter the user name and password to authenticate the proxy settings as shown in the following
figure.

If your proxy server uses any other kind of authentication you must add the IP address
of the KBOX on the exception list of the proxy server.

5. Click Set Options to set the Network Server options.

List of Open Ports Required for KBOX Server


Ensure that the following ports are not blocked by your firewall. These ports are required to access KBOX
server.

Port Number | Use
21 | To access backup files through FTP
25 | If KBOX SMTP Server is to be used
80 | HTTP
443 | SSL
3306 | To access KBOX database
8080 | Connects directly to Tomcat
8443 | Connects directly to Tomcat
52230 | For KBOX Agent(s) to connect to the KBOX SERVER via AMP

Table 1-4: Open Ports List
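
A reachability audit for the ports in Table 1-4, added here as an example (it is not part of the original guide or of KACE's own tooling): it probes each listed TCP port from the machine it runs on and compares the result with the set of ports you intend to expose, so a port that is still reachable after you clear Enable backup via ftp (port 21) or Enable database access (port 3306) in Security Settings is reported as "exposed", and a required port that a firewall drops is reported as "blocked". The host name kbox is the guide's default; the function names and the policy set in the example are assumptions.

```python
"""Reachability audit for the KBOX ports in Table 1-4 (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Port numbers and uses copied from Table 1-4 of this guide.
KBOX_PORTS = {
    21: "Backup files through FTP",
    25: "KBOX SMTP Server",
    80: "HTTP",
    443: "SSL",
    3306: "KBOX database",
    8080: "Tomcat (direct)",
    8443: "Tomcat (direct)",
    52230: "KBOX Agent to KBOX Server via AMP",
}


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers refused connections, timeouts, unreachable networks and
        # name-resolution failures (socket.gaierror is an OSError).
        return False


def audit(host, expected_open, ports=KBOX_PORTS, timeout=2.0):
    """Compare observed reachability with the ports you intend to expose.

    expected_open is your own policy for the network segment the audit runs
    from. Returns a list of (port, use, is_open, verdict) tuples sorted by
    port, where verdict is:
      'ok'      - observed state matches the policy
      'blocked' - port should be reachable but is not (firewall or service down)
      'exposed' - port is reachable but the policy says it should not be
    """
    expected_open = set(expected_open)
    numbers = sorted(ports)
    # Probe concurrently so filtered ports do not serialize their timeouts.
    with ThreadPoolExecutor(max_workers=max(1, len(numbers))) as pool:
        observed = list(pool.map(lambda p: probe(host, p, timeout), numbers))

    rows = []
    for port, is_open in zip(numbers, observed):
        if is_open and port not in expected_open:
            verdict = "exposed"
        elif not is_open and port in expected_open:
            verdict = "blocked"
        else:
            verdict = "ok"
        rows.append((port, ports[port], is_open, verdict))
    return rows


if __name__ == "__main__":
    # Hypothetical policy for a client subnet: web consoles and AMP only.
    # Ports 21 and 3306 correspond to the "Enable backup via ftp" and
    # "Enable database access" options in Security Settings.
    wanted = {80, 443, 52230}
    for port, use, is_open, verdict in audit("kbox", wanted):
        state = "open" if is_open else "closed"
        print(f"{port:>5}  {state:<6}  {verdict:<8}  {use}")
```

Run it from each network segment that should, or should not, reach the appliance, with a policy set that reflects that segment.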

Configuring Security Settings for the Server
Security Settings are not mandatory but are required to enable certain functionalities like Samba Share,
SSL settings, SNMP, SSH, Offbox DB Access, and FTP access on the KBOX Server. To use any of the
Security Settings features, you must enable them. For more information, see section “To configure
Security Settings:,” on page 21.

If you make any changes to the Security Settings, restart the KBOX for them to take
effect.

To configure Security Settings:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Security Settings. The KBOX Security Settings page appears.
3. Click [Edit Mode] to edit the security settings fields.
4. In the General Security Settings area, specify the following security settings:

SSH Enabled Select this check box if you want to permit someone to log in to the
KBOX via SSH.
Enable backup via ftp Select this check box if you want to enable backup via ftp. The KBOX
creates a backup of the database and the files stored on it, daily. By
default, these files can be accessed by you via a read-only ftp server. If
you do not need this feature and want to disable the FTP server, clear
this check box. Refer to Chapter 16, “To access the backup files through
ftp:,” starting on page 295.
Secure backup files Select this check box if you want to prevent users from accessing the
KBOX backup files without logging on to the KBOX.
Note: If the Secure backup files check box is not selected, the KBOX
backup files can be accessed without logging on to the KBOX, by entering
the full URL in the browser.

Enable SNMP monitoring Select this check box if you want to allow SNMP monitoring. SNMP
is a network or appliance monitoring protocol that is supported by
many third-party products.
If you do not want to expose the KBOX SNMP data, clear this check
box.
Enable database access Select this check box if you want to allow access to the KBOX database.
The KBOX database is accessible via port 3306, to allow you to run
reports via an off-board tool like Access or Excel.
If you do not want to expose the database in this way, clear this check
box.

5. In the Samba Share Settings area, specify the following settings:

Enable Organization File Shares Select this check box if you want to allow each organization to leverage
the KBOX's client share as an install location for the client.
The KBOX has a built-in Windows file server that can be used by the
provisioning service to assist in distributing the KBOX Client on your
network. KACE recommends that this file server only be enabled when
performing client software installs.
Require NTLMv2 on KBOX File Shares Select this check box if you want to require NTLMv2 authentication for the
KBOX file shares. When you enable this option, the clients connecting
to the KBOX File Shares require support for NTLMv2 and have to
authenticate to the KBOX using NTLMv2. Enabling this option disables
"lanman auth" and "ntlm auth" on the samba server.
Note: NTLMv2 is more secure than NTLM and LANMAN, but non-NTLMv2
configurations are more common, and this option is usually
turned off.
Require NTLMv2 on KBOX Samba Client Usage Certain functions on the KBOX are supported via samba client functions
(e.g. Agent Provisioning). Select this check box if you want to force
these functions to authenticate to off-board network file shares using
NTLMv2. Enabling this option enables the "client ntlmv2 auth" option on
samba client functions.
Note: NTLMv2 is more secure than NTLM and LANMAN, but non-NTLMv2
configurations are more common, and this option is usually
turned off.

6. In the Optional SSL Settings area, specify the following settings, if required:

Enable port 80 access When you activate SSL, port 80 continues to be active, unless the Enable
port 80 access check box is cleared. By default, the standard
KBOX Agent installers attempt to contact the KBOX via port 80, and
then switch to SSL over port 443, after getting the server configuration.
If you disable port 80, you need to contact KACE Support to adjust the
agent deployment scripts to handle SSL. For ease of agent deployment,
leave port 80 active.
SSL Enabled on port 443 Select this check box if you want to allow the clients to check in to the
KBOX server using HTTPS. Refer to “SSL Certificate Wizard,” on page 23.

If you have your own SSL certificate and SSL private key, click [Edit
Mode] to edit the field values. In the Set SSL Private Key File field,
browse to the SSL Private Key file, and in the Set SSL Certificate File
field, browse to the signed SSL Certificate.

Note: Switching over to SSL is a one-way automatic shift
for the clients. The clients need to be reconfigured manually if you later
decide not to use SSL.

7. Click Set Security Options to save the changes and reboot the KBOX.
8. In the Download New Patch Definitions area, click [Edit Mode] to edit the fields and specify as
follows:

Disable download of new patches Select to disable download of new patches.
Download Every day/specific day at HH:MM AM/PM Select to download the patches on the specified day at the
specified time.
Download on the nth of every month/specific month at HH:MM AM/PM Select to download the patches at the
specified time on the 1st, 2nd, or any other date of every month or only the selected month.

9. In the Stop Download Of Patch Definitions area, click [Edit Mode] to edit the field values and
specify the following:

Allow download of patch definitions to complete Select to allow download of the patch definitions to complete.
Stop patch download process by at HH:MM AM/PM Select to stop the download of the patches at the specified time.

10. Click Set Patching Options to save the changes and reboot the KBOX.

SSL Certificate Wizard


A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid
Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX
1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct
SSL Private Key File and SSL Certificate File.
The files must be in Privacy Enhanced Mail (PEM) format, similar to those used by Apache-based Web
servers, and not in the PKCS-12 format used by some Web servers. It is possible to convert a PKCS-12
certificate into PEM format using software like the OpenSSL toolkit. Contact KACE Technical Support if
you wish to enable SSL on your KBOX.

To enable SSL, you need the correct SSL Private Key file and a signed SSL Certificate. If
your private key has a password it will prevent the KBOX from restarting automatically.
Contact KACE support if you have this issue.
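
The two requirements above (PEM rather than PKCS-12, and a private key without a password) can be checked before the files are uploaded. The following Python check is an added example, not KACE code; the sample blocks are constructed filler rather than real keys, and it assumes the files carry the same PEM armor that OpenSSL writes.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem(data):
    """Return [(label, headers, der_bytes)] for every PEM block in data.

    Raises ValueError when the input is not PEM text or a block is corrupt.
    """
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        kind = "DER or PKCS-12" if data[:1] == b"\x30" else "unknown"
        raise ValueError(
            f"not PEM: binary data ({kind}); convert it to PEM first") from None
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        headers, b64 = {}, []
        for line in (raw.strip() for raw in body.splitlines()):
            if ":" in line:              # RFC 1421 header such as Proc-Type
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line:
                b64.append(line)
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except binascii.Error:
            raise ValueError(f"corrupt base64 in {label} block") from None
        blocks.append((label, headers, der))
    if not blocks:
        raise ValueError("not PEM: no BEGIN/END block found")
    return blocks


def check_key_file(data):
    """Problems that would keep the key from loading without an operator."""
    try:
        blocks = parse_pem(data)
    except ValueError as exc:
        return [str(exc)]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if len(keys) != 1:
        return [f"expected exactly one private key block, found {len(keys)}"]
    label, headers, _ = keys[0]
    # PKCS#8 marks encryption in the label, the legacy format in a header.
    if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.get("Proc-Type", ""):
        return ["private key is password-protected"]
    return []


def check_cert_file(data):
    """Problems with the file meant to hold the signed certificate."""
    try:
        blocks = parse_pem(data)
    except ValueError as exc:
        return [str(exc)]
    labels = [b[0] for b in blocks]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if "CERTIFICATE REQUEST" in labels:
        problems.append("contains a CSR, not a signed certificate")
    if any(label in KEY_LABELS for label in labels):
        problems.append("contains a private key; keep the key in its own file")
    return problems


def _pem(label, payload, headers=""):
    """Build a constructed PEM block; the payload is filler, not key material."""
    b64 = base64.encodebytes(payload).decode("ascii").strip()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n".encode()


# Constructed sample inputs.
FILLER = b"\x30\x82\x01\x00" + bytes(range(60))
PLAIN_KEY = _pem("RSA PRIVATE KEY", FILLER)
LEGACY_ENCRYPTED_KEY = _pem(
    "RSA PRIVATE KEY", FILLER,
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
PKCS8_ENCRYPTED_KEY = _pem("ENCRYPTED PRIVATE KEY", FILLER)
CERT = _pem("CERTIFICATE", FILLER)
CSR = _pem("CERTIFICATE REQUEST", FILLER)
PKCS12_BLOB = b"\x30\x82\x09\xf1" + bytes([0xA0, 0xFF, 0x80]) * 4

if __name__ == "__main__":
    for name, result in [
        ("plain key", check_key_file(PLAIN_KEY)),
        ("legacy encrypted key", check_key_file(LEGACY_ENCRYPTED_KEY)),
        ("PKCS-12 file as key", check_key_file(PKCS12_BLOB)),
        ("CSR as certificate", check_cert_file(CSR)),
        ("certificate and key in one file", check_cert_file(CERT + PLAIN_KEY)),
    ]:
        print(f"{name}: {result or 'ok'}")
```

The last case matters after a PKCS-12 conversion, which can leave the certificate and the private key in the same output file.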

To generate an SSL certificate using the wizard:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Security Settings. The KBOX Security Settings page appears.
3. Click SSL Certificate Wizard. The KBOX Advanced SSL Settings page appears.
4. Click [Edit Mode] to edit the fields and specify the following:

Country Name Enter the name of your country.
State or Province Name Enter the name of your State or Province.
Locality Name Enter your locality name.
Organization Name Enter the name of your organization.
Organization Unit Name Enter the name of the unit your organization belongs to.
Common Name Enter a common name of the KBOX you are creating the SSL
certificate for.
e-mail Enter your e-mail address.

5. Click Set CSR Options. Your Certificate Signing Request is displayed in the field below the Set CSR
Options button. You need to copy the text between the lines “-----BEGIN CERTIFICATE REQUEST-----”
and “-----END CERTIFICATE REQUEST-----”, along with these lines, and then send it to the person who
provides your company with web server certificates.
6. Your Private Key is displayed under Private Key field. It will be deployed to the KBOX when you
upload a valid certificate and subsequently click Deploy.

Do not send the private key to anyone. It is displayed here in case you want to deploy
this certificate to another web server.
Click Create Self Signed Certificate for Deploy to be displayed.

7. Click Create Self Signed Certificate. The SSL certificate is generated. This certificate will not be
accepted by any of the KBOX clients until it is added into the trusted certificate database on every
machine running the KBOX client.
8. Click Deploy to deploy the certificates and turn on SSL on the KBOX. Click OK to reboot the KBOX.

Configuring AMP Settings for the Server


Agent Messaging Protocol (AMP) is the KBOX Communications Protocol used by the KBOX Server with its
respective KBOX Agents.
KACE's AMP includes server, client, and communications components to perform optimized real-time
communications for control of systems management operations.
AMP provides:
Persistent connection between the KBOX Server
Server driven inventory updates
Higher scalability in terms of number of nodes supported on one KBOX 1000 Server
Better scheduling control and reliability
These settings are specific to the AMP infrastructure and do not affect other KBOX configuration settings or
runtime operations. These settings control both the runtime state of the AMP server and also the
operational state of the KBOX Agent.

Changing these settings temporarily interrupts communications between the KBOX
Appliance and the KBOX Agents. Exercise caution when changing these settings and
contact KACE Technical Support for any questions regarding these parameters.

To configure AMP Settings:

1. Select KBOX Settings | Control Panel.


2. Click Agent Messaging Protocol Settings. The Agent Messaging Protocol Settings page appears.
3. Specify the AMP General Settings:

Server Port Enter the Server Port.


The AMP Server on the KBOX SERVER will listen on port 52230 by default.
In order for the KBOX AGENT(s) to connect to the KBOX SERVER via AMP, you must
have the AMP Protocol Port 52230 open and available OUTBOUND. (i.e. the KBOX
AGENT must be able to connect through this port number OUTBOUND without
restriction from any OUTBOUND filter/firewall.)
Example of an OUTBOUND restriction:
“Windows XP Firewall blocking outbound port 52230”.
Allow outbound Protocol Port 52230.
This can be configured in your Filter/Firewall Software or Hardware as an allowed
OUTBOUND Exception.

In order for the KBOX SERVER to accept connections via AMP it must have the AMP
Protocol Port 52230 open and available INBOUND to the KBOX IP ADDRESS. (i.e.
the KBOX SERVER must be able to accept connections through this port number
INBOUND without restriction from an INBOUND filter/firewall.)
Example of an INBOUND restriction:
“A NAT Firewall such as Cisco or SonicWall blocking INBOUND port 52230 to the
KBOX IP ADDRESS.”
Allow inbound Protocol Port 52230 to the KBOX SERVER.
This can be allowed through a One-to-One Inbound NAT Policy.

Note: If you change the default AMP Port of 52230 you must update the
ALLOWED OUTBOUND/INBOUND port on your filter/firewall.
Enable Server Debug Select this check box to enable different levels of "server" debug/logging to the
server's log file.
Enable SSL for AMP Select this check box to enable SSL for AMP. The activation of SSL is for AMP only.
The check box must be selected to activate SSL over AMP even though the General
KBOX settings may have SSL enabled already. This allows the separate configuration
of AMP traffic to be unencrypted even though all other KBOX communication
is SSL encrypted.
Note: Select this check box only if SSL is already enabled on the KBOX and you
want the client-to-server AMP traffic to be encrypted.

4. Click Save and Restart to save the settings and restart the AMP Server.
5. You can click Restart to restart the AMP server without saving the settings.

Restarting the AMP Server does not restart the KBOX.

Configuring Date & Time Settings of the KBOX Server
Ensure that the date and time of the KBOX Server is accurate as most time calculations are made on the
server.

When you update the time zone, the KBOX Server restarts and reflects the date and
time settings. Active connections may be dropped during the restart of the KBOX
Server. After saving the changes, the KBOX Date & Time Settings page will
automatically refresh after 15 seconds.

To configure Date & Time Settings:

1. Select KBOX Settings | Control Panel.


2. Click Date & Time Settings. The KBOX Date & Time Settings page appears.
3. Click [Edit Mode] link to edit the field values.
4. Specify the following information:

Last Updated The date and time when the settings were last updated. It is a read-only field.
Current Time The current date and time. It is a read-only field.
Time Zone Select the appropriate time zone from the drop-down list.
Automatically synchronize with an Internet time server Select this check box to automatically synchronize
the KBOX time with an Internet Time Server.
Enter the time server in the text box. For example, time.kace.com
Set the clock on the KBOX manually Select this check box to manually set the KBOX clock.
Select the appropriate time and date from the drop-down lists.

5. Click Set Options to set the date and time settings.

C H A P T E R 2

Agent Provisioning

The Agent Provisioning feature enables you to directly
install the KBOX Agent onto machines in your
environment.

This chapter contains the following sections:

“Overview of Agent Provisioning,” on page 29


“Single Machine Provisioning,” on page 30
“Advanced Provisioning,” on page 31
“Provisioned Configurations,” on page 40
“Provisioning Results,” on page 42
“KBOX Agent Tasks,” on page 43
“KBOX Agent Settings,” on page 44
“KBOX Agent Update,” on page 47
“AMP Message Queue,” on page 51

Overview of Agent Provisioning
KBOX Agent Provisioning helps you to easily deploy the KBOX Agent software on your network. You can
deploy the agent on multiple machines simultaneously by creating a configuration that identifies a range of
IPs to target. The procedure for Agent Provisioning varies for Windows and non-Windows operating
systems. A provisioning configuration identifies one or more IP addresses for the first-time deployment or
removal of the KBOX Agent. Each target IP address is tested for the existence of an agent, and if the agent
is not detected, the agent is installed remotely, directly from the KBOX.
The provisioning installers are located on the KBOX in the following network share:
\\KBOX\client\agent_provisioning
Here "KBOX" represents the hostname of your KBOX.
The provisioning files are located in their respective "platform" subdirectories (for example, Windows files
located in the "windows_platform" directory).
IMPORTANT: To activate the provisioning functionality you must enable KBOX's file share via the
Network Settings Page. For Windows platform installations, the following configuration settings are
required:
Turn off 'Simple File Sharing'. KBOX Provisioning requires standard file sharing with its associated
security model. Having "Simple File Sharing" enabled could cause a "LOGON FAILURE" as simple file
sharing does not support administrative file shares and associated access security.
If Windows Firewall is turned ON, "File and Print Sharing" must be enabled in the Exceptions list of the
Firewall Configuration.

Microsoft Windows KBOX agents of version 3.0 or later will work with .NET Framework 2.0.

By default the KBOX will verify the availability of ports 139 and 445 on each target machine before
attempting to execute any remote installation procedures.
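
The decision described in this overview (skip a target where an agent is already detected, otherwise require ports 139 and 445 before installing) can be reproduced ahead of a provisioning run to find the targets a firewall would block. This is an added example, not the KBOX's own code: the function names and the 10.0.0.x addresses are constructed, the agent is detected on the agent identification port (52230 by default), and the reading that Bypass Port checks skips only the required-port test is an assumption.

```python
import socket

AGENT_ID_PORT = 52230          # default agent identification port per the guide
WINDOWS_REQUIRED = (139, 445)  # ports the guide says are verified before install


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_port_list(text):
    """Parse a comma-separated 'Required open TCP Ports' value such as '139, 445'."""
    ports = []
    for item in text.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"bad port {item!r}")
        ports.append(int(item))
    return tuple(ports)


def precheck(host, required_ports=WINDOWS_REQUIRED, agent_port=AGENT_ID_PORT,
             bypass_port_checks=False, timeout=2.0, probe=tcp_open):
    """Return (decision, detail) for one target.

    decision is 'skip' (an agent already answers), 'install', or 'blocked'
    (a required port is unreachable, typically a host firewall without the
    File and Print Sharing exception).
    """
    if probe(host, agent_port, timeout):
        return ("skip", f"agent already listening on {agent_port}")
    if bypass_port_checks:           # assumption: only the required-port test is skipped
        return ("install", "port checks bypassed")
    closed = [p for p in required_ports if not probe(host, p, timeout)]
    if closed:
        return ("blocked", "unreachable: " + ", ".join(map(str, closed)))
    return ("install", "all required ports reachable")


def precheck_all(hosts, **options):
    """Run precheck over several targets and return {host: (decision, detail)}."""
    return {host: precheck(host, **options) for host in hosts}


if __name__ == "__main__":
    # Constructed reachability table standing in for the network, so the
    # demonstration runs offline; drop probe=... to test real hosts you manage.
    reachable = {("10.0.0.5", 52230),
                 ("10.0.0.6", 139), ("10.0.0.6", 445),
                 ("10.0.0.7", 445)}

    def table_probe(host, port, timeout):
        return (host, port) in reachable

    results = precheck_all(["10.0.0.5", "10.0.0.6", "10.0.0.7"],
                           required_ports=parse_port_list("139, 445"),
                           probe=table_probe)
    for host, (decision, detail) in results.items():
        print(f"{host}: {decision} ({detail})")
```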

System Requirements for the KBOX Agent


System requirements to install the KBOX Agent are:
Windows:
Vista (32-bit and 64-bit)
Windows 2003 (32-bit and 64-bit)
Windows XP (32-bit and 64-bit)
Windows 2000 (32-bit)
Microsoft Windows Server 2008 (32-bit and 64-bit)

All Windows platforms require Microsoft Internet Explorer 5.01 or greater and Microsoft .NET Framework
1.1/2.0, 90 MHz or faster processor, and 128 MB RAM & 10MB free disk space (minimum).

Linux:
Red Hat Enterprise Linux (RHEL) 3, 4, and 5 (32-bit)

Macintosh®:
Mac OS X 10.3 PowerPC
Mac OS X 10.4 Intel and PowerPC
Mac OS X 10.5 Intel and PowerPC

Solaris:
The KBOX Agent 4.3 does not support Solaris. The last client build supported is 4.1.15780.
Upgrades supported:
Supports upgrading from KBOX Client 3.3, 4.0, 4.1, 4.2 GA builds to 4.3

For information on manual deployment of KBOX Agent on Linux, Solaris and
Macintosh® platforms, refer to Appendix D, “Manual Deployment of the KBOX Agent,”
starting on page 342.

Single Machine Provisioning


Single Machine Provisioning provides an easy way to deploy the KBOX Agent Technologies for the first
time.
The Single Machine Provisioning assumes some default values for settings such as TCP ports, Time outs,
KBOX Server name, and so on.

To deploy KBOX Agent Technologies on a single machine:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Single Machine Provisioning. The Single Machine Provisioning page appears.
3. Enter the following details:

Target IP Enter the IP address of the target machine.


Action Click Install Agent to install the Agent or click Remove Agent to
remove the Agent.
Platform Click the appropriate platform option.
KBOX Agent Version This field displays the KBOX Agent Version number. This is a read-only
field.
Domain (or Workgroup) Enter the domain or workgroup name associated with the credentials you
enter below.
Note: This field is available only if the platform selected is Windows.
User Name (admin level) Enter a user name with the privileges to install the KBOX Agent.
Password Enter the password for the account listed above.

4. Click Run Now. The system saves the configuration with a default name as Simple configuration -
IP Address and then runs the configuration against the targeted IP.
You will be redirected to the Provisioned Configurations page where the newly created configuration is
displayed.

Advanced Provisioning
You can choose between Auto Provisioning, Manual Provisioning by IP, or Manual Provisioning by
Hostnames for provisioning.
Auto Provisioning allows you to provide target IP Range for Provisioning.
Manual Provisioning by IP allows you to specify IP addresses manually and also pick up machines from
IP Scan and Inventory.
Manual Provisioning by Hostnames allows you to enter hostnames manually.

To add a new item using Auto Provisioning:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Advanced Provisioning. The Advanced Provisioning page appears.
3. Select the Auto Provisioning option under the General Settings section.
4. Enter the following general settings details:

Config Friendly Name Enter a name for your agent provisioning configuration. Use a specific
configuration name, to differentiate between two configurations.
Provisioning IP Range Enter IP or IP range. Use hyphens to specify individual IP class ranges.
For example:
192 168 2-5 1-200.
Configuration Enabled Select the check box to enable the configuration and run scheduled
configurations.
KBOX Server Name This field, by default, displays the name of the KBOX Server. Update this field
if you have multiple KBOX servers. Enter the name of the server from which you
wish to install the agent.
KBOX Client Share Name The share folder name in KBOX, where the KBOX Agents are located.
DNS Lookup Enabled Select the check box to enable DNS lookup.
Name Server for Lookup By default, the field displays KBOX’s primary DNS Server mentioned under
Network Settings. You can change the default DNS Server to the required
one and also specify the hostname or IP address.
Lookup Time Out Enter the time period in seconds, after which a DNS lookup will time out.

5. Enter the following details under Windows Platform Provisioning Settings section, if the target
machine(s) operate on the Windows platform:

Provision this platform Select the check box to enable provisioning on Windows platform.
KBOX Agent Version This field displays the KBOX Agent Version number. This is a read-only
field.
Agent Identification Port The agent identification port is the default port currently in use by the
agents and indicates that you should not install the agent again. By
default that port number is 52230. If you are using a different port
number for this, you can change the port number listed here.
Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are
the ports KBOX uses to access the target machine for installation of the
KBOX Agent.
Port Scan Time Out Enter time period in seconds, during which KBOX scans the port for
response.
Bypass Port checks Select the check box to avoid port checks while KBOX installs the agent.
Enable Debug Info Select the check box to view debug information in the machine’s provisioning
results.
Install .NET 1.1 on x64 Systems Select the check box to install .NET 1.1 on a 64-bit system prior to KBOX
agent installation. The KBOX Agent setup fails if .NET 1.1 is not available
on the 64-bit system.
Remove KBOX Agent Select the check box to reverse the logic of the provisioning configuration,
so that it removes the KBOX agent from machines rather than installing it.
This overrides any current provisioning activity.
Remove Config.xml file Select the check box to remove the Config.xml file while removing the
Agent.
The Config.xml file contains the KBOX name and other server configurations
that the target machine checks into.
For example:
If you are using multiple KBOX servers and you remove a KBOX Agent ‘A1’
that was checking into the KBOX server ‘A1’, you do not remove the
Config.xml file.
You then reinstall the KBOX Agent ‘B1’, which was checking into the KBOX
server ‘B1’. This new agent continues to check into the KBOX server ‘A1’ as
you have not removed the Config.xml file. Thus it is advisable to remove
the Config.xml file.
Note: If you want to save your configurations for future use do not
remove the Config.xml file.

6. Enter the following details under Windows Network Administrative Credentials section, if the
target machine(s) operate on the Windows platform:

Domain (or Workgroup) Enter the domain or workgroup name associated with the login credentials
you enter below.
User Name (admin level) Enter a user name with the necessary privileges to install the agent on the
targeted machines.
Password Enter the password for the account listed above.

7. Enter the following details under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings
section, if the target machine(s) operate on the Linux, Macintosh®, or Solaris platform:

Provision this platform Select the check box to enable provisioning on Linux, Macintosh®, or
Solaris platform.
Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are
the ports KBOX uses to access the target machine for installation of the
KBOX Agent.
Port Scan Time Out Enter a time period in seconds. Port scan time out indicates the time for
which the KBOX will scan the port for response.
Bypass Port Checks Select the check box to avoid port checks. This indicates that the KBOX
tries the installation, without checking ports.
Remove KBOX Agent Select the check box to reverse the logic of the provisioning configuration,
so that it removes the KBOX agent from machines rather than installing it.
This overrides any current provisioning activity.
Remove /var/kace/ files The kace folder has two sub folders, SMMP and kagentd.
The SMMP folder has 4 files: SMMP.conf, agent.log, pid, and pluginRunProcess.log.
The kagentd folder has 3 files: KBOX_LOG.txt, kbot_config.yaml, and
kuid.txt.
Select the check box to remove the complete ‘kace’ folder. If the check box
is not selected, the /var/kace/kagentd/kuid.txt file is left behind.

8. Enter the following details under Network Root Credentials section, if the target machine(s) operate
on the Linux or Macintosh® platform:

User Name Under Network Root Credentials for the appropriate platform, enter a
user name that has the necessary privileges to install the agent on the
targeted machines.
Password Enter the password for the account listed above.
KBOX Agent Version This is a read-only field that displays the KBOX Agent version number.

9. Select the appropriate check box under the Scheduling area, and schedule to run the configuration:

Don’t Run on a Schedule Select when you do not want to run the provisioning
configuration on a schedule.
Run Every n minutes/hours Select to run the provisioning configuration at the specified time.
Run Every day/specific day at HH:MM AM/PM Select to run the provisioning configuration on the specified
day at the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM Select to run the provisioning configuration
at the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

By choosing a regular schedule, the KBOX periodically checks machines in the specified IP range to
make sure that they have the KBOX Agent, and install/reinstall/uninstall as required.

10. Click Save to save the provisioned configuration. The Provisioned Configurations page appears.
The provisioned configuration you just created, appears in the list of configurations.
11. Click the saved provisioned configuration. The Advanced Provisioning page appears.
12. You can edit this provisioned configuration. Click Run Now to save the changes and instantly run the
current configuration against the defined IP range. To cancel the configuration, click Cancel.
You can also deploy the KBOX agent manually. For more information on the manual deployment of the
KBOX agent on Linux, Solaris, and Macintosh®, see Appendix D, “Manual Deployment of the KBOX Agent,”
starting on page 342.
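
A Provisioning IP Range such as 192 168 2-5 1-200 covers more machines than it appears to, and the administrative credentials saved in the configuration are used for every machine in it. The following Python helper is an added example, not part of the KBOX: it expands the four octet fields, counts the targets and lists any that fall inside networks you want excluded. The function names, the 1024-host review limit, the sample excluded network and the acceptance of dotted input are assumptions.

```python
import ipaddress
from itertools import product


def parse_octet_field(field):
    """Turn one octet field ("168" or "2-5") into an inclusive (low, high) pair."""
    low, sep, high = field.partition("-")
    if not sep:
        high = low
    if not (low.isdigit() and high.isdigit()):
        raise ValueError(f"octet field {field!r} is not N or LOW-HIGH")
    low, high = int(low), int(high)
    if not 0 <= low <= high <= 255:
        raise ValueError(f"octet field {field!r} must satisfy 0 <= low <= high <= 255")
    return low, high


def parse_range(spec):
    """Parse "192 168 2-5 1-200" into four (low, high) pairs.

    Dots are accepted as separators too (an assumption, not documented behaviour).
    """
    fields = spec.strip().rstrip(".").replace(".", " ").split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 octet fields, got {len(fields)}")
    return [parse_octet_field(f) for f in fields]


def expand(bounds):
    """Yield every IPv4 address covered by the four (low, high) pairs."""
    for octets in product(*(range(lo, hi + 1) for lo, hi in bounds)):
        yield ipaddress.IPv4Address(".".join(map(str, octets)))


def review_range(spec, max_hosts=1024, protected=()):
    """Summarise a provisioning range before it is saved or scheduled.

    protected is a list of CIDR networks that must never be targeted. The
    addresses are enumerated only when the range is within max_hosts, so an
    oversized range is reported without expanding millions of addresses.
    """
    bounds = parse_range(spec)
    count = 1
    for low, high in bounds:
        count *= high - low + 1
    report = {
        "count": count,
        "first": ".".join(str(lo) for lo, _ in bounds),
        "last": ".".join(str(hi) for _, hi in bounds),
        "too_large": count > max_hosts,
        "protected_hits": None,
    }
    if not report["too_large"]:
        nets = [ipaddress.ip_network(n) for n in protected]
        report["protected_hits"] = [
            str(addr) for addr in expand(bounds) if any(addr in n for n in nets)]
    return report


if __name__ == "__main__":
    # The range is the guide's own example; the excluded network is constructed.
    print(review_range("192 168 2-5 1-200", protected=["192.168.4.0/30"]))
    print(review_range("10 0-255 0-255 1-254"))
```

Each hyphenated field multiplies the target count, so the guide's example range resolves to 4 × 200 = 800 addresses.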

To add a new item using Manual Provisioning by IP:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Advanced Provisioning. The Advanced Provisioning page appears.
3. Select the Manual Provisioning by IP option under the General Settings section.
4. Enter the General Settings details as shown in the following table:

Config Friendly Name Enter a name for your agent provisioning configuration. Use a specific
configuration name, to differentiate between two configurations.
Target IPs Enter the IP address of the target machine or click Help me pick
machines.
Note: Multiple IP addresses should be comma-separated.
Click Help me pick machines to enable the following:
  Provisioning IP Range Enter IP or IP range. Use hyphens to specify individual IP
  class ranges.
  For example:
  192 168 2-5 1-200.
  Click Add All to add all the IP addresses displayed in the
  list.
  IP Scan Computer Select a machine from the IP Scan Computers drop-down
  list, to add to the Target IPs list. This list is populated from
  the Network Scan Results. You can filter the list by entering
  any filter options.
  Click Add All to add all machines displayed in the list.
  Inventory Computers Select a machine from the Inventory Computers drop-down
  list, to add to the Target IPs list. This list contains all the
  computers in the inventory. You can filter the list by
  entering any filter options.
  Click Add All to add all machines displayed in the list.
Configuration Enabled Select the check box to enable the configuration.
Note: Scheduled configurations will run only if this check box is selected.
KBOX Server Name This field, by default, displays the name of the KBOX Server. Update this field
if you have multiple KBOX servers. Enter the name of the server from which you
wish to install the agent.
KBOX Client Share Name The share folder name on the KBOX, where the KBOX Agents are located.
DNS Lookup Enabled Select the check box to enable DNS lookup.
Name Server for Lookup By default, the field displays KBOX’s primary DNS Server mentioned under
Network Settings. You can change the default DNS Server to the required
one and also specify the hostname or IP address.
Lookup Time Out Enter the time period in seconds. After this period has lapsed, the DNS lookup
will automatically time out.

5. Enter the following details under Windows Platform Provisioning Settings section, if the target
machine(s) operate on the Windows platform:

Provision this platform Select the check box to enable provisioning on Windows platform.
KBOX Agent Version This field displays the KBOX Agent version number.
Agent Identification Port The agent identification port is a port that installed agents would already
have open and in use, indicating that you should not install the agent
again. By default that port number is 52230. If you are using a different
port number for this, you can change the port number listed here.
Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are
the ports KBOX uses to access the target machine for installation of the
KBOX Agent.
Port Scan Time Out Enter a time period in seconds. Port scan time out indicates the time for
which the KBOX will scan the port for response.
Bypass Port checks Select the check box to avoid port checks. This indicates that the KBOX
tries the installation, without checking ports.
Enable Debug Info Select the check box to enable debug info. By enabling this check box
more debug info will be displayed in the machine’s provisioning results.
Install .NET 1.1 on x64 Systems Select the check box to install .NET 1.1 on a 64-bit system prior to KBOX
agent installation. The KBOX Agent setup fails if .NET 1.1 is not available
on the 64-bit system.
Remove KBOX Agent Select the check box to reverse the logic of the provisioning configuration,
so that it removes the KBOX agent from machines rather than installing it.
This overrides any current provisioning activity.
Remove Config.xml file Select the check box to remove the Config.xml file while removing the
Agent.
The Config.xml file contains the KBOX name and other server
configurations that the target machine checks into.
For example:
If you are using multiple KBOX servers and you remove a KBOX Agent ‘A1’
that was checking into the KBOX server ‘A1’, you do not remove the
Config.xml file.
You then reinstall the KBOX Agent ‘B1’, which was checking into the KBOX
server ‘B1’. This new agent continues to check into the KBOX server ‘A1’ as
you have not removed the Config.xml file. Thus it is advisable to remove
the Config.xml file.
Note: If you want to save your configurations for future use do not
remove the Config.xml file.

6. Enter the following details under Windows Network Administrative Credentials section, if the
target machine(s) operate on the Windows platform:

Domain (or Workgroup) Enter the domain or workgroup name associated with the login credentials
you enter below.
User Name (admin level) Enter a user name with the necessary privileges to install the agent on the
targeted machines.
Password Enter the password for the account listed above.

7. Enter the following details under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings
section, if the target machine(s) operate on the Linux, Macintosh®, or Solaris platform:

Provision this platform Select the check box to enable provisioning on Linux, Macintosh®, or
Solaris platform.
Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are
the ports KBOX uses to access the target machine for installation of the
KBOX Agent.
Port Scan Time Out Enter a time period in seconds. Port scan time out indicates the time for
which the KBOX will scan the port for response.
Bypass Port checks Select the check box to avoid port checks. This indicates that the KBOX
tries the installation, without checking ports.
Remove KBOX Agent Select the check box to reverse the logic of the provisioning configuration,
so that the configuration removes the KBOX Agent from machines rather
than installing it. This overrides any current provisioning activity.
Remove /var/kace/ files The kace folder has two subfolders, SMMP and kagentd.
The SMMP folder has 4 files: SMMP.conf, agent.log, pid, and
pluginRunProcess.log.
The kagentd folder has 3 files: KBOX_LOG.txt, kbot_config.yaml, and
kuid.txt.
Select the check box to remove the complete ‘kace’ folder. If the check
box is not selected, the /var/kace/kagentd/kuid.txt file is left behind.

8. Enter the following details under Network Root Credentials section, if the target machine(s) operate
on the Linux or Macintosh® platform:

User Name Under Network Root Credentials for the appropriate platform, enter a
user name that has the necessary privileges to install the agent on the
targeted machines.
Password Enter the password for the account listed above.
KBOX Agent Version This is a read-only field that displays the KBOX Agent version number.

9. Select the appropriate check box under the Scheduling area, and schedule to run the configuration:

Don’t Run on a Schedule Select when you do not want to run the provisioning
configuration on a schedule.
Run Every n minutes/hours Select to run the provisioning configuration at the specified time.
Run Every day/specific day at HH:MM AM/PM Select to run the provisioning configuration on the specified day at
the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM Select to run the provisioning configuration at the specified time
on the 1st, 2nd, or any other date of every month or only the
selected month.

By choosing a regular schedule, the KBOX periodically checks machines in the specified IP range to
make sure that they have the KBOX Agent, and install/reinstall/uninstall as required.
10. Click Save to save the provisioned configuration. The Provisioned Configurations page appears.
The provisioned configuration you just created, appears in the list of configurations.
11. Click the saved provisioned configuration. The Advanced Provisioning page appears.
12. You can edit this provisioned configuration. Click Run Now to save the changes and instantly run the
current configuration against the defined IP range. To cancel the configuration, click Cancel.

To add a new item using Manual Provisioning by Hostname:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Advanced Provisioning. The Advanced Provisioning page appears.
3. Select the Manual Provisioning by Hostname option under the General Settings section.
4. Enter the General Settings details as shown in the following table:

Config Friendly Name Enter a name for your agent provisioning configuration. Use a specific
configuration name, to differentiate between two configurations.
Target Hostnames Enter the hostname(s) of the target machine.
Note: Multiple host names should be comma-separated.
Configuration Enabled Select the check box to enable the configuration.
Note: Scheduled configurations will run only if this check box is selected.
KBOX Server Name This field, by default, displays the name of the KBOX Server. Update this
field if you have multiple KBOX servers. Enter the name of the server from
where you wish to install the agent.
KBOX Client Share Name The share folder name on the KBOX, where the KBOX Agents are located.
DNS Lookup Enabled Select the check box to enable DNS lookup.
Name Server for Lookup By default, the field displays KBOX’s primary DNS Server mentioned under
Network Settings. You can change the default DNS Server to the
required one and also specify the hostname or IP address.
Lookup Time Out Enter the time period in seconds. After this period has lapsed, the DNS
lookup automatically times out.

5. Enter the following details under Windows Platform Provisioning Settings section, if the target
machine(s) operate on the Windows platform:

Provision this platform Select the check box to enable provisioning on Windows platform.
KBOX Agent Version This field displays the KBOX Agent version number.
Agent Identification Port The agent identification port is a port that installed agents would already
have open and in use, indicating that you should not install the agent
again. By default that port number is 52230. If you are using a different
port number for this, you can change the port number listed here.
Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are
the ports KBOX uses to access the target machine for installation of the
KBOX Agent.
Port Scan Time Out Enter a time period in seconds. Port scan time out indicates the time for
which the KBOX will scan the port for response.
Bypass Port checks Select the check box to avoid port checks. Selecting this indicates that the
KBOX should simply try to install the agent, without checking the ports.
Enable Debug Info Select the check box to enable debug info. By enabling this check box
more debug info will be displayed in the machine’s provisioning results.
Remove KBOX Agent Select the check box to reverse the logic of the provisioning configuration,
so that the configuration removes the KBOX Agent from machines rather
than installing it. This overrides any current provisioning activity.
Install .NET 1.1 on x64 Systems Select the check box to install .NET 1.1 on a 64-bit system prior to KBOX
Agent installation. The KBOX Agent setup fails if .NET 1.1 is not available
on the 64-bit system.
Remove Config.xml file Select the check box to remove the Config.xml file while removing the
Agent.
The Config.xml file contains the KBOX name and other server
configurations that the target machine checks into.
For example:
If you are using multiple KBOX servers and you remove a KBOX Agent ‘A1’
that was checking into the KBOX server ‘A1’, and you do not remove the
Config.xml file.
You then reinstall the KBOX Agent ‘B1’, which was checking into the KBOX
server ‘B1’. This new agent continues to check into the KBOX server ‘A1’
because you have not removed the Config.xml file. Thus it is advisable to
remove the Config.xml file.
Note: If you want to save your configurations for future use, do not
remove the Config.xml file.

6. Enter the following details under Windows Network Administrative Credentials section, if the
target machine(s) operate on the Windows platform:

Domain (or Workgroup) Enter the domain or workgroup name associated with the login credentials
you enter below.
User Name (admin level) Enter a user name with the necessary privileges to install the agent on the
targeted machines.

Password Enter the password for the account listed above.

7. Enter the following details under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings
section, if the target machine(s) operate on the Linux, Macintosh®, or Solaris platform:

Provision this platform Select the check box to enable provisioning on Linux, Macintosh®, or
Solaris platform.
Required open TCP Ports Enter the list of required open TCP ports. These are the ports KBOX will
use to access the target machine for installation of the KBOX Agent.
Port Scan Time Out Enter a time period in seconds. Port scan time out indicates the time for
which the KBOX will scan the port for response.
Bypass Port checks Select the check box to avoid port checks. This indicates that the KBOX
tries the installation, without checking ports.
Remove KBOX Agent Select the check box to reverse the logic of the provisioning configuration,
so that the configuration removes the KBOX Agent from machines rather
than installing it. This overrides any current provisioning activity.
Remove /var/kace/ files The kace folder has two subfolders, SMMP and kagentd.
The SMMP folder has 4 files: SMMP.conf, agent.log, pid, and
pluginRunProcess.log.
The kagentd folder has 3 files: KBOX_LOG.txt, kbot_config.yaml, and
kuid.txt.
Select the check box to remove the complete ‘kace’ folder. If the check
box is not selected, the /var/kace/kagentd/kuid.txt file is left behind.

8. Enter the following details under Network Root Credentials section, if the target machine(s) operate
on the Linux or Macintosh® platform:

User Name Under Network Root Credentials for the appropriate platform, enter a
user name that has the necessary privileges to install the agent on the
targeted machines.
Password Enter the password for the account listed above.
KBOX Agent Version This is a read-only field that displays the KBOX Agent version number.

9. Select the appropriate check box under the Scheduling area, and schedule to run the configuration:

Don’t Run on a Schedule Select when you do not want to run the provisioning
configuration on a schedule.
Run Every n minutes/hours Select to run the provisioning configuration at the specified time.
Run Every day/specific day at HH:MM AM/PM Select to run the provisioning configuration on the specified day at
the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM Select to run the provisioning configuration at the specified time
on the 1st, 2nd, or any other date of every month or only the
selected month.

By choosing a regular schedule, the KBOX periodically checks machines in the specified IP range to
make sure that they have the KBOX Agent, and install/reinstall/uninstall as required.

10. Click Save to save the provisioned configuration. The Provisioned Configurations page appears.
The provisioned configuration you just created, appears in the list of configurations.
11. Click the saved provisioned configuration. The Advanced Provisioning page appears.
12. You can edit this provisioned configuration. Click Run Now to save the changes and instantly run the
current configuration against the defined IP range. To cancel the configuration, click Cancel.

To run provisioned configurations:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Select the check box beside the configuration(s) you want to run.
4. In the Choose action box, choose Run Selected Configuration(s) Now.

To duplicate a configuration:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Click the configuration you want to duplicate. The Advanced Provisioning page appears.
4. Scroll down and click Duplicate.

To delete a configuration:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Click the configuration you want to delete. The Advanced Provisioning page appears.
4. Scroll down and click Delete.

Deleting a configuration will delete all associated target machines in the provisioning
inventory list. Altering or updating a configuration will reset the data in the associated
target machines list to the default settings until the subsequent provisioning run.

Provisioned Configurations
The Provisioned Configurations page displays:
A list of computers which match Agent Provisioning configurations established in Advanced
Provisioning.
All the provisioning configurations created and their statuses.

The Provisioned Configurations page contains the fields described in the table below:

Field Description

Config Name Displays the configuration name. Click the config name to display the Advanced
Provisioning page.
Total Target Indicates the total number of target machines. Click the total number of target machines
to display the Provisioning Results page.
Running Indicates the total number of target machines on which provisioning is currently
running. Click the total number of target machines to display the Provisioning Results page.
Not Started Indicates the total number of target machines on which provisioning has not yet started.
Click the total number of target machines to display the Provisioning Results page.
Succeeded Indicates the total number of target machines on which provisioning has succeeded.
Click the total number of target machines to display the Provisioning Results page.
Failed Indicates the total number of target machines on which provisioning has failed. Click the
total number of target machines to display the Provisioning Results page.
% Succeeded Indicates in percentage the total number of target machines on which provisioning has
succeeded.
IP Range Indicates the IP range of the target machine.
Schedule Indicates the provisioning schedule run as specified. For example: Every ‘n’ minutes,
Every ‘n’ hours or Never.
Enabled Indicates a blank or a green check in the check box for the configuration name
depending on the provisioning success.

Table 2-1: Configuration List page fields

To create a new configuration:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Select Create New Configuration from the Choose action drop-down list. The Single Machine
Provisioning page appears.
For more information, see section Appendix 2, “To deploy KBOX Agent Technologies on a single
machine,” starting on page 30.

To delete a configuration:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Select the check box beside the configuration(s) you want to delete.
4. In the Choose action drop-down list, select Delete Selected Item(s).
5. Click OK to confirm the deletion.

To enable a configuration:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.

2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Select the check box beside the configuration(s) you want to enable.
4. In the Choose action drop-down list, select Enable Selected Item(s).

To disable a configuration:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Select the check box beside the configuration(s) you want to disable.
4. In the Choose action drop-down list, select Disable Selected Item(s).

Provisioning Results
The Provisioning Results page displays a list of computers which match the current Agent Provisioning
Configurations. This list includes all the machines discovered by the configurations created in Advanced
Provisioning and Single Machine Provisioning. You can view target provisioning and configuration
information.
The target’s information results from the most recent provisioning run or execution on that target.
Execution of a Provisioning Configuration targets the IP addresses and for each target (node) the
execution evaluates the availability of IP addresses, agent status, port configuration, and so on. The
results and logs of each provisioning step are displayed.
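
The per-target evaluation described above can be rehearsed from an administration host before a configuration is scheduled. The following is an added example, not KACE code: the class, the function names and the order of checks are assumptions drawn from the field descriptions (Agent Identification Port, Required open TCP Ports, Port Scan Time Out, Bypass Port checks, Remove KBOX Agent), and the returned 'I' and 'R' mirror the Action column of the Provisioning Results page.

```python
import socket
from dataclasses import dataclass


@dataclass
class ProvisioningConfig:
    """Field names mirror the guide's settings; the class itself is hypothetical."""
    required_ports: str               # "Required open TCP Ports", comma-separated
    agent_id_port: int = 52230        # "Agent Identification Port" default from the guide
    scan_timeout: float = 5.0         # "Port Scan Time Out" in seconds (example value)
    bypass_port_checks: bool = False  # "Bypass Port checks"
    remove_agent: bool = False        # "Remove KBOX Agent" reverses the logic


def parse_ports(field):
    """Turn the comma-separated field into a validated, de-duplicated port list."""
    ports = []
    for item in field.split(","):
        item = item.strip()
        if not item:
            continue                  # tolerate a trailing comma
        if not (item.isascii() and item.isdigit() and 1 <= int(item) <= 65535):
            raise ValueError(f"not a TCP port: {item!r}")
        if int(item) not in ports:
            ports.append(int(item))
    return ports


def tcp_open(host, port, timeout):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def plan_action(host, cfg, probe=tcp_open):
    """Return (action, reason); action is 'I' (install), 'R' (remove) or None."""
    ports = parse_ports(cfg.required_ports)  # reject a bad field before any probing
    agent_present = probe(host, cfg.agent_id_port, cfg.scan_timeout)
    if cfg.remove_agent:
        # Assumption: with the logic reversed, a target without an agent is skipped.
        if not agent_present:
            return None, "no agent on identification port, nothing to remove"
    elif agent_present:
        return None, "agent identification port already open, not installing again"
    # Assumption: the bypass applies to the required ports only.
    if not cfg.bypass_port_checks:
        closed = [p for p in ports if not probe(host, p, cfg.scan_timeout)]
        if closed:
            return None, "required ports not reachable: " + ",".join(map(str, closed))
    return ("R" if cfg.remove_agent else "I"), "pre-flight checks passed"


if __name__ == "__main__":
    # Constructed values: loopback target and arbitrary example ports.
    demo = ProvisioningConfig(required_ports="1001, 1002", scan_timeout=1.0)
    print(plan_action("127.0.0.1", demo))
```

Passing a different `probe` callable lets the decision logic be exercised without touching the network.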

To view Provisioning Results:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Provisioned Configurations. The Provisioned Configurations page appears.
3. Click Total Target/Running/Not Started/ Succeeded/ Failed/IP Range in the Provisioned
Configurations list.
The Provisioning Results page appears.
4. Click the IP Address of the required machine to view the provisioning target information and
provisioning configuration information.
The KBOX Agent Provisioning page appears.
5. Click Printer Friendly Version to see a print view of the page. You can take print outs of this page.

You can also view computer inventory by clicking computer inventory under
Provisioning Target Info section. The provisioning process collects the MAC address
of the target machine and compares to the data associated with the current "KBOX
Computer Inventory". If a match is found, a link to "Computer Inventory" for that
association is displayed next to the MAC Address. For more information on computer
inventory, see “Adding Computers to Inventory,” on page 65.

6. Click the required DNS Lookup Enabled on the Provisioning Results page to view the DNS lookup
details. When selected, live addresses are checked against the DNS Server to see if they have Agent
Provisioning configured.
The Provisioning Results page contains the fields described in the table below:

Field Description

IP Address Indicates the IP address of the target machine.


DNS Indicates the DNS of the target machine.
Action Indicates the appropriate action taken on the target machine. For example, it is ‘I’ for
installing an agent or ‘R’ for removing an agent.
Result Indicates the appropriate result on the target machine. For example, it is ‘S’ for Success
or ‘F’ for Failure.
Error Displays the 16 in-built reasons for failure.
Connect status An icon indicates that after an agent install, a successful AMP connection was also
established.
Configuration Indicates the configuration name of the target machine.
Last Run Indicates the date and time when the last run was performed.

Table 2-2: Provisioning Results page fields

KBOX Agent Tasks


The KBOX Agent Tasks option displays a list of all the KBOX Agent tasks that are currently running or are
scheduled for a machine connected to the KBOX. Each machine displays the computer inventory
information. Client machines connected to the server over AMP (port: 52230) are indicated by an icon
on the Inventory list page.
You can view the KBOX Agent Tasks and Task Types from the Tasks drop-down list, which are described in
the table below:

Tasks All Tasks This selection lists all the agent tasks.
In Progress This selection lists all the agent tasks that are in progress.
Overdue Tasks This selection lists all the agent tasks that are overdue.
Task Type bootstrap The server requests the client to sync up.
inventory The server requests the client to update the computer inventory.
krash upload The server requests the client to upload the dump file to the server
(Windows only)
patching Shows any of the client’s patching tasks, if running (Windows and Mac
only).
scripting update Updates the current status of the scripting tasks.

To view KBOX Agent Tasks:

1. Select KBOX Settings | Support or click on the modules tool bar. The KBOX Settings:
KACE Support page appears.
2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears.
3. Click the tasks link in “See status of KBOX Agent tasks”, under the KBOX Agent Messaging area. The
KBOX Agent Tasks page appears.
4. Click the Machine Name from the KBOX Agent Tasks list to view the computer inventory information.
The Computers: Detail Item page appears.
5. Click Printer Friendly Version to see a print view of the page and print it.
The KBOX Agent Tasks page contains the fields described in the table below:

Field Description

Machine Name Indicates the machine name on which some tasks are scheduled/running/in progress.
Task Type Indicates the type of agent task.
Started Indicates the start time of the task type.
Completed Indicates the time when the task type is completed.
Next Run Indicates the next schedule or run time of the agent task type.
Timeout Indicates when the task type has to be timed out.
Priority Indicates the importance or the priority value of the task type.

Table 2-3: KBOX Agent Tasks page fields

KBOX Agent Settings


The KBOX Agent Settings options configure the KBOX to operate in your computing environment. These
options specify how often the client runs on the user desktop and within that run how often a full desktop
computer inventory is performed.
The "KBOX Agent" options specify how often a KBOX Agent checks into the KBOX and how often the KBOX
Agent performs a full computer inventory. For example, a default Run Interval of 30 minutes means that
those computers with KBOX Agents installed will check into the KBOX 1000 Series appliance every 30
minutes.

To configure KBOX Agent:

1. Select Organizations | Organizations. The KBOX Organizations page appears.


2. Click organization for which you want to configure the KBOX Agent. The KBOX Organization: Edit Detail
page appears.
3. To edit agent settings, click [Edit Mode]. The KBOX Organization: Edit Detail page appears with the
current agent setting details. These are the settings that control the schedule and frequency of your
checked-in KBOX agents.

4. Specify the following KBOX Agent options under the KBOX Agent Settings For This Organization
area:

Communications Window The time interval when the KBOX Agent can communicate with the KBOX
1000 Series appliance. For example, to allow the KBOX Agent to connect
between 1:00 AM and 6:00 AM only, select 1:00 AM from the first
drop-down list, and 6:00 AM from the second. The default setting is
12:00 AM to 12:00 AM.
Agent “Run interval” The interval that the KBOX Agent checks into the KBOX 1000 Series. Each
time a KBOX Agent connects, it resets its connect interval based on this
setting. The default setting is once per hour.
Agent “Inventory Interval” The interval that the KBOX Agent checks into the KBOX 1000 Series. Each
time a KBOX Agent connects, it resets its connect interval based on this
setting. The default setting is once per hour.
Agent “Splash Page Text” The message that appears to users when communicating with the KBOX
1000 Series. The default message is “KBOX is verifying your PC
Configuration and managing software updates. Please Wait.”
Scripting Update Interval The KBOX Agent downloads new script definitions after the scripting update
interval is over. The default interval is 15 minutes.
Scripting Ping Interval The KBOX Agent tests the connection to the KBOX 1000 Series appliance
after the scripting ping interval is over. The default interval is 600 seconds.
Agent Log Retention Agent Log Retention determines whether the server stores the scripting
result information sent by the agents. By default, the server stores all the
results generated, which can affect the performance of KBOX. Turn off
Agent Log Retention to allow agent check-ins to process faster.

5. Click Save to save the KBOX Agent settings configuration. The KBOX Agent Settings page appears in
read-only mode. These changes are reflected the next time the agent checks into the KBOX.

The KBOX Agent normally checks in using the "Run Interval" schedule specified in
KBOX Agent Settings page. For debugging and testing purposes, KACE provides ways
that can be used to force a check-in outside this normal schedule.
You can run the file KBScriptRunner located in C:\program files\kace\kbox to
force the KBOX Agent to check in with the KBOX 1000 appliance.
The KBScriptRunner.exe only forces a check-in (bypassing the "Run Interval") but does
not force an inventory if you have set a non-zero Inventory Interval. You must change
the inventory interval to zero while debugging/testing package deployments.

Also refer to Chapter 14, “Configuring General Settings for the Server,” starting on page 256 for Agent-Server
Task settings.

To troubleshoot clients which fail to show up in the inventory:

A machine may fail to show up in KBOX Inventory after you install the KBOX Agent. By default the
KBOX Agent communicates with the KBOX using HTTP over port 80. Assuming network connectivity is
in place, the most common reason newly-installed KBOX Agents fail to connect to the KBOX during
first-time setup is a problem with the default "KBOX" host name in DNS.
1. If you set up the KBOX in your DNS using a host name other than the default "kbox", or need agents to
reach KBOX by IP address instead of the DNS name, you must install the KBOX Agent specifying the
SERVER property. For example,
Windows:
c:\>KInstallerSetup.exe -server=mykbox -display_mode=silent
or
c:\>KInstallerSetup.exe -server=192.168.2.100 -display_mode=silent

Macintosh®:
/Library/KBOXAgent/Home/bin/setkbox mykbox
or
/Library/KBOXAgent/Home/bin/setkbox 192.168.2.100
Linux:
/KACE/bin/setkbox mykbox
or
/KACE/bin/setkbox 192.168.2.100
Solaris:
/KACE/bin/setkbox mykbox
or
/KACE/bin/setkbox 192.168.2.100
2. To correct the server name for an already-installed client:
Windows:
Verify the "ServerHost", "ServerURLPrefix", and "ServerPort" entry values in:
c:\program files\kace\kbox\config.xml
Verify the "ServerHost", and "ServerPort" entry values in:
c:\program files\kace\kbox\smmp.conf
For further debug and troubleshooting, add the following line in smmp.conf:
debug = true
Verify that the connection text in smmp.log indicates a successful connection between the agent and
server is established.
After the successful connection between the agent and server is established, smmp_connected file is
generated.

Macintosh®:
/var/kace/kagentd/kbot_config.yaml

Linux:
/var/KACE/kagentd/kbot_config.yaml
Solaris:
/var/KACE/kagentd/kbot_config.yaml
3. Verify that you are able to ping the KBOX and reach it via a web browser at http://kbox.
4. Verify that Internet Options are not set to use proxy, or proxy is excluded for the local network or the
KBOX.
5. Verify that no firewall or anti-spyware software is blocking communication between KBOX and any of
agent components, including:
KBOXManagementService.exe
KBOXClient.exe
KUpdater.exe
kagentd (OS X/ Unix)
6. Verify that the KBOXManagementService (Windows), and KBOXSMMPManagementService or the
kagentd (OS X/ Unix) processes are running. The agent will show up as 'perl' in the OS X Activity
Monitor.
If after verifying these items, you are still unable to get the agent to connect to the KBOX, contact
KACE Support at support@kace.com for further assistance.
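
The server-name checks in step 2, together with the stale Config.xml case described under Remove Config.xml file, can be scripted as follows. This is an added example, not KACE code: the guide names the "ServerHost", "ServerURLPrefix" and "ServerPort" entries but not the XML layout, so two common layouts are accepted as an assumption, and the function names, finding codes and sample values (kbox-a1, kbox-b1) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Entry names taken from the guide's troubleshooting steps.
XML_ENTRIES = ("ServerHost", "ServerURLPrefix", "ServerPort")
CONF_ENTRIES = ("ServerHost", "ServerPort")


def parse_smmp_conf(text):
    """Parse 'key = value' lines, the form of the guide's 'debug = true'."""
    entries = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def parse_config_xml(text):
    """Collect the named entries from config.xml.

    Assumption: accepts <ServerHost>v</ServerHost> as well as
    <add key="ServerHost" value="v"/>, since the guide shows neither.
    """
    entries = {}
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any XML namespace
        if tag in XML_ENTRIES and (el.text or "").strip():
            entries[tag] = el.text.strip()
        key = el.get("key") or el.get("name")
        if key in XML_ENTRIES and el.get("value") is not None:
            entries[key] = el.get("value").strip()
    return entries


def audit_agent(config_xml, smmp_conf, expected_host):
    """Return a list of (code, detail) findings for one agent's two files."""
    files = {
        "config.xml": (parse_config_xml(config_xml), XML_ENTRIES),
        "smmp.conf": (parse_smmp_conf(smmp_conf), CONF_ENTRIES),
    }
    findings = []
    for name, (entries, required) in files.items():
        for key in required:
            if key not in entries:
                findings.append(("missing-entry", f"{name}: {key}"))
        host = entries.get("ServerHost")
        if host and host.lower() != expected_host.lower():
            # The A1/B1 case: a leftover file keeps the agent on the old server.
            findings.append(
                ("stale-server", f"{name}: checks into {host}, expected {expected_host}"))
        port = entries.get("ServerPort", "")
        if port and not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append(("bad-port", f"{name}: {port}"))
    hosts = {e.get("ServerHost", "").lower() for e, _ in files.values()} - {""}
    if len(hosts) > 1:
        findings.append(("host-mismatch", "config.xml and smmp.conf name different servers"))
    if files["smmp.conf"][0].get("debug", "").lower() == "true":
        findings.append(("debug-enabled", "smmp.conf still has debug = true"))
    return findings


# Constructed sample files: config.xml left over from server A1, smmp.conf set for B1.
SAMPLE_CONFIG_XML = """<config>
  <ServerHost>kbox-a1</ServerHost>
  <ServerURLPrefix>http</ServerURLPrefix>
  <ServerPort>80</ServerPort>
</config>"""
SAMPLE_SMMP_CONF = "ServerHost = kbox-b1\nServerPort = 52230\ndebug = true\n"

if __name__ == "__main__":
    for code, detail in audit_agent(SAMPLE_CONFIG_XML, SAMPLE_SMMP_CONF, "kbox-b1"):
        print(f"{code}: {detail}")
```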

KBOX Agent Update


The KBOX Agent Update feature allows you to automatically update the KBOX Agent software for some or
all machines that are checking in your KBOX. KBOX Agent deployments are automatically updated as new
agent updates are posted to this area. The KBOX Agent package that you post to the server from this page
should be an official KBOX Agent Release received from KACE directly.
Before updating the KBOX Agent, ensure that you have downloaded and locally saved the following files:
update_4.3.XXXX.bin for WINDOWS, where XXXX is the build number.
update_mac_4.3.XXXX.bin for Macintosh®, where XXXX is the build number.
update_linux_4.3.XXXX.bin for Linux, where XXXX is the build number.
update_solaris_4.1.15780.bin for Solaris, where XXXX is the build number.

To update KBOX Agent automatically:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Agent Updates from KACE. The Agent Updates from KACE page appears.
3. Click the [Edit Mode] link under the section that you want to edit.
4. Specify the agent updates as shown in the following table:

Enabled Select the check box to upgrade the KBOX Agent when machines check
into KBOX the next time around.

Update Broken Agents Select the check box to update those machines that are checking
in with the KBOX for new agent versions, but are unable to successfully
report inventory information to KBOX. This setting overrides the Limit
Update to settings.
For such a broken agent, check for a new version of the Agent software by
running kupdater.exe manually.
Limit Updates to Enter a label for automatic upgrades. The upgrades will only be distributed
to machines assigned to those labels, except if they are identified as a
“broken client” above.
Limit Update To Listed Click Remove to limit the listed machines. To add more machines, select
Machines the machine(s) from the Select machine to add drop-down list.
Filter Enter the value to verify machine by filter.
Notes Enter release notes about the agent.

5. To save the new agent updates, click Save.


You can see the version numbers of agent patches currently uploaded to KBOX under the Loaded KBOX
Agent Updates area. Click Delete All Updates to delete all patches that are uploaded to the KBOX.

To upload platform-specific Agent patches:

1. Select Settings | KBOX Agent. The Agent Provisioning page appears.


2. Click Agent Updates from KACE. The Agent Updates from KACE page appears.
3. Click the [Edit Mode] link under the Upload KBOX Agent Update Files area.
4. Scroll down and select the Load specific OS.bin file(s) check box.

5. Click the button beside the platform name to upload the patch file for that specific platform.
6. Click Browse and locate the patch file (.bin).
7. The Update Version ID text box displays the version number of the patch file you are uploading.
8. Click Save Windows Patch File to upload the patch file.
You can update agents on all platforms using a client bundle. The client bundle is designed to update the
KBOX Agent deployment files that are stored on the KBOX server via a single file.
This bundle must only be applied to KBOX servers at version 3.2 or greater. This affects two areas of the
KBOX:
1) KBOX Agent Update
2) Advanced Provisioning
When you apply this bin file to your server, the older versions of the clients will be removed and replaced
with the files contained in this bin file.

The KBOX Agent Update settings will be DISABLED after applying the file. You need to
view the settings and confirm the label and settings and ENABLE it again if you want
the agents to deploy to your network.
All the provisioning setups will also be DISABLED and will need to be re-enabled to
deploy the new version of the agent to your network.

To update agents using a client bundle:

1. Download the kbox_patch_agents_xxx.bin file and save it locally.


After you register on the KACE web site, you can download the latest client bundle using the login
credentials from the following link:
http://www.kace.com/support/customer/downloads.php
2. Select Settings | KBOX Agent. The Agent Provisioning page appears.
3. Click Agent Updates from KACE. The Agent Updates from KACE page appears.
4. Click the [Edit Mode] link under the Upload KBOX Agent Update Files area.
5. Click Browse beside Bundled Agents File and locate the update file you have downloaded.
6. Click Load Bundle File.
Once the file is uploaded and applied:
Go to the Agent Updates from KACE page and verify if the correct labels have been selected. Now
select the Enabled checkbox to enable this upgrade.
Go to the Advanced Provisioning page and verify if the correct setups have been selected. Now select
the Configuration Enabled check box to enable this upgrade.

To resolve errors when uninstalling or upgrading the KBOX Client:

If you are attempting to manually uninstall an older 1.5/2.0 KBOX client after a failed install or upgrade of
the client, you may receive one or more of the following error messages:
An exception occurred while uninstalling. This exception is ignored and the uninstallation process will
continue. However, the application may not be fully uninstalled after the uninstallation is complete.
The savedState dictionary contains inconsistent data and might be corrupted.
Fatal error during installation.

Troubleshoot the following services to resolve the uninstall errors.


1. KBOX Management Service
2. KBOX SMMP Management Service

To troubleshoot the KBOX Management Service:

1. Delete the *.InstallState files in the c:\program files\kace\kbox folder.


2. Verify that the KBOX Management Service is listed in the services control panel.
3. If KBOX Management Service is not listed, run the following command to reconfigure it:
sc create KBOXManagementService binPath= "c:\program files\KACE\KBOX\KBOXManagementService.exe" type= interact type= own start= auto DisplayName= "KBOX Management Service"
4. You can now uninstall the agent from Add or Remove Programs again.
If you continue to receive errors, contact KACE Support at support@kace.com for assistance.

To troubleshoot the KBOX SMMP Management Service:

1. Delete the *.InstallState files in the c:\program files\kace\kbox folder.



2. Verify that the KBOX SMMP Management Service is listed in the services control panel.
3. If KBOX SMMP Management Service is not listed, run the following command to reconfigure it:
sc create KBOXManagementService binPath= "c:\program files\KACE\KBOX\KBOXSMMPManagementService.exe" type= interact type= own start= auto DisplayName= "KBOX SMMP Management Service"
4. You can now uninstall the agent from Add or Remove Programs again.
If you continue to receive errors, contact KACE Support at support@kace.com for assistance.
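
The two service procedures above, scripted as an added PowerShell example (not KACE tooling; Repair-KboxService is a hypothetical helper name, while the key name, path and display name are the ones in the guide's sc commands). After registering the service it also wraps the stored image path in quotes, because sc saves the binPath value without its outer quotes and a service path that contains a space should be quoted.

```powershell
#Requires -RunAsAdministrator
# Added example. Repair-KboxService is a hypothetical helper name; the service
# key name, binary path and display name come from the guide's sc commands.

function Repair-KboxService {
    param(
        [Parameter(Mandatory)] [string] $Name,          # service key name
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $ExePath,
        [string] $InstallDir = 'c:\program files\kace\kbox'
    )

    # Step 1: delete leftover *.InstallState files from the agent folder.
    $stale = @(Get-ChildItem -Path $InstallDir -Filter '*.InstallState' -File -ErrorAction SilentlyContinue)
    $stale | Remove-Item -Force

    # Steps 2-3: re-register the service only when it is not listed.
    $created = $false
    if (-not (Get-Service -Name $Name -ErrorAction SilentlyContinue)) {
        if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
            throw "Service binary not found: $ExePath"
        }
        # Same options as the guide's command; PowerShell quotes the values
        # that contain spaces when it passes them to sc.exe.
        & sc.exe create $Name binPath= $ExePath type= interact type= own start= auto DisplayName= $DisplayName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }
        $created = $true
    }

    # sc stores the binPath value without its outer quotes. If the stored
    # ImagePath is exactly the bare executable path and that path contains a
    # space, rewrite it with quotes so the service path is unambiguous.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($imagePath -ieq $ExePath -and $ExePath -match '\s') {
        $imagePath = '"{0}"' -f $ExePath
        Set-ItemProperty -Path $key -Name ImagePath -Value $imagePath -Type ExpandString
    }

    # Summary of what was done, for the operator or a calling script.
    [pscustomobject]@{
        Service                  = $Name
        InstallStateFilesRemoved = $stale.Count
        Created                  = $created
        ImagePath                = $imagePath
    }
}

# KBOX Management Service, with the values from the guide's first command.
Repair-KboxService -Name 'KBOXManagementService' `
    -DisplayName 'KBOX Management Service' `
    -ExePath 'c:\program files\KACE\KBOX\KBOXManagementService.exe'

# For the SMMP service, call the function again with the SMMP display name and
# KBOXSMMPManagementService.exe. The guide prints KBOXManagementService as the
# key name in that command as well; two services cannot share a key name, so
# confirm the key name the agent uses before running it.
```

Once the function reports the service as present, retry the uninstall from Add or Remove Programs as in step 4.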



AMP Message Queue
The AMP Message Queue page displays the list of pending communications with the KBOX Agents, such as
pending alerts, patches, scripts, or requests to delete crash dumps.

To view AMP Message Queue:

1. Select KBOX Settings | Support or click on the modules tool bar. The KBOX Settings:
KACE Support page appears.
2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears.
3. Click the message queue link in “See list of pending communications in the KBOX Agent message
queue”, under the KBOX Agent Messaging area. The AMP Message Queue page appears.

The pending communications are displayed in this queue only if there is a constant connection between
the KBOX Agent and the KBOX.

For Alerts, the pending communications are displayed in the AMP Message Queue even
if there is no continuous connection between the KBOX Agent and the KBOX. These
messages are displayed till the Keep Alive time interval has elapsed. These messages
are then deleted from the queue and the alerts expire.

The Agent Message Queue page contains the following fields:

| Field | Description |
|---|---|
| Machine Name | Indicates the machine name that contains the computer inventory information. Click the machine name to view the Computers Inventory page. A icon indicates a successful AMP connection and icon indicates a failed AMP connection. |
| Message Type [ID, Src ID] | Indicates the message type. For example, Run Process or Built-in. |
| Message Payload | Indicates the message payload. |
| Expires | Indicates the date and time when the alert expired. |
| Status | Indicates the status of the AMP message. For example, Completed or Received. AMP is Agent Messaging Protocol. |

Table 2-4: AMP Messages Queue page fields

To view alerts:

1. Select KBOX Settings | Support or click on the modules tool bar. The KBOX Settings:
KACE Support page appears.
2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears.
3. Click the message queue link in “See list of pending communications in the KBOX Agent message
queue”, under the KBOX Agent Messaging area. The AMP Message Queue page appears.



4. Select View Alerts from the Choose action drop-down list. A list of Alerts is displayed under the
Message field.

The View Alerts option is available in the Choose action drop-down list only if the AMP
Message Queue has pending alerts or is displaying alerts.

For creating alerts, see section “Creating Alert Messages,” on page 238.

To delete a message queue:

1. Select KBOX Settings | Support or click on the modules tool bar. The KBOX Settings:
KACE Support page appears.
2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears.
3. Click the message queue link in “See list of pending communications in the KBOX Agent message
queue”, under the KBOX Agent Messaging area. The AMP Message Queue page appears.
4. Select the check box beside the message you want to delete.
5. Select Delete Selected Item(s) from the Choose action drop-down list.
6. Click OK to confirm deleting the message. This removes the message queue from the KBOX Agent.

CHAPTER 3

Inventory

The KBOX Inventory feature enables you to identify and manage the machines and software on your
network and organize these machines using labels and filters.

“Overview of the Inventory feature,” on page 55


“Computers Inventory,” on page 58
“Software Inventory,” on page 66
“AppDeploySM Live,” on page 76
“Software Metering,” on page 74
“Processes,” on page 77
“Startup,” on page 79
“Service,” on page 81
“Monitoring Out-Of-Reach Computers (MIA),” on page 83
“Labels,” on page 84

Overview of the Inventory feature
Inventory is collected by the KBOX Agent and reported when computers check in with the KBOX. The data
is then listed on one of the Inventory tabs: Computers, Software, or MIA. The inventory data is collected
automatically according to the Agent Inventory Interval schedule specified in the system console,
under Organizations | Organizations for a specific organization. If this Agent Inventory Interval is
set to zero, the client inventory is performed as per the Agent Run Interval specified in the system
console, under Organizations | Organizations for the specific organization.
Although it is presented under the Inventory tab, the IP Scan feature is discussed in Chapter 5, “IP
Scan,” starting on page 96.

Figure 3-1: Inventory - Computers tab (screenshot). Callouts: Module Toolbar; sub tabs; click to create
notification filter; use drop-down to filter view by label; click to create search filter; the last time the
machine checked in; the computer’s name and labels to which the computer belongs; click to run
Machine Action.

The Computer Search & Filter page displays the computer’s IP address and the user connected to it.
Clicking Action #1 or Action #2 beside the IP address invokes a Machine Action, if specified.
For more details on Machine Actions, refer to Chapter 1, “Configuring General Settings for the
Server,” starting on page 16.



From the Computers tab you can:
Search by keyword or invoke an Advanced Search
Create a Filter to apply labels to computers automatically
Create Notifications based on computer attributes
Add/delete new computers manually
Filter the Computer Listing by label
Apply or remove labels
Show or hide labels

To view details about a computer click its name.

Using Advanced Search for Computer Inventory


Although you can search computer inventory using keywords like Windows XP, or Acrobat, those types of
searches might not give you the level of specificity you need. Advanced search, on the other hand, allows
you to specify values for each field present in the inventory record and search the entire inventory listing
for that value. This is useful, for example, if you needed to know which computers had a particular version
of BIOS installed in order to upgrade only those affected computers.

To specify advanced search criteria:

1. Click the Advanced Search tab.


2. Select an attribute from the drop-down list. For example, IP Address.
3. Select the condition from the drop-down list. For example, contains.
4. Enter the Attribute Value. For example, XXX.XX.*
In the above example, machines from the specified IP range will be searched.
Note: You can add more than one criterion.
5. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND.
6. Click Search. The search results are displayed.

Creating Search Filters for Computer Inventory


Filtering enables you to dynamically apply a label based on search criteria. It is helpful to define filters by
using inventory attributes. For example, you create a label called “San Francisco Office” and create a filter
based on the IP range or subnet for machines located at the San Francisco office. Whenever a machine
checks in and falls within that IP range, it will be labeled as San Francisco. This functionality is particularly
useful if your network includes laptops that often travel to remote locations.
The table below lists some examples of useful filters that could be applied to a machine based on its
inventory attributes:

| Sample Label Name | Sample Condition |
|---|---|
| XP_Low_Disk | Windows XP Machine with less than 1 GB of free hard disk at last connection. |
| XP_No_HF182374 | Windows XP Machine without Hotfix 18237 installed at last connection. |
| Building 3 | Machine connecting to the KBOX is detected in a specified IP range known to originate in building 3. |
| CN_sales | Computers connecting where computer name contains the letters “sales”. |

Table 3-2: Filter Examples

To create a filter:

1. Select Inventory | Computers, then click the Create Filter tab. The Filter criteria fields appear.
2. Specify the search criteria.
3. Choose the label to associate with the filter.
4. To see whether the filter produces the desired results, click Test Filter.
5. Click Create Filter to create the filter.
Now, whenever machines that meet the specified filter criteria check into the KBOX, they will automatically
be assigned to the associated label. You can also add a new machine filter or change the order of machine
filters from the Reporting | Filters tab. Refer to Chapter 12, “Filters,” starting on page 239 for more
details.

This feature assumes that you have already created labels to associate with a filter. For
information about creating labels, see “Labels,” on page 84.
Deleting a filter does not delete the label.

Creating Computer Notifications


You can also use the Notification feature to search the inventory for computers that meet certain criteria,
such as disk capacity or OS version, and then send an e-mail automatically to an administrator. For
example, if you wanted to know when computers had a critically low amount of disk space left, you could
specify the search criteria to look for a value of 5 MB or smaller in the Disk Free field, and then notify an
administrator who can take appropriate action.

To create a notification:

1. Select Inventory | Computers, and then click the Create Notification tab.
2. Specify the search criteria.
3. Specify a title for the search.
4. Enter the mail address of the recipient of the notification.
5. To see whether the filter produces the desired results, click Test Notification.
6. Click Create Notification to create the notification.
Now, whenever machines that meet the specified notification criteria check into the KBOX, an e-mail will
automatically be sent to the specified recipient. You can modify or delete a notification after it has been
created on the Reporting | Email Alerts tab.



Filtering Computers by Organizational Unit
If you want to filter computers based on an Organizational Unit found in LDAP or AD, you can create LDAP
Filters to do this from the Reporting | LDAP Filters tab.
For more information on how to create LDAP Filters, refer to Chapter 13, “LDAP Filters,” starting on
page 247.

Computers Inventory
From the Computers tab, you can select a computer in the inventory and view its details. The Computer
Detail page provides details about a computer’s hardware, software, install, patch, Help Desk, and Oval
vulnerability history, among other attributes.
Each section on this page is described below. To expand the sections, click Expand All. Click a heading to
expand or collapse it.

Summary
This section provides a brief description of the computer. It displays the following details:

| Field | Description |
|---|---|
| Name | Displays the name of the machine. |
| Model | Displays the make of the machine. |
| IP Address | Displays the IP Address of the machine. |
| MAC | Displays Media Access Control Address (MAC) of the machine. |
| RAM Total | Displays the total memory of the machine. |
| Processors | Displays the details of types of processors of the machine. |
| OS Name | Displays the operating system of the machine. |
| Service Pack | Displays the service pack of the machine. |
| Uptime | Displays the elapsed time since the last machine shutdown. |
| Agent Version | Displays the current version of the KBOX Agent installed on the machine. |
| User Name | Displays the user name of the most recent user of the machine. |
| AMP Connection | A icon indicates a constant connection between the KBOX Agent and the KBOX, while a icon indicates that the KBOX Agent and the KBOX are not connected. |
| Last Inventory | Displays the time interval from the last inventory scan executed on the machine and date and time of this scan. |
| Record Created | Displays the date and time when this inventory record was created. |
| Disk # | Displays the details of all the hard disk drives installed on the machine. |



Click Force Inventory Update to synchronize this computer with the server. It requests the agent to
send an inventory to the KBOX.

The Alerts, Patching, and Run Now features work only if there is a constant connection
between the KBOX Agent and the KBOX. For information on how to set up a persistent
connection, refer to Chapter 1, “Configuring AMP Settings for the Server,” starting on
page 24.

Inventory Information
The inventory information section covers the following areas:
Hardware
Printers
Network Interfaces
KBOX Agent
User
Operating System
Notes

Hardware
The hardware section displays the following details. These details vary according to the make of the computer:

| Field | Description |
|---|---|
| RAM Total | Displays the total memory of the machine. |
| Ram Used | Displays the amount of RAM currently used by the machine. This field is not displayed on an Apple machine. |
| Manufacturer | Displays the name of manufacturer. This field is not displayed on an Apple machine. |
| Model | Displays the model details of the machine. |
| Domain | Displays the domain name of the machine. This field is not displayed on an Apple machine. |
| Motherboard Primary Bus, Motherboard Secondary Bus | Displays information about the machine’s motherboard. |
| Processors | Displays the details of types of processors on the machine. |
| CD/DVD Drives | Displays the configuration of drives installed on the machine. |
| Sound Devices | Displays the details of the sound card installed on the machine. |
| Apple Support Info | Displays link to the Apple Support website. This field is displayed only on an Apple machine. |
| SMC Version | Displays the SMC version of the Macintosh® Intel machine. This field is displayed only on an Apple machine. |
| Serial Number | Displays the serial number of the Macintosh® machine. This field is displayed only on an Apple machine. |
| Boot ROM Version | Displays the Boot ROM version of the Macintosh® machine. This field is displayed only on an Apple machine. |
| Video Controllers | Displays the details of video controllers installed on the machine. |
| Dell Service Info | Displays link to the Dell website. You can view the support record for the computer, including the days left on the support agreement, and compare the original with the current system configurations. This field is displayed only on a Dell machine. |
| Monitor | Displays the monitor details of the machine. |
| MPC Service Info | Displays link to the MPC Computers Support website. You can locate your exact system model and original components, as well as drivers, specifications, manuals and installation guides if available. This field is displayed only on a Gateway machine. |
| BIOS Name, BIOS Version, BIOS Manufacturer, BIOS Description, BIOS Serial Number | Displays the BIOS details of the machine. |
| Disk # | Displays the details of all the hard disk drives installed on the machine. |

Printers
This section displays the list of configured printers for the computer.

Network Interfaces
This section displays the following details of the machine:
1. Type and version of NIC card installed
2. MAC address
3. IP address
4. DHCP status (Enabled or Disabled)

KBOX Agent
This section displays the following details:

| Field | Description |
|---|---|
| Agent Version | Displays the version of the KBOX Agent installed on the machine. |
| AMP Disconnected | Displays the date and time when the AMP connection got disconnected. This field is only displayed if the AMP connection is disconnected. |
| KACE ID | Displays the ID of the machine on which the KBOX Agent is installed. You can view the machine ID in the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\KACE |
| Database ID | Displays the id of the machine as reflected in the machine table. |
| Last Inventory | Displays the time when the inventory for the machine last got uploaded to the KBOX. |
| Last Sync | Displays the time when the machine last got synched to the KBOX. |



User
This section displays the details about the last user logged in.

Operating System
This section displays the following details:

| Field | Description |
|---|---|
| Name | Displays the name of the operating system installed on the machine. |
| Service Pack | Displays the service pack of the machine. |
| Version | Displays the version number of the operating system installed on the machine. |
| Build | Displays the build number of the operating system installed on the machine. |
| Number | Displays the version number of operating system installed. |
| Architecture | Displays the architecture of the machine as 32-bit or 64-bit. |
| Installed Date | Displays the date and time when this operating system was installed on the machine. |
| Last System Reboot | Displays the date and time when the machine was last rebooted. |
| Current Uptime | Displays the elapsed time since the last machine shutdown. |
| System Directory | Displays the operating system installation path on the machine. |
| Registry Size | Displays the current registry file size of the machine. |
| Registry Max Size | Displays the maximum registry file size of the machine. |

Notes
This section displays notes related to the machine. You can enter a description in the Notes field. Click
Save to save the description.

Software
The Software section has the following areas:
Installed Programs
Custom Inventory Fields
Uploaded Files
Installed Patches via Inventory
Running Processes
Startup Programs
Services

Installed Programs
This section displays the titles and versions of software programs installed on the computer. The programs
listed here are the same as those listed on the computer’s Add/Remove Programs list.



Custom Inventory Fields
This section lists the Custom Inventory fields that were created for the machine.

Uploaded Files
This section displays a list of the files that have been uploaded to the KBOX from the machine using the
Upload a file Script Task. For adding steps to a task in an Offline KScript or Online KScript, refer to
page 147 in Chapter 8, “To add an Offline KScript or Online KScript:,” starting on page 145. Also refer to
Appendix B, “Adding Steps to Task Sections,” starting on page 331.

Installed Patches via Inventory


This section lists all of the Microsoft patches that have been installed on the computer via Computers |
Inventory.

Running Processes
This section displays a list of all the processes currently running on the computer. This list is the same as
that displayed on the computer’s Task Manager | Processes tab.

Startup Programs
This section displays a list of programs that are launched automatically when the computer starts. These
programs are the same as those listed in the computer’s Start | All Programs | Startup menu.

Services
This section displays a list of services that are running on the machine. Click any of the services and the
Service : Edit Service Detail page appears. The fields on this page represent the service detail information,
which is automatically captured and communicated from the KBOX Agent.

Activities
The Activities section has the following areas:
Labels
Failed Managed Installs
To Install List
Help Tickets

Labels
This section displays the labels that are currently assigned to the computer. Labels are used to organize
and categorize machines.

Failed Managed Installs


This section displays the list of Managed Installations that failed to install on the machine. To access
details about the Managed Installations, click the Managed Software Installation detail page link.

To Install List
This section lists the Managed Installations that will be installed on the machine the next time it connects.

Help Tickets
This section displays the list of the Help Desk Tickets associated with the machine. The Tickets can be
assigned to the machine owner or submitted by the machine owner. To view the details of a Help Desk
Ticket, click the Ticket ID (for example, TICK:0032). Click the [Create New Ticket] link to create a new
ticket. For more information on how to create a ticket, refer to Chapter 11, “Creating and Editing Help
Desk Tickets,” starting on page 217.

Security
The Security section has the following areas:
Patching Detect/Deploy Status
Threat Level 5 List
Oval Vulnerabilities

Patching Detect/Deploy Status


Click Patch Schedules to review patches that you want to detect and deploy on the machine. This
section displays the following details for the machine:
Scheduled Task Status
Deployment Status

You can sort Deployment Status details by the following categories:

Failed
Not Patched
Patched
All
Patch Name
Detect Status
Detect Date
Deploy Status
Deploy Date
Tries

Threat Level 5 List


This section displays the items that are marked with the threat level as 5. A threat that is harmful to any
software, process, startup item, or services associated with the machine is considered as threat level 5.

Oval Vulnerabilities
This section displays the results of OVAL Vulnerability tests run on the machine. Only tests that fail on the
machine are listed by the OVAL ID and marked as Vulnerable. Tests that pass are grouped together and
marked as Safe.

Logs
The Logs section has the following areas:
KBOX Agent Logs
Portal Install Logs
Scripting Logs

KBOX Agent Logs


This section displays the following logs:
KBOX Management Service Logs - The primary role of KBOX Management Service is to execute
the Offline KScripts. The KBOX Management Service logs display the steps performed by KBOX
Management Service to execute the Offline KScripts. These steps include downloading the
dependencies and validating the KBOTS file. Any error in the execution of an Offline KScript is logged in
the KBOX Management Service logs.
KBOX Boot Strap Logs - The KBOX sends a boot strap request to get the inventory information for
a machine that has checked in for the first time. The logs related to this request are displayed in the
KBOX Boot Strap logs.
KBOX Client Logs - The KBOX sends a request to the KBOX Client to get the inventory information
periodically. A script is executed at the KBOX Client, after which it sends the inventory information to
the KBOX. On successful execution of KBOXClient.exe, the inventory is uploaded to KBOX. The
KBOX Client logs display these actions.
KBOX Scripting Updater - A request is initiated periodically from the KBOX Client to get the latest
information related to the changes in Offline KScripts. The KBOX Scripting Updater logs display this
information.

Portal Install Logs


This section provides details about the User Portal packages installed on the machine.

Scripting Logs
This section lists the Configuration Policy scripts that have run on this computer, along with the status of
any scripts in progress.

Asset
The Asset section has the following areas:
Asset Information
Related Assets
Asset History

Asset Information
This section displays the details of the Asset associated with the machine. Details such as the date and
time when the Asset record was created, the date and time when it was last modified, type of the asset,
name of the asset, and machine name are displayed. Click the [Edit this asset] link to edit the asset
information. For more information on editing asset information, refer to Chapter 4, “Managing
Assets,” starting on page 91.

Related Assets
This section displays the list of related assets that are not the parent of this asset.

Asset History
This section displays the changes made to the Asset of the machine. It lists details of all the changes
along with the date and time when each change was made.



Adding Computers to Inventory
The KBOX provides the convenience of automatically adding computers to inventory. This is especially
useful when you maintain a large number of computers on your network. However, the KBOX also provides
the flexibility to manually add computers to inventory. For example, you can track computers that currently
do not have KBOX Agent support or computers that are not available on your LAN.

Adding Computers automatically


Computers are automatically added to the inventory by provisioning the KBOX agent on the computers on
your network. The computers on which the KBOX agent is installed will check into the KBOX and upload all
the available inventory data. For more information on Agent Provisioning, refer to Chapter 2, “Agent
Provisioning,” starting on page 28.

Adding Computers manually


You can maintain inventory data for machines that are on your network but not connected to your LAN
in one central place. This can be done by adding these computers to the KBOX manually from the Inventory
| Computer tab.

To add a computer to inventory manually:

1. Select Inventory | Computers tab.


2. Select Add New Item from the Choose action drop-down list. The Computer: Edit Computer Detail
page appears.
3. Enter the requested computer details.
For an example of the requested computer details, view the computer record of a machine that
is already listed in the inventory.
4. If you prefer, you can import the machine.xml file for this computer.
KBOXClient.exe can take an optional command line parameter, -inventory. To use it, type:
KBOXClient.exe -inventory
The KBOX Agent collects the inventory data and generates a file called machine.xml, which you can
upload here. If you choose this option, the KBOX ignores all other field values on this screen.

To delete a computer:

1. Select Inventory | Computers.


2. Select the check box beside the computer(s) you want to delete.
3. Select Delete Selected Item(s) from the Choose action drop-down list.
4. Click Yes to confirm deleting the computer, or click Cancel to cancel deletion.

To apply a label to a computer:

1. Select Inventory | Computers.


2. Select the computer you want to apply a label to.
3. Select the appropriate label to apply from the Choose action drop-down list.



To remove a label from a computer:

1. Select Inventory | Computers.


2. Select the check box beside the computer(s) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

Software Inventory
In addition to the computers on your network, the KBOX Inventory feature also keeps an inventory of the
software titles installed on each of the computers listed in the inventory. From the Inventory | Software
tab you can see at a glance all the software installed across your network.
By default, the Software List alphabetically lists only the first 100 software titles detected. To view all
software installed, click the Show All link.
From the Software List page you can:
Add or delete software
Add or remove labels
Categorize the Software
Set Threat Level to Software
To view the details of a software title, click the software name link.

Using Advanced Search for Software Inventory


The software inventory can be searched using keywords for software such as Adobe Flash Player or
ActivePerl. For more refined search results, Advanced Search is recommended. This feature allows
you to specify values for each field present in the software inventory record and search the entire
inventory for that particular value. This is useful, for example, if you need a list of computers that have
ActivePerl installed on a specific operating system.

To specify advanced search criteria:

1. Click the Advanced Search tab.


2. Select an attribute from the drop-down list. For example, Display Name (Title).
3. Select the condition from the drop-down list. For example, contains.
4. Enter the Attribute Value. For example, ActivePerl.
In the above example, machines having ActivePerl software will be searched.
Note: You can add more than one criteria.
5. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND.
6. Select an attribute from the drop-down list. For example, Supported OS.
7. Select the condition from the drop-down list. For example, contains.
8. Enter the Attribute Value. For example, XP.
In the above example, machines which have Windows XP OS and ActivePerl software installed will be
searched.



9. Click Search. The refined search results are displayed.

Creating Search Filters for Software Inventory


Filtering enables you to dynamically apply a label based on a search criteria. It is helpful to define filters by
using inventory attributes.

To create a filter:

1. Select Inventory | Software, then click the Create Filter tab.


The Filter criteria fields appear.
2. Specify the search criteria.
3. Choose the label to associate with the filter.
4. To see whether the filter produces the desired results, click Test Filter.
5. Click Create Filter to create the filter.
Now, whenever machines that meet the specified filter criteria check into the KBOX, they will automatically
be assigned to the associated label. You can also add a new software filter or change the order of software
filters from the Reporting | Filters tab. Refer to Chapter 12,“Filters,” starting on page 239 for more
details.

This feature assumes that you have already created labels to associate with a filter. For
information about creating labels, see “Labels,” on page 84.
Deleting a filter does not delete the label.

Software filters are applied in the following ways:

When a specific filter is created on Inventory | Software using the Create Filter tab, it can be
applied to all software.
If a specific filter is edited via Reporting | Filters, it will be reapplied to all software.
All filters can be applied to new software in Inventory.
All filters will be reapplied to new software in Inventory if it is updated with a new supported
OS.
All filters will be reapplied to software when it is updated on Inventory | Software.



Adding Software to Inventory
As with computers, you can add software to inventory either automatically or manually. The KBOX
provides the convenience of adding software titles to the inventory automatically, which is especially useful
when it is difficult to determine and maintain all the titles installed on all the machines in your network.
The KBOX also provides you with the flexibility to manually add software titles to the inventory. For
example, you can add a title that has not yet been installed on your network so that you can create a
managed installation from it and deploy it to the computers on your network at one time.

Adding Software Automatically


Software is added automatically to the inventory by provisioning the KBOX agent on the computers on
your network. The computers on which the KBOX agent is installed will check in to the KBOX and upload
all the available software inventory data. For more information on Agent Provisioning, refer to Chapter
2, “Agent Provisioning,” starting on page 28.

Adding Software Manually


Although the KBOX creates inventory records for the software titles found on your network, there might be
applications you want to add to inventory manually.

To add software to inventory manually:

1. Select Inventory | Software.


2. Select Add New Item in the Choose Action drop-down list. The Software : Edit Software Details
page appears.
3. Enter the general software details.
Be sure to create the Display Version, Vendor, and Software Title information consistently across
software inventory in order to assure proper downstream reporting.
4. Upload or specify links to available information files associated with the software.
5. In the Assign To Label field, select the labels to assign.
6. Enter any other details in the Notes field.
Specify the Custom Inventory ID (rule), for example,
C:\RegistryValueGreaterThan(SOFTWARE\Network Associates\TVD\Shared Components\VirusScan
Engine\4.0.xx,szDatVersion,4.0.44).
Before sending any software to a remote client, the KBOX verifies whether or not that file is present on
the target machine. If it is detected, then it is not sent to the machine a second time. In some
instances, installed programs do not register in add/remove programs or in standard areas of the
registry. In such cases, the KBOX may not be able to detect the presence of the application without
additional information from the administrator and, therefore, the KBOX may repeat the install each time
the client connects.

For more information on Custom Inventory ID (rule), refer to “Custom Inventory ID (rule),” on page 69.

7. Select the supported operating systems in the Supported Operating Systems field.
8. In the Custom Inventory ID (rule) field, enter the Custom Inventory ID.



9. Beside Upload & Associate File, click Browse, and then click Open.
10. Under Metadata, specify the following information:

Category: Select the desired category.
Threat Level: Select the threat level.
Hide from Software Lookup Service: Select this check box if you want to hide this information from the Software Lookup Services.

11. Click Save.

The software detail page displays license information for the software. You can also
view the license asset detail by clicking on the license link.

Custom Inventory ID (rule)


The KBOX inventory rules engine supports the following functions. Custom inventory rules are entered in
the Custom Inventory ID (rule) field.

File System Functions
The FileVersion and ProductVersion functions retrieve the information from the file described in the fullPath
argument.

The term “string” in the function signatures indicates that the value specified for the fullPath
or valueToTest arguments is of type string, not a type such as boolean or integer.
Quotation marks need not be specified in the string value.

DirectoryExists(string dirName)
For example:
DirectoryExists(C:\WINDOWS\)
FileExists(string fullPath)
For example:
FileExists(C:\WINDOWS\notepad.exe)
FileVersionEquals(string fullPath, string valueToTest)
For example:
FileVersionEquals(C:\Program Files\Internet Explorer\iexplore.exe, 6.0.2900.2180)
FileVersionLessThan(string fullPath, string valueToTest)
FileVersionGreaterThan(string fullPath, string valueToTest)
ProductVersionEquals(string fullPath, string valueToTest)
ProductVersionLessThan(string fullPath, string valueToTest)
ProductVersionGreaterThan(string fullPath, string valueToTest)



Registry Functions
RegistryKeyExists(string absPath)
RegistryValueEquals(string absPathToKey, string valueName, string valueToTest)
RegistryValueLessThan(string absPathToKey, string valueName, string valueToTest)
RegistryValueGreaterThan(string absPathToKey, string valueName, string valueToTest)

For example:
RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE,6.000)
The syntax must adhere to the following rules:
It must have three values separated by commas.
Commas are not allowed anywhere else in the string.
It must not include single or double quotes.
It must contain a key that exists under LocalMachine.
Failure to follow these specifications will result in the test evaluating to FALSE, and the install will
proceed.
All comparisons happen as strings; testing other registry value types may not work.
White space is trimmed from the front and back of each variable. Therefore, all of the following
syntaxes are the same:
RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE,6.000)
RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector ,IE,6.000)
RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE ,6.000 )
RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector, IE,6.000 )

The following syntaxes are not the same and would be INVALID:
RegistryValueEquals(SOFTWARE\Mic rosoft\Internet Explorer\Vers ion Vector,IE,6.000)
RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE,6.000)
These operators can be used in conjunction with "AND / OR".
If the functions in the form described above evaluate to true, the software is assumed to be installed on
the target machine, so there is no reason to install the package again, and a corresponding copy of the
software is counted in the KBOX database.
Functions of the form *VersionGreaterThan and *VersionLessThan will attempt to do valid comparisons of
version information. Only numeric versions can be compared. For example, 1.2.3B would not compare
correctly. The following would all behave normally:
1.2.3 < 1.2.4
1.2.3 < 2.4
1.2.3 > .9.1.9
1 < 1.5
1.0.0.0.5 < 1.1



Functions of the form *Equals do string comparisons, so the supplied valueToTest values must
match exactly.
"1.0" does not equal "1.0.0.0"
".9" does not equal "0.90"
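
The syntax rules and comparison behavior described above can be checked before a rule is entered in the Custom Inventory ID (rule) field. The following Python code is an added example, not KACE code: lint_rule, compare_versions and evaluate are hypothetical helper names, the sample rules at the bottom are constructed, and reading a missing or leading-empty version component as 0 is an assumption chosen to reproduce the orderings listed above. It handles a single function call, not AND / OR combinations.

```python
import re

# Function names and argument counts as listed in the guide.
ARITY = {
    "DirectoryExists": 1, "FileExists": 1, "RegistryKeyExists": 1,
    "FileVersionEquals": 2, "FileVersionLessThan": 2, "FileVersionGreaterThan": 2,
    "ProductVersionEquals": 2, "ProductVersionLessThan": 2,
    "ProductVersionGreaterThan": 2,
    "RegistryValueEquals": 3, "RegistryValueLessThan": 3,
    "RegistryValueGreaterThan": 3,
}
RULE_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*$", re.S)
VERSION_ORDER_RE = re.compile(r"Version(LessThan|GreaterThan)$")


def parse_version(text):
    """Return a list of ints for a dotted numeric version, else None.

    Assumption: a leading dot, as in '.9.1.9', means a leading 0 component.
    """
    text = text.strip()
    if text.startswith("."):
        text = "0" + text
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return [int(p) for p in parts]


def compare_versions(a, b):
    """Return -1, 0 or 1, or None when either side is not purely numeric."""
    va, vb = parse_version(a), parse_version(b)
    if va is None or vb is None:
        return None
    width = max(len(va), len(vb))
    va += [0] * (width - len(va))  # assumption: missing components count as 0
    vb += [0] * (width - len(vb))
    return (va > vb) - (va < vb)


def lint_rule(rule):
    """Parse one rule and return (name, trimmed_args, problems)."""
    m = RULE_RE.match(rule)
    if not m:
        return None, [], ["not of the form Function(arguments)"]
    name, body = m.groups()
    if name not in ARITY:
        return name, [], ["unknown function: " + name]
    args = [a.strip() for a in body.split(",")]  # front/back white space is trimmed
    problems = []
    if len(args) != ARITY[name]:
        problems.append("expected %d comma-separated values, found %d"
                        % (ARITY[name], len(args)))
    if any(a == "" for a in args):
        problems.append("empty value")
    if name.startswith("Registry") and re.search(r"['\"]", body):
        problems.append("quotes are not allowed in registry rules")
    if VERSION_ORDER_RE.search(name) and parse_version(args[-1]) is None:
        problems.append("test value is not a purely numeric version")
    return name, args, problems


def evaluate(rule, observed):
    """Evaluate a rule against the value the caller read from the machine.

    observed is None when the file, key or value was not found. A rule with
    problems evaluates to False, matching the guide's statement that a
    malformed rule is FALSE and the install proceeds.
    """
    name, args, problems = lint_rule(rule)
    if problems or observed is None:
        return False
    if name.endswith("Equals"):
        return observed.strip() == args[-1]  # exact string match
    if VERSION_ORDER_RE.search(name):
        order = compare_versions(observed, args[-1])
        if order is None:
            return False  # assumption: a non-numeric version never matches
        return order < 0 if name.endswith("LessThan") else order > 0
    raise NotImplementedError(name + " is linted here but not evaluated")


if __name__ == "__main__":
    # Constructed sample rules: one valid, one with quotes, one with two values.
    samples = [
        r"RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector, IE ,6.000 )",
        r'RegistryValueEquals("SOFTWARE\Example",IE,6.000)',
        r"RegistryValueEquals(SOFTWARE\Example,IE)",
        r"FileVersionGreaterThan(C:\Example\app.exe, 1.2.3B)",
    ]
    for rule in samples:
        name, args, problems = lint_rule(rule)
        print(name, args, problems or "ok")
```

A rule that reports problems here would evaluate to FALSE on every check-in, so the associated package would be installed again each time the client connects.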

Use custom inventory rules when:


The software or item you want to inventory is not listed in Add/Remove Programs.
Different versions of the same software have the same entry in Add/Remove Programs, either with
incorrect or incomplete "Display Version" information.
Example of a custom inventory rule to detect Windows XP Service Pack 2:
Windows XP Service Pack 2 only appears in Add/Remove programs for machines that were originally on
SP1 then upgraded to SP2, so the default KBOX Software inventory for this item will not reflect machines
that are already on SP2 because they were originally imaged at the SP2 level.
When using the KBOX to deploy Windows XP Service Pack 2, you should use the following custom
inventory rule for the Software Inventory item:
RegistryValueEquals(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion,CSDVersion,Service Pack 2)
This custom inventory rule will prevent the KBOX from trying to deploy the SP2 install to any machines
already at that level (i.e., SP1 machines which have been upgraded, as well as machines originally imaged
with SP2).

Creating Software Asset


You can create a software asset using the Inventory | Software tab.

To create a software asset:

1. Select Inventory | Software.


2. Select the appropriate software and then select Create Asset from the Choose Action drop-down
list. The Assets page appears.

Custom Data Fields


You can create custom data fields in order to read information from a target machine and report it in the
Computer Inventory certificate. This is useful for reading and reporting on information in the registry and
elsewhere on the target machine. For example, DAT file version number from the registry, file created
date, file publisher, or other data.
To create a custom data field:

1. Select Inventory | Software.


2. Select Add New Item from the Choose action drop-down list.
3. Enter a Display Name for the field.



4. In the Custom Inventory (ID) rule area, enter the appropriate syntax according to the information you
want to return:
To return a Registry Value, enter RegistryValueReturn(string absPathToKey, string valueName, string
valueType), replacing valueType with either “TEXT”, “NUMBER”, or “DATE”. Note that NUMBER is
specifically an integer value.
Example: RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan
Online,SourceDisk, TEXT)
To return File Information, enter FileInfoReturn(string fullPath, string attributeToRetrieve, string
valueType)
Example: FileInfoReturn(C:\Program Files\Internet Explorer\iexplore.exe, Comments,TEXT)

You can retrieve the following attributes with the FileInfoReturn() function:
Comments Language
CompanyName LegalCopyright
FileBuildPart LegalTrademarks
FileDescription OriginalFilename
FileMajorPart PrivateBuild
FileMinorPart ProductBuildPart
FileName ProductMajorPart
FilePrivatePart ProductMinorPart
FileVersion ProductName
InternalName ProductPrivatePart
IsDebug ProductVersion
IsPatched SpecialBuild
IsPreRelease CreatedDate
IsPrivateBuild ModifiedDate
IsSpecialBuild AccessedDate

Attaching a Digital Asset to a Software Title


Whether you add the software to inventory automatically or manually, after a particular software title is in
inventory, you will need to associate the files required to install the software before distributing a package
to users for installation. To associate multiple files, create a .zip file and associate the resulting archive file.

To attach a digital asset to a software title:

1. Select Inventory | Software.


2. Click the linked name of the software title.
The Software: Edit Software Detail page appears.
3. Beside Upload & Associate File, click Browse.
4. Locate the file to upload, then click Open.



5. Modify other details as necessary, then click Save.

The Software-To-Computer Deployment Detail table at the bottom of the Software | Edit Software Detail
page shows which computers have the software title installed.

To delete a software:

1. Select Inventory | Software.


2. Select the check box beside the software(s) you want to delete.
3. Select Delete Selected Item(s) from the Choose action drop-down list.
4. Click Yes to confirm deleting the software. Otherwise, click Cancel to cancel deleting the software.

To apply a label to a software:

1. Select Inventory | Software.


2. Select the check box beside the software(s) you want to apply a label to.
3. Select the appropriate label to apply from the Choose action drop-down list.

To remove a label from a software:

1. Select Inventory | Software.


2. Select the check box beside the software(s) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

To categorize a software:

1. Select Inventory | Software.


2. Select the check box beside the software(s) you want to categorize.
3. Select the appropriate category from the Choose action drop-down list.

To set threat level to a software:

1. Select Inventory | Software.


2. Select the check box beside the software(s).
3. Select the appropriate threat level from the Choose action drop-down list.



Software Metering
The KBOX Metering feature allows you to keep track of software used across your enterprise.
The Metering feature records and reports the details on the software used across your network. This can
help you to manage license compliance and better negotiate license renewals and upgrades. You can
record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages
provide information on individual software processes, including the name of the computer that is using the
software, the number of times the software was launched, the total minutes the software was used, and
when the software was last used.

Adding a Software Meter


You can add a software meter to monitor the specified process name on the agent machine.
To add a Software Meter:

1. Select Asset | Metering. The Software Metering page appears.


2. Select Add New Item in the Choose action drop-down list. The Software Metering: Edit Detail page
appears.
3. Enter Software Meter details as follows:

Enabled: Select this check box to enable software metering for this software.
Process Name: The specified process name will be monitored on the KBOX Agent machine.
Associated Software: To track usage only on machines with a specific software version deployed, choose the related software inventory item. You can filter the list by entering filter options.
Notes: Enter any notes that further describe or explain this software meter.
Licenses: Displays license information for the software. To view the license asset details, click on the license link.

4. Click Save to save your changes or click Cancel to return to the Software Metering Listing page. Your
Software Meter now appears in the Software Metering Listing page.

The results of the software metering can be seen at two places:


On the Software Metering page
On the Software Metering: Edit Detail page

To view Software Metering results:

1. Select Asset | Metering. The Software Metering page appears.


The software metering page displays useful information such as the Process Name, Enabled, Installed,
Licensed, In Use, and so on.
2. Click the process name. The Software Metering: Edit Detail page appears.
The Month-to-date usage Detail table displays information such as Computer Name, Times
Launched, Minutes Used, and Last Used.



Editing Software Meter Details
You can edit a software meter to monitor the specified process name on the agent machine.
To edit Software Meter details:
1. Select Asset | Metering. The Software Metering page appears.
2. Click the process name. The Software Metering: Edit Detail page appears.
3. Edit Software Meter details as shown in the following table:

Enabled: Select this check box to enable software metering for a software process.
Process Name: The specified process name will be monitored on the KBOX Agent machine.
Associated Software: Select the related software inventory item to track the usage only on machines with a specific software version deployed.
Notes: Enter any notes that further describe or explain this software meter.

4. Click Save to save your changes or click Cancel to return to the Software Metering page.

Deleting a Software Meter


You can delete a software meter.
To delete a Software Meter:
1. Select Asset | Metering. The Software Metering page appears.
2. Select the process or processes whose software meter or meters you want to delete.
3. Select Delete Selected Item(s) from the Choose action drop-down list.
4. Click Yes to confirm deleting the software meter(s). Otherwise, click Cancel to cancel deleting the software
meter(s).

Configuring the Software Metering Settings


You can configure the software metering settings.

To configure Software Metering settings:

1. Select Asset | Metering. The Software Metering page appears.


2. Select the process name.
3. Select Configure Settings in the Choose action drop-down list. The Software Metering Settings
page appears.
4. Edit configuration settings as shown in the following table:

Enabled: Select the check box for metering to run on the target machines.
Allow Run While Disconnected: Select the check box for metering to run even if the machine cannot contact the KBOX to report results. The results will be stored on the machine and will be uploaded once the contact with the KBOX is established.
Allow Run While Logged Off: Select the check box for metering to run even if a user is not logged in. If you clear this check box, the script will run only when a user is logged into the machine.



5. Edit deployment settings as shown in the following table:

Deploy to All Machines: Select the check box if you want to deploy to all the machines. Click OK in the confirmation dialog box.
Limit Deploy To: You can limit deployment to one or more labels. Press CTRL and click to select more than one label.
Supported Operating Systems: Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave blank to deploy to all operating systems.

6. Click Save to save your changes or click Cancel to return to the Software Metering page.

AppDeploySM Live
AppDeploy.com contains information on installation, deployment, and systems management automation.
By putting all the relevant information in one place, it eliminates the need to search for answers across
vendor sites, discussion boards, and technical publications. It offers computer administrators an easy way
to search for answers and solutions.

Enabling AppDeploy Live


Select the Enable AppDeploy Live! check box in the KBOX Settings: General page to integrate
community-submitted information directly from AppDeploy Live. For more information on how to change
the KBOX General Settings, refer to Chapter 1, “Configuring General Settings for the Server,” starting on
page 16.

Viewing AppDeploy Live content


You can view AppDeploy Live contents of your KBOX. From the Inventory tab, you can view AppDeploy
Live information on software, processes, startup programs, and services. AppDeploy Live information can
also be viewed from the Distribution | Managed Installations and Distribution | File
Synchronization tabs.
You can visit www.AppDeploy.com for more information.

To view AppDeploy Live information:

1. Select Inventory | Software. The Software page appears, which lists the software installed on client
machines.
2. Select the software title in order to see the associated information from AppDeploy Live. The Software
: Edit Software Detail page appears.
3. Scroll down to view AppDeploy Live information.

If you have not enabled AppDeploy Live, you cannot view AppDeploy Live
information. Refer to “AppDeploySM Live,” on page 76.



Processes
The KBOX Processes feature allows you to keep track of processes that are running on all agent machines
across your enterprise.
The Processes feature records and reports detailed process information. You can record and view
software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual
processes, including the name of the computer running those processes, system description, and the last
user.
Using the Processes feature, you can:
View Process details
Delete selected processes
Disallow selected processes
Meter selected processes
Apply labels
Remove labels
The processes are categorized as: Audio / Video, Business, Desktop, Development, Driver, Games,
Internet, Malware, Security, and System Tool.

To view process details:

1. Select Inventory | Processes. The Processes page appears.


2. Click on the process name to view details. The Process Details page appears.
3. Select labels to assign to process in the Assign To Label box.
4. Enter any notes that further describe this process in the Special Notes box.
5. Select the category of the process in the Category drop-down list.
6. Select the threat level of the process in the Threat Level drop-down list.
7. Click Save to save the processes details.

You can read comments on the process submitted by other users by clicking [Read
Comments] on the Process Details page. You can also ask for help from KACE about the
processes by clicking [Ask For Help]. You need a KACE user name and password to log in
to the KACE database.

You can also see the computers running the selected process. You can view a printer-friendly version of
this page and print the report.

To delete a process:

1. To delete processes, do one of the following:


From the Processes List view, select the check box beside the process, then select Delete Selected
Item(s) from the Choose action drop-down list.
From the Process detail page, click Delete.
2. Click OK to confirm deleting the selected process.



To disallow processes:

1. Select Inventory | Processes. The Processes page appears.


2. Select the check box beside the process(es) to disallow.
3. Select Disallow Selected Item(s) in the Choose Action drop-down list. The Script : Edit Detail
page appears.
4. Enter the script configuration details, and then click Run Now to run Disallowed Programs Policy.

For more detailed information on scripting and Disallowed Programs Policy, refer to
Chapter 8, “Scripting,” starting on page 142.

To apply a label to a process:

1. Select Inventory | Processes.


2. Select the check box beside the process(es) you want to apply a label to.
3. Select the appropriate label to apply from the Choose action drop-down list.

To remove a label from a process:

1. Select Inventory | Processes.


2. Select the check box beside the process(es) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

To categorize a process:

1. Select Inventory | Processes.


2. Select the check box beside the process(es) you want to categorize.
3. Select the appropriate category from the Choose action drop-down list.

To set threat level to a process:

1. Select Inventory | Processes.


2. Select the check box beside the process(es).
3. Select the appropriate threat level from the Choose action drop-down list.

To meter a process:

1. Select Inventory | Processes.


2. Select the check box beside the process(es).
3. Select Meter Selected Items(s) from the Choose action drop-down list.
The process will be added to the list of processes to be monitored in the Metering tab. For more
information on Software Metering, refer to “Processes,” on page 77.



Startup
The KBOX Startup feature allows you to keep track of startup programs on all agent machines across your
enterprise.
The Startup feature records and reports detailed startup program information. Detail pages provide
information on startup programs, including the name of the computer running those startup programs,
system description, and the last user.
Using the Startup feature, you can:
View startup program details
Delete selected startup programs
Apply or remove labels
The startup programs are categorized as: Audio / Video, Business, Desktop, Development, Driver, Games,
Internet, Malware, Security, and System Tool.

To view Startup detail information:

1. Select Inventory | Startup. The Startup Programs page appears.


2. Click on the startup program name to view details. The Startup Programs : Edit Startup Programs
Detail page appears.
3. Select labels to assign to startup program in the Assign To Label box.
4. Enter any notes that further describe this startup program in the Notes box.
5. Select the category of the startup program in the Category drop-down list.
6. Select the threat level of the startup program in the Threat Level drop-down list.
7. Click Save to save the startup program details.

You can read comments on the startup program submitted by other users by clicking
[Read Comments]. You can also ask for help from KACE about the startup programs by
clicking [Ask For Help]. You need a KACE user name and password to log in to the KACE
database.

You can also see the computers running the selected startup program. You can view a printer-friendly
version of this page and print the report.

To delete a startup program:

1. To delete startup programs, do one of the following:


From the Startup Programs List view, select the check box beside the startup program, then
select Delete Selected Item(s) from the Choose action drop-down list.
From the Startup Program : Edit Startup Program Detail page, click Delete.
2. Click OK to confirm deleting the selected startup program.

To apply a label to a startup program:

1. Select Inventory | Startup.


2. Select the check box beside the startup program(s) you want to apply a label to.



3. Select the appropriate label to apply from the Choose action drop-down list.

To remove a label from a startup program:

1. Select Inventory | Startup.


2. Select the check box beside the startup program(s) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

To categorize a startup program:

1. Select Inventory | Startup.


2. Select the check box beside the startup program(s) you want to categorize.
3. Select the appropriate category from the Choose action drop-down list.

To set threat level to a startup program:

1. Select Inventory | Startup.


2. Select the check box beside the startup program(s).
3. Select the appropriate threat level from the Choose action drop-down list.



Service
The KBOX Service feature allows you to keep track of services running on all agent machines across your
enterprise.
The Service feature records and reports detailed service information. Detail pages provide information
on services, including the name of the computer running those services, system description, and the last
user.
Using the Services feature, you can:
View services details
Delete selected services
Apply or delete labels

The services are categorized as: Audio / Video, Business, Desktop, Development, Driver, Games, Internet,
Malware, Security, and System Tool.

To view service detail information:

1. Select Inventory | Service. The Services page appears.


2. Click the service name to view details. The Service : Edit Service Detail page appears.
3. Select labels to assign to service in the Assign To Label box.
4. Enter any notes that further describe this service in the Notes box.
5. Select the category of the service in the Category drop-down list.
6. Select the threat level of the service in the Threat Level drop-down list.
7. Click Save to save the service details.

You can read comments on the service submitted by other users by clicking [Read
Comments]. You can also ask for help from KACE about the service by clicking [Ask For
Help]. You need a KACE username and password to log in to the KACE database.

You can also see the computers running the selected startup program. You can view a printer-friendly
version of this page and print the report.

To delete a service:

1. To delete services, do one of the following:


From the Services List view, select the check box beside the service, then select Delete Selected
Item(s) from the Choose action drop-down list.
From the Process detail page, click Delete.
2. Click OK to confirm deleting the selected service.

To apply a label to a service:

1. Select Inventory | Service.


2. Select the check box beside the service(s) you want to apply a label to.
3. Select the appropriate label to apply from the Choose action drop-down list.



To remove a label from a service:

1. Select Inventory | Service.


2. Select the check box beside the service(s) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

To categorize a service:

1. Select Inventory | Service.


2. Select the check box beside the service(s) you want to categorize.
3. Select the appropriate category from the Choose action drop-down list.

To set threat level to a service:

1. Select Inventory | Service.


2. Select the check box beside the service(s).
3. Select the appropriate threat level from the Choose action drop-down list.



Monitoring Out-Of-Reach Computers (MIA)
The KBOX MIA tab gives you a way to view the computers that have not checked in to the KBOX in some
time. You can filter the MIA view by computers that have missed the last 1, 5, or 10 syncs, or
which have not communicated with the KBOX in the last 1-90 days. The MIA tab also displays the IP and
MAC addresses of these computers.
From the MIA tab you can remove the computers from the KBOX inventory, as well as assign them to
labels to group them for management action.

Configuring the MIA Settings


You can configure the MIA Settings to enable the KBOX to automatically delete computers from the
inventory after they have not checked in for a specified number of days. This eliminates the need to
manually delete the computers from the Computers - MIA page.

To configure the MIA settings:

1. Select Inventory | MIA.


2. Select Configure Settings from the Choose action drop-down list.
The MIA Settings page appears.
3. Enter the following information:

Automatically delete MIA computers: Select the check box to enable automatic deleting of MIA computers.
Days: Enter the period in number of days. Computers that do not communicate with the KBOX for the number of days specified here will be automatically deleted.

4. Click Save.

To delete a computer:

1. Select Inventory | MIA.


2. Select the check box beside the computer(s) you want to delete.
3. Select Delete Selected Item(s) from the Choose action drop-down list.
4. Click Yes to confirm deleting the computer. Otherwise, click Cancel to cancel deletion.

To apply a label to a computer:

1. Select Inventory | MIA.


2. Select the check box beside the computer(s) you want to apply a label to.
3. Select the appropriate label to apply from the Choose action drop-down list.



Labels
In many areas of the KBOX you will see a labels select list, which allows you to constrain the action to a
specific label or group of labels. There are several ways to group machines with the KBOX. Once grouped
by a label, software, scripts, reports, or software deployments can all be managed on a per label basis.
The label functionality can be manually applied from the Inventory | Labels tab, or automatically, via
LDAP or Active Directory, (Reporting | LDAP Filters tab), or even applied by machine attribute, as we
saw earlier from the Computers | Create Filter functionality.
On the Label Management page you can add or delete labels, search labels, and also see the total number
of computers that belong to a particular label.

Creating Labels
Labels can be used to organize and categorize software, people, and machines. Labels are intended to be
used in a flexible manner and how you use labels is completely customizable. For example, Labels can
reflect corporate structures, organizations, processes, or geographical locations like "Engineering",
"Staging", "Building A", and so on. Labels can be used to identify deployment groups and target machines
for distribution packages. All items that support "labeling" can have none, one, or multiple labels.

To create a label:

1. Select Inventory | Labels.
2. Select Add New Item from the Choose action drop-down list. The Labels : Edit Detail page appears.
3. Enter a name for the label in the Label Name field.
4. Enter any relevant notes about the label in the Notes field.
5. If necessary, enter a value for KACE_ALT_LOCATION.
   This value defines what replaces the string KACE_ALT_LOCATION in the Alternate Download Location value in Managed Installs and File Synchronizations.
   Alternate Download Locations allow the KBOX Agent to retrieve digital installation files from remote locations. Specifying a KACE_ALT_LOCATION here allows you to use this label to specify the alternate location globally. If you apply this label to any machine and Managed Installation, the KBOX will copy digital assets from the Alternate Download Location specified in that label instead of downloading them directly from the KBOX.
   Note: You should not have a machine in two labels that both specify an alternate location value.
6. Specify the Username and Password for the KACE_ALT_LOCATION.
7. Click Save.

Viewing Computer Details by Label


After you’ve created a label, you can view details about the computers on your network that belong to that label. From the Label Detail view you can see:
- The IP addresses and machine names of the computers in the label
- The number of Managed Installations and File Synchronizations deployed to the label
- The number of network scans and scripts run on the machines in the label
- The number of alerts, portal packages, and users associated with the label
- The number of filters and replication shares associated with the label

To view label details:

1. Select Inventory | Labels.


2. Click the linked name of the label.
The Labels: Edit Detail page appears.
3. Click the + sign beside the section headers to expand or collapse the view.

Deleting labels
You can delete labels in two ways: from the Labels List view, or from the Labels: Edit Detail page.

To delete a label:

1. Do one of the following:
   - From the Labels List view, select the check box beside the label, then select Delete Selected Item(s) from the Choose action drop-down list.
   - From the Labels: Edit Detail page, click Delete.
2. Click OK to confirm deleting the selected label.

You cannot delete a label if it is associated with an item, for example, a label associated with a Script or a Managed Installation.

Chapter 4

Asset Management

The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way.

- “Overview of Asset Management”
- “Managing Asset Types”
- “Managing Assets”
- “Licensing”
- “Importing Asset”

Overview of Asset Management
The Asset Management feature enables you to identify asset types, objects, and relationships between asset types and objects. You can track existing assets, licensing, and cost information, and generate reports to match your environment's needs.
When working with asset management, it is important to understand that two types of assets are managed under the KBOX:
- Organizational assets (like Department, Location or Cost Center)
- Physical assets (like Computers, Users, Phones or Projectors)

Organizational assets are used as a way to collect similar sets of physical assets. Before you begin to use assets, you should establish the asset types that make sense for you, both in terms of the organizational elements you want to use and the physical asset types you want to track.
You can view the list of available assets from the Asset | Assets tab.
With the Assets tab you can:
- Add or delete assets
- Configure Asset types
- Add or delete software licenses
- Import data

Managing Asset Types


There are several built-in Asset Types:
- Computer
- Cost Center
- Department
- Location
- License
- Software
- Vendor
These built-in asset types cannot be deleted.

If you delete a custom asset type, then all the assets using that asset type will be
deleted.

You can add an unlimited number of asset types. Asset types can have any number of attributes, for
example, ‘Name’. The ‘Name’ attribute has to be unique and cannot be the same as the built-in asset
name. Asset types can be organized into logical groups or hierarchies to allow for roll up reporting.

Assets can point to other Assets and to Inventory records like Machine, User, and Software. Relationships can be either one-to-one or one-to-many. Asset fields have a default value that is used when filling in a new asset. Changing the default value in the asset type does not change any existing records; it affects only newly created records.

Asset Association
You can create an asset field and associate it with another asset using the field type. Associations are defined in Asset Types, and are used in assets.
Asset associations are of the following types:
- User
- Parent
- Asset Computer
- Asset Cost Center
- Asset Department
- Asset License
- Asset Location
- Asset Software
- Asset Vendor

Computer Asset
When a machine checks into the KBOX, an asset of type Computer is automatically created.
The Computer asset is mapped to a machine automatically using the following two fields:
- mapped inventory field
- mapped asset field
The mapped inventory field enables you to select a field that is checked against the inventory to verify whether the machine that has just checked in is already an asset.
For example, suppose that:
- machine inventory field = IP address
- Matching asset field = Name
When a machine with an IP address shows up, the IP is checked against the IP of existing assets (machines). If the same IP is not assigned to any other asset, then a new asset with Name = IP address is created.
If the mapped inventory field is IP address and the matching asset field is different, perhaps an asset field called IP, then an asset is created with the system name as its Name and the IP address as its IP.
The matching asset field has to be of type text.

To add a new Asset Type:

1. Select Asset | Asset Types. The Asset Types page appears.
2. Select Add New Item from the Choose action drop-down list. The Asset Type Detail page appears.
3. Enter a name for the Asset Type in the Name field.

   You cannot create a new asset type with the same name as a built-in asset type.

4. You can add associations by adding an asset field. To add asset fields, click the button in the Asset Fields table.
5. Enter the following details depending on the selected Asset Type:

   Name: Enter a relevant name for the custom asset field, such as Asset Code, Purchase Date, or Building Address Line 1. This name appears on the data entry page for the asset.

   Select Values: This field is enabled when you choose Single Select or Multiple Select from the Field Type list. Enter the values for this custom asset field. You must type at least one value in this field.
   Note: These values should be entered as comma-separated strings.

   Default: Enter the default value for this field. If you choose Single Select or Multiple Select from the Field Type list, you must enter one of the values given in the Select Values field.

   Required: Select the check box to make the custom asset field a mandatory field. If you select the check box, you need to enter a value for this custom asset field before saving the Asset Type Detail page.

   Field Type: Select the appropriate field type.
   - Single Select (single value length 255K, list length 65k)
   - Multiple Select (single value length 255K, list length 65k)
   - Text field (length 255K)
   - Attachment - This field type allows you to attach a file to the asset.
     Note: You can create multiple attachment fields per Asset Type.
   - Notes (length 65K)
   - Date ('1000-01-01' to '9999-12-31')
   - Label - This field type allows you to assign a label to this asset.
   - Number (-9223372036854775808 to 9223372036854775807)
   - Parent - This field type allows this asset to point to the same type of asset in a parent-child relationship. For example, you can allow the Location Asset type to have a Parent connection, so that a 'New York' Location asset can point to a 'North America' Location asset. This can then be used in the reporting system to show all Assets in North America. This report contains all the assets in New York and in North America.
   - User - This field type allows you to associate an asset record with one of the User records from the Inventory system.
   - Asset ASSET_TYPE - This field type is similar to the single select field type and the multiple select field type, but you cannot specify the values for this custom field type. The values are retrieved from the current list of Assets in the system.

   Allow Multiple: This check box is enabled when you select Asset ASSET_TYPE from the Field Type list. Select this check box to allow this custom field to point to multiple records. For example, the License Asset type can point to many computers that are approved for a particular License. A single relationship might have a printer pointing to a single Department record, indicating that this printer is used by only one department.

   When you rename a custom asset field, the values for that field are retained. However, when you remove the custom asset field, values for that custom field are removed from all assets.
   When you change the Field Type of a custom asset field, the system tries to retain the previous values, but you may also lose some data.
   If you click Delete for a Custom Asset Type, the Asset Type definition and the assets of this type are removed from the system. For example, if Asset Type1 is a custom field for another Asset Type2, remove this association first before attempting to delete Asset Type1.

6. Click Save next to the Allow Multiple column to save the entries in the Asset Fields table.
7. Click Save located at the end of the screen to save the Asset Type you added.

Managing Assets
You can add a new asset, delete an existing asset, or view assets by using the Asset | Assets tab.
You cannot delete a parent asset if it has child assets associated with it. Assets can be viewed by asset type or by association. You can view the related assets that are not part of any particular asset and can duplicate any existing asset.
Changes made to an asset are recorded as part of its History. Asset History is displayed on the Asset Detail page.

To add an asset:

1. Select Asset | Assets. The Assets page appears.
2. Select the asset type you want to add from the Choose action drop-down list. The Asset Detail page appears.
3. Enter the name of the selected asset type in the Name field, and then click Save. All asset types have Name as a standard field. If you are adding an asset of computer type, enter the following information:
   a. Select the machine from the Machine list, and then enter the filter criteria in the Filter box. Machine is a default field that comes with the asset type.
   b. Enter the date of asset creation in the Date Created box.
   c. Enter additional information on the asset in the notes box.
   d. Enter the asset id in the id box.

   Date created, notes, and id are the asset fields created for an asset of computer type.

4. If you want to add another asset, click Save and New. Otherwise, click Save to save the asset.

To view assets:

1. Select Asset | Assets. The Assets page appears.
2. To view assets by asset type or association, select the asset type or association from the View by asset type drop-down list. A list of filtered assets appears.

   The Assets page also shows the associated assets.

3. Select the asset title to see detailed information about that asset. The Asset Detail page appears.
4. If you want to duplicate the details of this asset, click Duplicate, and then click Save.
5. After editing the asset information, click Save.
6. In the Related Assets table, you can view the related assets that are not parents of this asset. Click the asset name to view the asset details of a related asset.
   For example, if computer A's Location is associated to computer X, then computer A will be listed as a related asset on computer X's page, but on computer A's page, you will not see computer X. This is because child assets are shown on the related assets list.

   If the asset you are viewing is associated to a software or machine, click the asset name to view the Inventory page.

7. In the History table, you can view changes made to the asset.

To add a software asset:

1. Select Asset | Assets. The Assets page appears.
2. Select the Software asset type from the Choose action drop-down list. The Asset Detail page appears.
3. Enter the name of the selected asset type in the Name field.
4. Select the software you want to add from the Software drop-down list, and then enter the filter criteria in the Filter box.
   At any time, only the first 20 entries for a particular filter are shown in the Software drop-down list.
   Using the Software field, existing Software can be associated with the created Software Asset.
5. Select the software label you want to apply from the Software Label drop-down list, and then enter the filter criteria in the Filter box.
6. If you want to add another asset, click Save and New. Otherwise, click Save to save the asset.

Licensing
You can create, edit, and delete licensed assets with the KBOX. You can assign licenses to software and computers, specify or view the number of licenses available, and keep track of the expiry date for each license.
When you assign a license to software, the license is linked with the software. You can view this license information in the software details page, the metering page, and the software library admin and user pages. You can also navigate to the license asset detail page by clicking the license link in the software detail page, the metering page, and the software library admin and user pages.
Before you create a licensed asset for any software, make sure that you have the software asset. You must first create the software asset and then create a license asset for that particular software asset.
For more information on how to create a software asset, refer to “Creating Software Asset,” on page 71.

To add new license:

1. Select Asset | Assets. The Assets page appears.
2. Select License from the Choose action drop-down list. The Asset Detail page appears.
3. Enter the following information:

   Name: Enter the name for this license.
   Seats Licensed: Enter the number of licenses available.
   Applies to Software: Select the software to which you want to assign this license.
   Approved for Computer: Select the computer to which you want to assign this license.
   License Mode: Select the appropriate license mode.
   Product Key: Enter the license key for the product.
   Unit Cost: Enter the cost of each license.
   Expiration Date: Enter the expiration date for this license.
   Vendor: Select the vendor name for this license.
   Filter: Enter the filter criteria for the Vendor list.
   Purchase Order #: Enter the purchase order number for this license.
   Purchase Date: Enter the date when you purchased this license.
   Notes: Enter notes about this license.
   License Text: Enter license text, such as the end-user license agreement.
   Custom Field #1 to Custom Field #6: Enter information in the custom fields if necessary.

4. Click Save to save the license asset. To save and add another license asset, click Save and New.

Monitoring licenses of a Software family


This feature enables you to use a single software asset to monitor licenses of software belonging to the same family.
Suppose, for example, that you buy ActivePerl with 100 seats licensed. This software has many versions, but they all belong to the same software family, ActivePerl. Each version of ActivePerl has an individual record in Software | Inventory.

To create a software asset:

1. Select Inventory | Software, then click the Create Filter tab. The Filter criteria fields appear.
2. Specify the search criteria as ActivePerl.
3. Create a label named “ActivePerl”. For more details, refer to Chapter 3, “Labels,” starting on page 84.
4. Choose the ActivePerl label you have created to associate with this filter.
5. To test whether the filter produces the desired results, click Test Filter.
6. Click Create Filter to create the filter. All software meeting this filter criteria is now labeled “ActivePerl”.
7. Create a software asset. For more details on creating a software asset, refer to “Managing Assets,” on page 91.
8. Assign the software label “ActivePerl” to this newly created software asset.
Now, for all new versions, enter a license record with appropriate details and relate it to the software asset created above.
You can then monitor the number of licenses/software/installed counts for ActivePerl by selecting Assets | Assets or Reporting | Summary.

Generating Reports
You can run various reports to display information about the licenses assigned to software and computers. These reports are described below.

| Category | Report | Description |
|---|---|---|
| Compliance | Software Compliance Simple | Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes. |
| Compliance | Software License Compliance Complete | Lists software and computers that are impacted by each license record. |
| Compliance | Unapproved Software Installation | Lists software found on computers that do not have approved licenses. |

Table 4-1: License Reports

Importing Asset
The Asset Import feature allows you to import asset data from a CSV file into the desired asset type.

To import assets data:

1. Select Asset | Asset Import. The Kace Asset Import Wizard - Upload File page appears.
2. In the Select file box, specify the CSV file path or click Browse to select the CSV file.
3. Select the Is header name in the file check box if the CSV file contains a header.
4. Click Next. The Kace Asset Import Wizard - Asset Type Selection page appears.
5. From the Asset Type drop-down list, select the asset type into which data needs to be imported from the CSV file.
6. Click Next. The Kace Asset Import Wizard - Mapping page appears. This page displays the mapping of the CSV fields against the fields of the selected Asset Type.
7. Under Standard Fields, perform the following steps:
   a. Choose the required CSV field from the CSV Fields drop-down list to match the corresponding standard field for the Asset Type.
   b. Select the PK check box to choose this field as the primary key.

   Mapping of Standard fields is mandatory.

8. Under Asset Fields, perform the following steps:
   a. Choose the required CSV field from the CSV Fields drop-down list box to match the corresponding Asset field.
   b. Select the PK check box to choose this field as the primary key.
   You can select one or more fields as the composite primary key.

   If none of the Asset Type records match the value of the CSV field chosen as primary key, the record will be inserted.
   If only one Asset Type record matches the value of the CSV field chosen as primary key, the record will be updated.
   If more than one Asset Type record matches the value of the CSV field chosen as primary key, the record will be flagged as duplicate.

9. Click Re-Upload File if you want to upload the file again. Follow the procedure from step 2 above.
10. Click Preview. It will take you to the confirmation page.
11. Click Import Data. The Kace Asset Import Wizard - Result page appears.
12. To import more assets data, click More Import. Otherwise, click Done.
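
The primary-key matching rules in step 8 can be rehearsed on a copy of the data before running the wizard, which shows how the choice of PK fields decides whether a row is inserted, updated, or flagged as duplicate. The following is an added example, not KACE code; the field names, sample records, CSV content, and the exact-string comparison are all assumptions made for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample: records already stored for the selected Asset Type.
EXISTING_ASSETS = [
    {"Name": "LAPTOP-001", "Asset Code": "A-100", "Location": "Building A"},
    {"Name": "LAPTOP-002", "Asset Code": "A-101", "Location": "Building A"},
    {"Name": "PRINTER-01", "Asset Code": "P-200", "Location": "Building A"},
    {"Name": "PRINTER-01", "Asset Code": "P-201", "Location": "Staging"},
]

# Constructed sample CSV with a header row.
SAMPLE_CSV = """hostname,code,site
LAPTOP-001,A-100,Engineering
LAPTOP-003,A-102,Staging
PRINTER-01,P-200,Building A
PRINTER-01,P-999,Engineering
"""

# Mapping page choices: asset field -> CSV column (hypothetical names).
MAPPING = {"Name": "hostname", "Asset Code": "code", "Location": "site"}


def classify_import(csv_text, mapping, pk_fields, existing):
    """Return (csv_line, key, action) for each data row.

    action is "insert" when no existing record matches the primary key,
    "update" when exactly one matches, and "duplicate" when several match.
    Comparison is exact string equality (an assumption of this example).
    """
    if not pk_fields:
        raise ValueError("select at least one PK field")
    unmapped = [f for f in pk_fields if f not in mapping]
    if unmapped:
        raise ValueError(f"PK fields without a CSV column: {unmapped}")

    # Count existing records per (possibly composite) primary-key tuple.
    key_counts = Counter(
        tuple(rec.get(f, "") for f in pk_fields) for rec in existing
    )

    results = []
    reader = csv.DictReader(io.StringIO(csv_text))
    # Data rows start on line 2 because line 1 is the header.
    for line_no, row in enumerate(reader, start=2):
        key = tuple(row[mapping[f]] for f in pk_fields)
        matches = key_counts[key]
        if matches == 0:
            action = "insert"
        elif matches == 1:
            action = "update"
        else:
            action = "duplicate"
        results.append((line_no, key, action))
    return results


def summarize(results):
    """Count how many rows fall under each action."""
    return dict(Counter(action for _, _, action in results))


if __name__ == "__main__":
    # Compare a single-field key with a composite key on the same data.
    for pk in (["Name"], ["Name", "Asset Code"]):
        outcome = classify_import(SAMPLE_CSV, MAPPING, pk, EXISTING_ASSETS)
        print("PK =", pk, "->", summarize(outcome))
        for line_no, key, action in outcome:
            print(f"  line {line_no}: {key} -> {action}")
```

With Name alone as the key, both PRINTER-01 rows are flagged as duplicates because two existing records share that name; adding Asset Code to the composite key resolves them into one update and one insert.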

Chapter 5

IP Scan

IP scan is a technology offered with the KBOX that allows you to scan a range of IP addresses to detect the existence and attributes of various devices on a network.

- “IP Scan Overview”
- “Viewing Scheduled Scans list”
- “Creating an IP Scan”

IP Scan Overview
The KBOX can scan a range of IP addresses for SNMP-enabled machines, allowing you to retrieve information about machines connected to your network. Although IP Scans have their own server-side scheduling, you can invoke a scan on demand, or schedule an IP scan to run at a specific time.
IP scan reports a variety of inventory data that lets you monitor the availability and service level of a target machine. Because IP scan scans ports in addition to IP addresses, you can collect data even without knowing the IP addresses of the target machines.
It can scan any type of device (as long as the device has an IP address on the network), including computers, printers, network devices, servers, wireless access points, routers, and switches. You can create and view IP scans from the Inventory | IP Scan tab.
From the Network Scan Settings page you can:
- Add New Item
- Delete Selected Item(s)
- View Scan Inventory
- Scan Selected Items Now
Select View Scan Inventory from the Choose action drop-down list. The Network Scan Results page appears.
From the Network Scan Results page you can:
- Exclude Unreachable Items or Include Unreachable Items
- View scan schedules
- Schedule new scan
- Delete selected items
- Apply label or delete label
- Create a remote connection to the machine (This can be done only if configured under Machine Action.)

Viewing Scheduled Scans list


By default, the IP Scan tab displays the results of configured Network Scans that have been run. You can
modify this view to show the scans that are scheduled to occur in the future.

To view scheduled scans:

Select Inventory | IP Scan. The Network Scan Settings page opens, which displays the Network Scan
Schedules.

Creating an IP Scan
You can create a network scan that will look for DNS, Socket, and SNMP across a subnet or subnets. You can also define a network scan to look for devices listening on a particular port (for example, Port 80). This allows you to view devices that are connected to your network even when the KBOX Agent is not installed on those devices.
When defining a network scan, it’s important to balance scope of the scan (number of IP addresses you
are scanning) with the depth of the probe (number of attributes you are scanning for) so that you do not
overwhelm your network or the KBOX 1000 Series appliance itself. For example, if you needed to scan a
large number of IP addresses frequently, you should keep the number of ports, TCP/IP connections, and
so on, relatively small. As a general rule, KACE recommends scanning a particular subnet no more than
once every few hours.

The KBOX Agent listens on port 52230. To determine which machines on your network are running the KBOX Agent, define a network scan to report which machines are listening on that port.

To create an IP scan:

1. Select Inventory | IP Scan. The Network Scan Settings page appears.
2. Select Add New Item in the Choose action drop-down list. The Network Scan Setting page appears.
3. Enter a name for the scan in the Network Friendly Scan Name field.
4. Enter the IP range to scan in the Network Scan IP Range field.
5. Specify the DNS lookup test details:

   DNS Lookup Enabled: Select to check live addresses against the DNS server to see if they have a name associated with them. This can help you identify known nodes on your network.
   Name Server for lookup: Enter hostname or IP address.
   Lookup time out: Enter the time out interval (in seconds).

6. Select the Ping Test Enabled check box.
   The Ping test must be enabled in order to run other tests. The Ping or Socket tests determine if the address is alive. If it is, then an SNMP or a Port Scan can be run against it. If the Ping and Socket tests are disabled, then the other tests will not be run.
7. Specify the Connection test details:

   Connection Test Enabled: Select the check box to perform connection testing during the Network scan.
   Connection Test Protocol: Enter the protocol to use.
   Connection Test Port: Enter the port to use for testing the connection.
   Connection Time Out: Enter the time out interval (in seconds).

8. Specify SNMP test details:

   SNMP Enabled: Select the check box to enable SNMP scanning.
   SNMP Public String: Enter Public string.

9. Specify Port scan test details:

   Device Port Scan Enabled: Select the check box to enable port scanning of device ports.
   TCP Port List: Displays a comma-separated list of TCP ports to scan.
   UDP Port List: Displays a comma-separated list of UDP ports to scan.
   Port Scan Time Out: Enter the time out interval (in seconds).

10. Specify scan schedule:

   Don’t Run on a Schedule: Select to run the tests in combination with an event rather than on a specific date or at a specific time.
   Run Every n minutes/hours: Select to run the tests at the specified time.
   Run Every day/specific day at HH:MM AM/PM: Select to run the tests on specified day at the specified time.
   Run on the nth of every month/specific month at HH:MM AM/PM: Select to run the tests on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

11. Click Save, or click Scan Now to run the scan immediately.

Deleting a Scan Configuration will also delete all associated scan inventory items. So if
you wish to maintain the scan inventory but do not want to "rescan" then you can just
set the schedule of the scan configuration to not run.

To search Network Scan Results on the basis of status fields:

1. Click Inventory | IP Scan. The Network Scan Settings page appears.
2. Select View Scan Inventory from the Choose action drop-down list. The Network Scan Results page appears.
3. Click the Advanced Search tab.
4. Select an attribute from the drop-down list. For example, Ping Status.
5. Select the condition from the drop-down list. For example, =.
6. Specify the Attribute Value. For example, 1.
   In the above example, the search returns machines that show a successful Ping Status.
7. Click Search. The search results are displayed below.

Clicking the IP address of a network device displays the values for Ping Status, Connection Status, and SNMP Status as "Succeeded" or "Failed". However, the underlying database fields actually contain a 0 for Failed and 1 for Succeeded. Therefore, when using these fields as criteria for advanced search, filters, or notifications, you must use the numeric values.

Scan Filters
The Network Scan Filter searches for all devices that are detected in the Network Scan, including DNS,
Socket, and SNMP across a subnet or subnets.
Filtering enables you to dynamically apply a label based on search criteria.

To filter the Network Scan Results:

1. Select Inventory | IP Scan. The Network Scan Result page appears.


2. Click the Create Filter tab. The Filter criteria fields appear.
3. Specify the search criteria.
4. Choose the label to associate with the filter.
5. To see whether the filter produces the desired results, click Test Filter.
6. Click Create Filter to create the filter.
Now, whenever devices that meet the specified filter criteria are detected in the network scan, they will
automatically be assigned to the associated label. You can modify or delete a filter after it has been
created, from the Reporting | Scan Filters tab.

This feature assumes that you have already created labels to associate with a filter.
Deleting a filter does not delete the label.

You can specify the order in which scan filters will run by editing the Order value for scan filters.

To edit the order value:

1. Select Reporting | Scan Filters. The Scan Filters page appears.


2. Select Order Items in the Choose action drop-down list. The Order Scan Filters page appears.

3. Click the icon beside an order value to modify it.


4. Enter the appropriate order value and click Save.
Scan filters with lower Order values are run before Scan filters with higher Order values. When a new
scan filter is created, it has an Order value of 100.

Chapter 6

Distribution

The KBOX Distribution feature provides various methods for deploying software, updates, and files to computers on your network.

- “Distribution feature Overview”
- “Types of Distribution Packages”
- “Managed Installations”
- “Examples of Common Deployments on Windows”
- “Examples of Common Deployments on Linux”
- “Examples of Common Deployments on Solaris™”
- “Examples of Common Deployments on Macintosh®”
- “File Synchronizations”
- “Replication”
- “iPhone”

Distribution feature Overview
KACE recommends that customers follow a predefined set of procedures before deploying any software on
their network. The following illustration represents a high-level example of a generic distribution process.
This process can be modified to meet the needs of your organization. However, to avoid distribution
problems, it is important to test various deployment scenarios prior to deployment.

Figure 6-1: Basic Deployment procedure (Inventory & Assess, Test, Target, Deploy, Report)

One of the most important concepts in the deployment procedure is to test each deployment before rolling
it out to a large number of users. The KBOX verifies that a package is designated for a particular system,
machine, or operating system. However, it cannot assess the likelihood that a particular package behaves
well with existing applications on the target machine. Therefore, we strongly suggest that you establish
procedures for testing each piece of software before deploying it on your network.
One of the ways to do this is to develop a test group of target machines and deploy the required software
using the KBOX. This helps you to verify the compatibility of the software with the operating system and
other applications within your test group. You can create a test label and perform a test distribution before
you go live in your environment. You can create a test label from the Inventory | Labels tab. For more
information about creating labels, see “Labels,” on page 84.
This chapter focuses primarily on the Test, Target, and Deploy portions of this flow diagram. For more details on creating an inventory of computers and software packages in use on your network, see Chapter 3, “Inventory,” starting on page 54.

Types of Distribution Packages
There are three primary types of distribution packages that can be deployed on the computers in your network:
- Managed installations
- File synchronizations
- KBOX Agent

Distribution packages (whether for managed installation, file synchronization or user portal packages) CANNOT be created until a digital file is associated with an Inventory Item. This rule applies even if you are:
- Sending a command, rather than an installation or a digital file, to target machines.
- Redirecting the KBOX Agent to retrieve the digital asset (for example, .exe, .msi) from an alternate download location.

To create a distribution:

1. Install the package manually on a machine.
2. Take an inventory of that machine. For more information on how to take an inventory, see “Software Inventory,” on page 66.
3. Use the item listed in the Software Inventory list for the Managed Installation.
If you need to create packages with different settings, such as parameters, labels, or deployment
definitions, you can create multiple distribution packages for a single Inventory item. However, the
Managed Installation (MI) cannot be verified against more than one inventory item because the MI checks
for the existence of one and only one inventory item.

Although the KBOX Agent tab is listed under the Distribution tab, “Deploying the KBOX Agent” is discussed as part of the installation and setup process in Chapter 1, “Getting Started,” starting on page 1. For information about updating an existing version of KBOX Agent, please see Chapter 2, “KBOX Agent Update,” starting on page 47.

Distributing Packages through the KBOX


Packages distributed through the KBOX are only deployed to target desktops if the Inventory Item is
designated to run on the target operating system. For example, if the Inventory Item is defined for
Windows XP Professional only, the Inventory Item does not deploy on Windows 2000.
Also, the package does not deploy if it is designated for a target label of which the target machine is not a
member. For example, if the Deployment Package is set to deploy to a Label called ‘Office A’, it does not
deploy to machines that are not in ‘Office A’. When the KBOX creates a software inventory item, it only
records the operating systems on which the item was installed, in the Inventory detail record.
A Managed Installation must be enabled by selecting a managed action and a deployment window.
The KBOX may attempt to deploy a package repeatedly even though it is already there, if the display name
of the Software Inventory Item does not exactly match the name that the software registers in Add/
Remove programs.

To ensure that the Inventory Item display name exactly matches, it is recommended to first install the
desired package on a target machine and then take an automatic inventory of that machine using the
KBOX. The newly installed package appears in the inventory list. You can then associate a digital file and
create one or more deployment packages.

Distributing Packages through an Alternate Location


The KBOX supports software distribution from alternate locations. The KBOX Agent can retrieve digital
installation files from remote locations, as opposed to the KBOX, including a UNC address, a DFS source,
or an HTTP location. The CIFS and SMB protocols, SAMBA servers, and file server appliances are supported
by the KBOX.
The alternate download feature is used to address many administrative issues, including remote sites with
restricted bandwidth, which might result in difficulties accessing the KBOX. You can also use alternate
download locations, if you don't want to store large packages on the KBOX.
An alternate download location can be any path on the network. Ensure that the alternate location has
files that are required for installing the respective application.
In order to activate this capability, you must enter an Alternate Checksum (MD5) that matches the MD5
checksum on the remote file share (for security purposes). You may use any tool to establish your
checksum. For creating your MD5 hash, you can use the KBOX Admin Utilities tool, which is available on
the KBOX Agent CD. There are other utilities that work equally well.
To create the MD5 checksum by using the client software, use:
KBOXClient -hash=FILENAME
This displays the MD5 hash for the supplied file.
If no checksum is entered, then the digital asset on the file share must exactly match the digital asset
associated with the Deployment Package on the KBOX 1000 appliance. Also, the target path must include
the complete filename (for example, \\fileserver_one\software\adobe.exe).
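The three rules above (a complete filename in the path, an Alternate Checksum that matches the file on the share, and an exact match with the KBOX copy when no checksum is entered) can be checked before a package goes live. The following is an added example, not part of this guide or of the KBOX software; the function names and sample files are constructed for illustration, and it assumes the script can read both the file uploaded to the KBOX and the copy on the share.

```python
import hashlib
import ntpath
import os
import tempfile


def file_digests(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a large installer is never read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    # MD5 is what the Alternate Checksum field takes; SHA-256 is computed as well
    # for the administrator's own records.
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def check_alternate_download(location, share_copy, kbox_copy, alternate_checksum=""):
    """Return a list of problems with an alternate download setup (empty list = OK).

    location           text typed into Alternate Download Location (UNC or HTTP)
    share_copy         path where this script can read the file on the share
    kbox_copy          path of the file that was uploaded to the KBOX
    alternate_checksum text typed into Alternate Checksum (MD5), may be empty
    """
    problems = []

    # Rule from the guide: the target path must include the complete filename.
    # ntpath.basename splits on both "\" and "/", so it handles UNC and HTTP forms.
    name = ntpath.basename(location.strip())
    if not name:
        problems.append("location does not end in a filename")
    elif name.lower() != os.path.basename(share_copy).lower():
        problems.append("location names %r but the share file is %r"
                        % (name, os.path.basename(share_copy)))

    share = file_digests(share_copy)
    entered = alternate_checksum.strip().lower()
    if entered:
        # Rule: the entered MD5 must match the MD5 of the file on the share.
        if entered != share["md5"]:
            problems.append("Alternate Checksum does not match the file on the share")
    else:
        # Rule: with no checksum, the share file must exactly match the KBOX file.
        if share["sha256"] != file_digests(kbox_copy)["sha256"]:
            problems.append("no checksum entered and share file differs from KBOX file")
    return problems


def demo():
    """Run the check on constructed sample files and return the findings per case."""
    with tempfile.TemporaryDirectory() as tmp:
        kbox = os.path.join(tmp, "kbox_adobe.exe")
        good_dir, bad_dir = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        os.mkdir(good_dir)
        os.mkdir(bad_dir)
        good, bad = os.path.join(good_dir, "adobe.exe"), os.path.join(bad_dir, "adobe.exe")
        payload = b"constructed installer bytes " * 1000
        for path, data in ((kbox, payload), (good, payload), (bad, payload + b"!")):
            with open(path, "wb") as handle:
                handle.write(data)
        md5 = file_digests(kbox)["md5"]
        unc = r"\\fileserver_one\software\adobe.exe"
        return {
            "good share, checksum entered": check_alternate_download(unc, good, kbox, md5),
            "altered share, checksum entered": check_alternate_download(unc, bad, kbox, md5),
            "altered share, no checksum": check_alternate_download(unc, bad, kbox),
            "directory instead of file": check_alternate_download(
                "\\\\fileserver_one\\software\\", good, kbox, md5),
        }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "OK")
```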

When the KBOX is fetching files, the priority for fetching files is as follows:
1. Alternate download location
2. Replication point
3. KBOX
If a replication point is specified in the label, the replication share is always used
instead of an alternate download location.
If there is no replication point, the KBOX Agent fails over to the KBOX.

Difference between Replication Share and Alternate Download Location
The difference between a replication share and an alternate download location is that:
A replication share is a full replication of all digital assets and is managed automatically by the KBOX.
An alternate download location can be any path on the network, and you have to make sure that the
alternate location has the files that might be needed to install a particular application.

Whenever a replication share is specified for a label, machines in that label go to that replication share to
get files, as long as the machine is a member of only one label with a replication share. If a replication
share is specified, it is always used instead of any other alternate location.
The agent always fails over to the KBOX in the following scenarios:
There is no replication share specified for any label it is a member of
There is more than one possible replication share identified

For more information on replication shares, refer to “Replication,” on page 127.

Managed Installations
Managed Installations enable you to deploy software to the computers on your network that require an
installation file to run. You can create a Managed Installation package from the Distribution | Managed
Installation page.
From the Managed Installations tab you can:
Create or delete Managed Installations
Execute or disable Managed Installations
Specify a Managed Action
Apply or remove a label
Search Managed Installations by keyword

Installation Parameters
The KBOX allows package definitions to contain .MSI, .EXE, .ZIP and other file types for software
deployment. A simple litmus test of the KBOX's ability to install a package is "Can this file be installed by an
administrator on a local machine either by running a single file or BAT file or VBScript?" If so, the package
can be installed remotely by the KBOX. In order to simplify the distribution and installation process, the
package definition can also contain parameters that are passed to the installer at run time on the local
machine.
Parameters can be used to support custom installation settings. For example, the parameter may instruct
the KBOXClient to install a program with specific install options configured, such as standard install,
bypass auto-restart, and so on. You can identify which parameters are supported by your .MSI or any
other installer by following the steps given below:
Note: If these steps do not work, you may need to research the parameter options - if any - with the
vendor of the software.
1. Open an MS-DOS command prompt.
2. Locate the directory containing the target installer (e.g., c:\...\adobe.exe).
3. Type: filename /? (For example, adobe.exe /?)
4. If parameters are supported for the package, they often appear on-screen (for example, /quiet,
/norestart).
5. Use the parameter definitions identified to update your package definition.

Creating a Managed Installation for Windows Platform
When creating a Managed Installation, you can specify whether you want to interact with the users using
a custom message before or after the installation. You can also indicate whether the package should be
deployed when the user is logged in or not, and limit deployment to a specific label. The following section
provides general steps for creating a managed installation. For specific details on creating a managed
installation for an .MSI, .EXE, or .ZIP file, please refer to the subsequent sections.

To create a managed installation for Windows platform:

1. Click Distribution | Managed Installations.
2. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit
Detail page appears.
3. Select the software from the Select software drop-down list. You can filter the list by entering any
filter options.

You can create a Managed Installation only if it has associated software.

4. Enter the following information:

Also show software without an Associated File
    Select the check box to display any software without an associated executable uploaded. You can
    upload a file to the software record directly from this Managed Installation page.

Upload & Associate New File
    Click Browse and navigate to the location that contains the new executable of any software
    selected or to associate an executable to a software without an associated file.

Installation Command
    Select Default option or Configure Manually option.

    Default
        Run Parameters: Specify the installation behavior as follows:
            The maximum field length is 256 characters. If your path exceeds this limit, on the
            command line, point to a BAT file that contains the path and the command.
            If your Parameters file path includes spaces (for example,
            \\kace_share\demo files\share these files\setup.bat), enclose the complete path in
            quotes (for example, “\\kace_share\demo files\share these files\setup.bat”).

    Configure Manually
        Full Command Line: If desired, specify full command-line parameters. Please refer to the
        MSI Command Line documentation for available runtime options.
        Un-Install using Full Command Line: Select the check box to uninstall software.
        Run Command Only: Select the check box to run the command line only.

Delete Downloaded Files
    Select the check box to delete the package files after installation.

Use Alternate Download
    Select the check box to specify details for alternate download. When you select this check box,
    the following fields appear:
        Alternate Download Location: Enter the location where the KBOX Agent can retrieve digital
        installation files.
        Alternate Checksum: Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the
        remote file share (for security purposes).
        Alternate Download User: Enter a user name that has the necessary privileges to access the
        alternate download location.
        Alternate Download Password: Enter the password for the user name.
    Note: If the target machine is part of a replication label, then the KBOX does not fetch software
    from the alternate download location. For more information on using an alternate location, refer
    to “Distributing Packages through an Alternate Location,” on page 105.
    Here you specify an alternate download location only for a specific managed installation. You can
    also edit an existing label or create a new label that can be used for specifying the alternate
    location globally. But since that label cannot be specific to any managed installation, you
    cannot specify an alternate checksum for matching the checksum on the remote file share. For more
    information on how to create or edit labels, refer to Chapter 3, “Labels,” starting on page 84.

Notes
    Enter additional information in this field, if any.

Managed Actions
    Managed Action allows you to select the most appropriate time for this package to be deployed.
    Available options are:
        Disabled
        Execute anytime (next available)
        Execute before logon (before machine boot)
        Execute after logon (before desktop loads)
        Execute while user logged on
        Execute while user is logged off

5. Specify the deployment details:

Deploy to All Machines
    Select the check box if you want to deploy the software to all machines.

Limit Deployment To Selected Labels
    Select a label to limit deployment only to machines belonging to the selected label. Press CTRL
    to select multiple labels.
    If you have selected a label that has a replication share or an alternate download location, then
    the KBOX copies digital assets from that replication share or alternate download location
    instead of downloading them directly from the KBOX.
    Note: The KBOX always uses a replication share in preference over an alternate location.

Limit Deployment To Listed Machines
    You can limit deployment to one or more machines. Select the machines from the drop-down list to
    add to the list. You can filter the list by entering filter options.

Deploy Order
    Select the order in which software should be installed. The lower deploy order deploys first.

Max Attempts
    Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX
    1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the
    installation forever.

Deployment Window (24H clock)
    Specify the time (using a 24 hr. clock) to deploy the package. The Deployment Window times affect
    any of the Managed Action options. Also, the run intervals defined in the System Console, under
    Organizations | Organizations for this specific organization, override and/or interact with the
    deployment window of a specific package.

6. Set user interaction details:

Allow Snooze
    Select the check box to allow snooze. When you select the check box, the following additional
    fields appear:
        Snooze Message: Enter a snooze message.
        Snooze Timeout: Enter the timeout, in minutes, for which the message is displayed.
        Snooze Timeout Action: Select a timeout action that takes place at the end of the timeout
        period. For example, if the installation is being carried out when there are currently no
        active users accessing their desktops, you can select Install now to install the software
        without any hindrance to the users, or select Install later if the installer needs some user
        interaction.

Custom Pre-Install Message
    Select the check box to display a message to users prior to installation. When you select the
    check box, the following additional fields appear:
        Pre-Install User Message: Enter a pre-install message.
        Pre-Install Message Timeout: Enter a timeout, in minutes, for which the message is displayed.
        Pre-Install Timeout Action: Select a timeout action from the drop-down list; this action
        takes place at the end of the timeout period. Options include Install later or Install now.
        For example, if the installation is being carried out when there are currently no active
        users accessing their desktops, you can select Install now to install the software without
        any hindrance to the users, or select Install later if the installer needs some user
        interaction.

Custom Post-Install Message
    Select the check box to display a message to users after the installation is complete. When you
    select the check box, the following additional fields appear:
        Post-Install User Message: Enter a post install message.
        Post-Install Message Timeout: Enter a timeout, in minutes, for which the message is displayed.

7. Click Save.

Examples of Common Deployments on Windows
Three of the most common package deployments contain .msi, .exe, and .zip files. This section provides
examples for each type of deployment. For each of these examples, you must have already uploaded the
file to the KBOX prior to creating the Managed Installation package. We recommend that you install the
software on a QA machine, wait till the KBOX Agent connects to the KBOX 1000 series appliance and
creates an inventory item for the software, and then create the Managed Installation package.

Standard MSI Example


Using .MSI files is an easy, self-contained way to deploy software on Windows-based machines. If you
have a .MSI that requires no special transformation or customization, the deployment is simple.
MSI files require a /i switch when using other switches with an install.
The KBOX parameter line does not require the file name or msiexec syntax. The only required inputs are
the /* inputs:
/qn /I (Correct)
msiexec /I /qn (Incorrect)

If you are using parameters with .MSI files, it is important that all your target machines
have the same version of Windows Installer available from Microsoft, as some switches
may not be active on older versions. The most up-to-date version of Windows Installer
can be distributed to clients via the KBOX. If you are using Windows Installer 3.0 or
later, you can identify the supported parameters by going to Start | Run and typing
msiexec. You should see a pop-up that includes the supported parameters list.

To create a managed installation for a .MSI file:

1. Select Distribution | Managed Installations. The Managed Installations page appears.
2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail
page appears.
3. Select the software from the Select software drop-down list. You can filter the list by entering any
filter options.

You can create a Managed Installation only if it has associated software.

4. Set the following installation details:

Also show software without an Associated File
    Select the check box to display any software without an associated executable uploaded. You can
    upload a file to the software record directly from this Managed Installation page.

Upload & Associate New File
    Click Browse and navigate to the location that contains the new executable of any software
    selected or to associate an executable to a software without an associated file.

Installation Command
    Select Default option or Configure Manually option.

    Default
        Run Parameters: Specify the installation behavior as follows:
            The maximum field length is 256 characters. If your path exceeds this limit, on the
            command line, point to a BAT file that contains the path and the command.
            If your Parameters file path includes spaces (for example,
            \\kace_share\demo files\share these files\setup.bat), enclose the complete path in
            quotes (for example, “\\kace_share\demo files\share these files\setup.bat”).

    Configure Manually
        Full Command Line: If desired, specify full command-line parameters. Please refer to the
        MSI Command Line documentation for available runtime options.
        Un-Install using Full Command Line: Select the check box to uninstall software.
        Run Command Only: Select the check box to run the command line only.

Delete Downloaded Files
    Select this check box to delete the package files after installation.

Use Alternate Download
    Select this check box to specify details for alternate download. When you select this check box,
    the following fields appear:
        Alternate Download Location: Enter the location from where the KBOX Agent can retrieve
        digital installation files.
        Alternate Checksum: Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the
        remote file share (for security purposes).
        Alternate Download User: Enter a user name that has necessary privileges to access the
        Alternate Download Location.
        Alternate Download Password: Enter the password for the user name specified above.
    Note: If the target machine is part of a replication label, then the KBOX does not fetch software
    from the alternate download location. For more information on using an alternate location, refer
    to “Distributing Packages through an Alternate Location,” on page 105.
    Here you specify an alternate download location only for a specific managed installation. You can
    also edit an existing label or create a new label that can be used for specifying the alternate
    location globally. But since that label cannot be specific to any managed installation, you
    cannot specify an alternate checksum for matching the checksum on the remote file share. For more
    information on how to create or edit labels, refer to Chapter 3, “Labels,” starting on page 84.

Notes
    Enter any additional information in this field, if any.

Managed Actions
    Managed Actions allows you to select the most appropriate time for this package to be deployed.
    Available options are:
        Disabled
        Execute anytime (next available)
        Execute before logon (before machine boot)
        Execute after logon (before desktop loads)
        Execute while user logged on
        Execute while user logged off

5. Specify the deployment details:

Deploy to All Machines
    Select the check box if you want to deploy the software to all the Machines.

Limit Deployment To Selected Labels
    Select a label to limit deployment only to machines belonging to the selected label. Press CTRL
    and click labels to select multiple labels.
    If you have selected a label that has a replication share or an alternate download location, then
    the KBOX copies digital assets from that replication share or alternate download location
    instead of downloading them directly from the KBOX.
    Note: The KBOX always uses a replication share in preference to an alternate location.

Limit Deployment To Listed Machines
    You can limit deployment to one or more machines. Select the machines from the drop-down list to
    add to the list. You can filter the list by entering filter options.

Deploy Order
    Select the order in which software should be installed. The lower deploy order deploys first.

Max Attempts
    Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX
    1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the
    installation forever.

Deployment Window (24H clock)
    Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any
    of the Managed Action options. Also, the run intervals defined in the System Console, under
    Organizations | Organizations for this specific organization, override and/or interact with the
    deployment window of a specific package.

6. Set user interaction details:

Allow Snooze
    Select this check box to allow snooze. When you select this check box, the following additional
    fields appear:
        Snooze Message: Enter a snooze message.
        Snooze Timeout: Specify a timeout, in minutes, for which the message is displayed.
        Snooze Timeout Action: Select a timeout action that takes place at the end of the timeout
        period. For example, you might select Install now because you are installing at a time when
        you know that the users are away from their desktops. You might select Install later because
        the installer needs some user interaction and it would not work if the users were not at
        their desktops.

Custom Pre-Install Message
    Select this check box to display a message to users prior to installation. When you select this
    check box, additional fields appear:
        Pre-Install User Message: Enter a pre-install message.
        Pre-Install Message Timeout: Enter a timeout in minutes for which the message is displayed.
        Pre-Install Timeout Action: Select a timeout action that takes place at the end of the
        timeout period. For example, you might select Install now because you are installing at a
        time when you know that the users are away from their desktops. You might select Install
        later because the installer needs some user interaction and it would not work if the users
        were not at their desktops.

Custom Post-Install Message
    Select the check box to display a message to users after the installation is complete. When you
    select the check box, the following additional fields appear:
        Post-Install User Message: Enter a post install message.
        Post-Install Message Timeout: Enter a timeout, in minutes, for which the message is displayed.

7. Click Save.

Standard EXE Example
The standard EXE example is identical to the MSI example above with one exception: /I is not required in
the “run parameters” line when using a .exe.
When using an EXE it is often helpful to identify switch parameters for a quiet or silent installation. To do
this, specify /? in the run parameters field.

Standard ZIP Example


Deploying software using a .zip file is a convenient way to package software when more than one file is
required to deploy a particular software title (for example, setup.exe plus required configuration and data
files). For example, if you have a CD-ROM containing a group of files required to install a particular
application, you can package them together in a .zip file, and upload them to the KBOX for deployment.

The KBOX Agent automatically runs deployment packages with .MSI and .EXE
extensions. However, the KBOX also provides a capability for administrators to Zip many
files together and direct the KBOX to unpack the Zip and run a specific file within. If you
intend to deploy a .ZIP file, you must place the name of the file within the .zip that you
would like to run in the Command (Executable) field within the Deployment Package
(for example, runthis.exe).

To create a managed installation for a .zip file:

1. Browse to the location that contains the necessary installation files.
2. Select all files, and create a .zip file using WinZip or other utility.
3. Create an inventory item for the target deployment.
You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX
Agent machine that regularly connects to the KBOX appliance.
4. Associate the .zip file with the inventory item and upload it to the KBOX.
5. Select Distribution | Managed Installation. The Managed Installations page appears.
6. Select Add New Item in the Choose action drop-down list. The Managed Software Installation : Edit
Detail page appears.
7. Select the software title with which the .zip file is associated from the Select software drop-down list.
8. In the Full Command Line field, please specify the complete command with arguments.
For example,
setup.exe /qn
9. Enter other package details as described in the Creating a Managed Installation procedures.
10. Click Save.
When attempting to deploy a ZIP file created using WinZip maximum compression, the package may fail to
uncompress and you may see an error in the application event viewer or kbxlog.txt with the message:
Unsupported compression mode 9
The KBOX Agent uses a library called SharpZipLib to uncompress zip files.
This library supports Zip files using both stored and deflate compression methods and also supports old
(PKZIP 2.0) style encryption, tar with GNU long filename extensions, gzip, zlib and raw deflate, as well as
BZip2. However, Zip64 and deflate64 are not yet supported.
Compression mode 9 is deflate64, which in WinZip is called "maximum compression".
To resolve the issue, recreate the zip file using WinZip "Normal Compression".
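A pre-upload check for the failure described above, as an added example that is not part of this guide or of the KBOX software: it lists a ZIP package's entries and reports any that use a compression method other than stored or deflate (method 9 is deflate64), any entry that carries a Zip64 field, and a command file that is missing from the archive. The function names and the sample archive are constructed for illustration.

```python
import io
import shlex
import struct
import zipfile

# ZIP compression methods the guide lists as handled by the agent's unzip library.
SUPPORTED_METHODS = {0: "stored", 8: "deflate"}
METHOD_NAMES = {9: "deflate64"}  # WinZip "maximum compression", per the guide
ZIP64_EXTRA_ID = 0x0001          # header ID of the Zip64 extended-information field
# Constructed Zip64 extra field: header ID, data size, then two 8-byte sizes.
SAMPLE_ZIP64_EXTRA = struct.pack("<HHQQ", ZIP64_EXTRA_ID, 16, 5 * 2**30, 4 * 2**30)


def zip64_extra_present(extra):
    """Walk an entry's extra-field records looking for the Zip64 header ID."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        if header_id == ZIP64_EXTRA_ID:
            return True
        pos += 4 + size
    return False


def command_target(command_line):
    """First token of the Full Command Line, normalised to a ZIP entry name."""
    tokens = shlex.split(command_line, posix=False)
    if not tokens:
        return ""
    target = tokens[0].strip('"').replace("\\", "/")
    return target[2:] if target.startswith("./") else target


def preflight_zip(data, command_line):
    """Return a list of problems found in a ZIP package (empty list = OK)."""
    problems = []
    # Listing reads only the central directory, so entries with a compression
    # method Python itself cannot unpack are still reported.
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        entries = archive.infolist()
    for entry in entries:
        method = entry.compress_type
        if method not in SUPPORTED_METHODS:
            problems.append("%s: compression method %d (%s) is not supported"
                            % (entry.filename, method, METHOD_NAMES.get(method, "unknown")))
        if zip64_extra_present(entry.extra):
            problems.append("%s: entry carries a Zip64 field" % entry.filename)
    # The file named in the command must exist inside the archive.
    target = command_target(command_line).lower()
    if target not in {entry.filename.lower() for entry in entries}:
        problems.append("command file %r is not in the archive" % target)
    return problems


def build_sample_zip(force_method=None):
    """Constructed two-file package; force_method rewrites the method field in headers."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("setup.exe", b"constructed placeholder, not a real installer")
        archive.writestr("data/config.ini", b"[install]\nsilent=1\n")
    raw = bytearray(buffer.getvalue())
    if force_method is not None:
        # Method is a 2-byte field at offset 8 of a local header and 10 of a central one.
        for signature, offset in ((b"PK\x03\x04", 8), (b"PK\x01\x02", 10)):
            pos = raw.find(signature)
            while pos != -1:
                struct.pack_into("<H", raw, pos + offset, force_method)
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for finding in preflight_zip(build_sample_zip(force_method=9), "setup.exe /qn"):
        print(finding)
```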

Examples of Common Deployments on Linux
The supported package deployments are .rpm, .zip, .bin, .tgz, and tar.gz files. This section provides
examples for each type of deployment. For each of these examples, you must have already uploaded the
file to the KBOX prior to creating the Managed Installation package. We recommend installing the software
on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000
series appliance and create an inventory item for the software, and then creating the Managed Installation
package.

Standard RPM Example


You can deploy software on Linux-based machines using .rpm files.

To create a managed installation for a .rpm file:

1. Select Distribution | Managed Installations. The Managed Installations page appears.
2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail
page appears.
3. Select the software from the Select software drop-down list. You can filter the list by entering any
filter options.
4. By default the KBOX Agent attempts to install the .rpm file via the following command. In general, this
should be sufficient to install a new package or update an existing one to a new version:
rpm -U packagename.rpm
5. If you have selected a zip/tgz/tar.gz file, then the content is unpacked and the root directory searched
for all .rpm files. The installation command is run against each of these files. The KBOX finds all rpm
files at the top level of an archive automatically, so you can install more than one package at a time.
You can also create an archive containing a shell script and then specify that script name as the full
command. The KBOX runs that command if it is found and logs an error if it is not.
If you want to change the default parameters, you have to specify the Full Command Line. You may
specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if
it contains spaces. The files are extracted into a directory in "/tmp" and it becomes the current working
directory of the command.

On Red Hat Linux, you do not need to include any other files in your archive other than
your script if that is all you wish to execute.

If the PATH environment variable of your root account does not include the current working directory
and you wish to execute a shell script or other executable that you have included inside an archive,
specify the relative path to the executable in the Full Command Line field. The command is executed
inside a directory alongside the files which have been extracted. For example, if you want to run a file
called "installThis.sh", you would package it up alongside a .rpm file and then put the command
"./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the
Full Command Line field should be "./foo/installThis.sh".
Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If
you're using another scripting language, you may need to specify the full path to the command
processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate
arguments for an unattended, batch script.
If you select the uninstall check box in the MI detail, the KBOX Agent runs the command
//usr/sbin/rpm -e packagename.rpm on either your standalone rpm file or each rpm file it finds in the
archive, removing the package(s) automatically. The uninstallation in this way is performed only if the
archive or package is downloaded to the client. If you select the check box for "Run Command Only",
you should specify a Full Command Line to ensure the correct removal command is run on the correct
package. Since no package is downloaded in this case, you should specify the path in the installation
database where the package receipt is stored.
6. If your package requires additional options, you can enter the following installation details:

Run Parameters
    You do not need to specify any parameters if you have a .rpm file. If no Run Parameters are
    filled in, -U is used by default. Setting a value here overrides the default “-U” option. For
    instance, if you set Run Parameters to “-ivh --replacepkgs”, then the command that would run on
    the computer would be:
    rpm -ivh --replacepkgs package.rpm

Full Command Line
    You do not need to specify a full command line if you have a .rpm file. The server executes the
    installation command by itself. The Linux client tries to install this via:
    rpm [-U | Run Parameters] "packagename.tgz"
    If you do not want to use the default command at all, you can replace it completely by
    specifying the complete command line here. Remember that if you have specified an archive file,
    this command is run against all of the .rpm files it can find.

Un-Install using Full Command Line
    Select this check box to uninstall software. If the Full Command Line above is filled in, it is
    run. Otherwise, by default the agent attempts the command, which is generally expected to remove
    the package.

Run Command Only
    Select this check box to run the command line only. This does not download the actual digital
    asset.

Notes
    Enter additional information in this field, if any.

Managed Action
    Managed Action allows you to select the most appropriate time for this package to be deployed.
    Execute anytime (next available) and Disabled are the only options available for Linux platform.

7. Specify the deployment details:

Deploy to All Machines
    Select the check box if you want to deploy to all the machines.

Limit Deployment To Selected Labels
    Select a label to limit deployment only to machines belonging to the selected label. Press CTRL
    to select multiple labels.
    If you have selected a label that has a replication share or an alternate download location, then
    the KBOX copies digital assets from that replication share or alternate download location
    instead of downloading them directly from the KBOX.
    Note: The KBOX always uses a replication share in preference over an alternate location.

Limit Deployment To Listed Machines
    You can limit deployment to one or more machines. Select the machines from the drop-down list to
    add to the list. You can filter the list by entering filter options.

Deploy Order
    The order in which software should be installed. The lower deploy order deploys first.

Max Attempts
    Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX
    1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the
    installation forever.

Deployment Window (24H clock)
    Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any
    of the Managed Action options. Also, the run intervals defined in the System Console, under
    Organizations | Organizations for this specific organization, override and/or interact with the
    deployment window of a specific package.

8. Set user interaction details:

Allow Snooze: This option is not available for Linux platform.
Custom Pre-Install Message: This option is not available for Linux platform.
Custom Post-Install Message: This option is not available for Linux platform.
Delete Downloaded Files: Select this check box to delete the package files after installation.

Use Alternate Download: Select this check box to specify details for alternate download. When
you select this check box, the following fields appear:
  Alternate Download Location: Enter the location from where
  the KBOX Agent can retrieve digital installation files.
  Alternate Checksum: Enter an Alternate Checksum (MD5) that
  matches the MD5 checksum on the remote file share (for security
  purposes).
  Alternate Download User: Enter a user name that has the
  necessary privileges to access the Alternate Download Location.
  Alternate Download Password: Enter the password for the
  user name specified above.
Note: If the target machine is part of a replication label, then the
KBOX does not fetch software from the alternate download location.
For more information on using an alternate location, refer to “Distributing
Packages through an Alternate Location,” on page 105.
Here you specify an alternate download location only for a specific
managed installation. You can also edit an existing label or create a
new label that can be used for specifying the alternate location globally.
But since that label cannot be specific to any managed
installation, you cannot specify an alternate checksum for matching the
checksum on the remote file share. For more information on how to
create or edit labels, refer to Chapter 3, “Labels,” starting on page 84.

9. Click Save.

Standard TAR.GZ Example
Deploying software using a tar.gz file is a convenient way to package software when more than one file is
required to deploy a particular software title (for example, packagename.rpm plus required configuration
and data files). For example, if you have a CD-ROM containing a group of files required to install a
particular application, you can package them together in a tar.gz file, and upload them to the KBOX for
deployment.

To create a managed installation for a tar.gz file:

1. Use the following two commands to create a tar.gz file:

tar -cvf filename.tar packagename.rpm
gzip filename.tar

This creates filename.tar.gz.
2. Create an inventory item for the target deployment.
You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX
Agent machine that regularly connects to the KBOX 1000 Series appliance.
3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series.
4. Select Distribution | Managed Installation. The Managed Installations page appears.
5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit
Detail page appears.
6. Select the software title with which the tar.gz file is associated from the Select software drop-down
list.
7. This file is uncompressed and searched for all .rpm files. The installation command is run against each
of them.
8. If no Run Parameters are filled in, -U is used by default.
9. You do not need to specify a full command line. The server executes the installation command by itself.
The Linux client tries to install this via:
rpm [-U | Run Parameters] "packagename.tgz"
10. Enter other package details as described in the Creating a Managed Installation procedures for .rpm
file above.
11. Click Save.

The KBOX Agent automatically runs deployment packages with .rpm extensions. However, KBOX 1000
Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000
Series to unpack the Zip and run a specific file within.

Examples of Common Deployments on Solaris™
The supported package deployments are .pkg, pkg.gz, .zip, .bin and tar.gz. This section provides examples
for each type of deployment. For each of these examples, you must have already uploaded the file to the
KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA
machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series
appliance and create an inventory item for the software, and then creating the Managed Installation
package.

To create a managed installation for a .pkg file:

1. Select Distribution | Managed Installations. The Managed Installations page appears.


2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail
page appears.
3. Select the software from the Select software drop-down list. You can filter the list by entering any
filter options.
4. By default the KBOX Agent attempts to install the .pkg file via the following command. Generally, this
should be sufficient to install a new package or update an existing one to a new version:
pkgadd -n -d "packagename.pkg" [Run Parameters]
5. If you have selected a zip/pkg.gz/tar.gz file, then the contents are unpacked and the root directory
searched for all .pkg files. The installation command is run against each of them. The KBOX finds all
pkg files at the top level of an archive automatically, so you can install more than one package at a
time. You can also create an archive containing a shell script and then specify that script name as the
full command. The KBOX runs that command if it is found and logs an error if it is not.
If you want to change the default parameters, you have to specify the Full Command Line. You may
specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if
it contains spaces. The files are extracted into a directory in "/tmp" and that becomes the current
working directory of the command.

You can put a zero-byte .pkg file in your archive if all you want to do is execute a shell
command or some other executable.

Ensure that you specify the relative path to the executable in the Full Command Line field, if you wish
to execute a shell script or other executable that you have included inside an archive. The command is
executed inside a directory alongside the files which have been extracted. For example, if you want to
run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the
command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory,
like "foo", the Full Command Line field should be "./foo/installThis.sh".
Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you
are using another scripting language, you may need to specify the full path to the command processor
you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments
for an unattended, batch script.

If you select the uninstall check box in the MI detail, the KBOX Agent runs the command:
/usr/sbin/pkgrm -n packagename.pkg on either your standalone rpm file or each rpm file it finds in the
archive, removing the package(s) automatically. An uninstallation in this way can be performed only if
the archive or package is downloaded to the Agent. If you select the check box for "Run Command
Only", you should specify a full command line to ensure the correct removal command is run on the
correct package. Since no package is downloaded in this case, you should specify the path in the
installation database where the package receipt is stored.
6. If your package requires additional options, you can enter the following installation details:

Run Parameters: You do not need to specify any parameters if you have a .pkg file. If no Run
Parameters are filled in, all are used by default to install all packages in the
.pkg file. Setting a value here overrides the default option.
Full Command Line: You do not need to specify a full command line if you have a .pkg file. The
server executes the installation command by itself. The Solaris client tries
to install this via:
pkgadd -n -d "packagename.pkg" [Run Parameters]
If you do not want to use the default command at all, you can replace it
completely by specifying the complete command line here. Remember that
if you have specified an archive file, this command runs against all the .pkg
files it can find.
Un-Install using Full Command Line: Select the check box to uninstall software. If the Full Command Line above
is filled in, it is run. Otherwise, by default the agent attempts the command,
which is generally expected to remove the package.
Run Command Only: Select the check box to run the command line only. This does not download
the actual digital asset.
Notes: Enter additional information in this field, if any.
Managed Action: Managed Action allows you to select the most appropriate time for this
package to be deployed. Execute anytime (next available) and
Disabled are the only options available for Solaris platform.

7. Specify the deployment details:

Deploy to All Machines: Select the check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels: Select a label to limit deployment only to machines belonging to the
selected label. Press CTRL to select multiple labels.
If you have selected a label that has a replication share or an alternate
download location, then the KBOX copies digital assets from that
replication share or alternate download location instead of downloading
them directly from the KBOX.
Note: The KBOX always uses a replication share in preference over an
alternate location.
Limit Deployment To Listed Machines: You can limit deployment to one or more machines. Select the
machines from the drop-down list to add to the list. You can filter the
list by entering filter options.
Deploy Order: The order in which software should be installed. The lower deploy
order deploys first.

Max Attempts: Enter the maximum number of attempts, between 0 and 99, to
indicate the number of times the KBOX 1000 Series appliance tries to
install the package. If you specify 0, the KBOX enforces the installation forever.
Deployment Window (24H clock): Enter the time (using a 24 hr. clock) to deploy the package.
Deployment Window times affect any of the Managed Action options. Also,
the run intervals defined in the System Console, under Organizations
| Organizations for this specific organization, override and/or interact
with the deployment window of a specific package.

8. Set user interaction details:

Allow Snooze: This option is not available for Solaris platform.
Custom Pre-Install Message: This option is not available for Solaris platform.
Custom Post-Install Message: This option is not available for Solaris platform.
Delete Downloaded Files: Select this check box to delete the package files after installation.
Use Alternate Download: Select the check box to specify details for alternate download. When
you select the check box, the following fields appear:
  Alternate Download Location: Enter the location from where
  the KBOX Agent can retrieve digital installation files.
  Alternate Checksum: Enter an Alternate Checksum (MD5) that
  matches the MD5 checksum on the remote file share (for security
  purposes).
  Alternate Download User: Enter a user name that has the
  necessary privileges to access the Alternate Download Location.
  Alternate Download Password: Enter the password for the
  user name specified above.
Note: If the target machine is part of a replication label, then the
KBOX does not fetch software from the alternate download location.
For more information on using an alternate location, refer to “Distributing
Packages through an Alternate Location,” on page 105.
Here you specify an alternate download location only for a specific
managed installation. You can also edit an existing label or create a
new label that can be used for specifying the alternate location
globally. But since that label cannot be specific to any managed
installation, you cannot specify an alternate checksum for matching the
checksum on the remote file share. For more information on how to
create or edit labels, refer to Chapter 3, “Labels,” starting on page 84.

9. Click Save.

Standard TAR.GZ Example
Deploying software using a tar.gz file is a convenient way to package software when more than one file is
required to deploy a particular software title (for example, packagename.pkg plus required configuration
and data files). For example, if you have a CD-ROM containing a group of files required to install a
particular application, you can package them together in a tar.gz file, and upload them to the KBOX for
deployment.

To create a managed installation for a tar.gz file:

1. Use the following two commands to create a tar.gz file:

tar -cvf filename.tar packagename.pkg
gzip filename.tar

This creates filename.tar.gz.
2. Create an inventory item for the target deployment.
You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX
Agent machine that regularly connects to the KBOX 1000 Series appliance.
3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series.
4. Select Distribution | Managed Installation. The Managed Installations page appears.
5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit
Detail page appears.
6. Select the software title with which the tar.gz file is associated from the Select software drop-down
list.
7. This file is uncompressed and searched for .pkg files. The installation command is run against each of
them.
8. If no Run Parameters are filled in, all are used by default to install all packages in the .pkg file.
9. You do not need to specify a full command line. The server executes the installation command by itself.
The Solaris client tries to install this via:
pkgadd -n -d "packagename.pkg" [Run Parameters]
If extension is tar.gz:
tar xzpf "packagename"
If extension is .zip:
unzip "packagename.zip"
If extension is .gz:
gunzip "packagename.gz"
10. Enter other package details as described in the Creating a Managed Installation procedures for .pkg
file above.
11. Click Save.
The KBOX Agent automatically runs deployment packages with .pkg extensions. However, the KBOX 1000
Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000
Series to unpack the Zip and run a specific file within.
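
The archive rules described above can be checked before an archive is uploaded: packages are picked up from the top level of the archive, a script named in the Full Command Line is resolved relative to the extraction directory under /tmp, and the Alternate Checksum field expects an MD5. The following is an added example, not code from KACE or the KBOX; the function names and the sample archive contents are constructed for illustration.

```python
import fnmatch
import hashlib
import io
import posixpath
import shlex
import tarfile
import tempfile
from pathlib import Path

PACKAGE_EXTS = (".rpm", ".pkg")


def file_md5(path, chunk=1 << 20):
    """MD5 hex digest of a file, i.e. the value for the Alternate Checksum field."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def preflight(archive_path, full_command_line=None):
    """Inspect a tar.gz without extracting it and report what the guide's rules imply."""
    report = {
        "top_level_packages": [],  # found by the top-level package search
        "nested_packages": [],     # in subdirectories, so not found by that search
        "unsafe_members": [],      # would land outside the extraction directory
        "script": None,            # relative script named in the Full Command Line
        "script_found": None,
        "md5": file_md5(archive_path),
    }
    regular_files = set()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            escapes = member.name.startswith("/") or ".." in parts
            # Links and device nodes are flagged too: the agent unpacks as root.
            if escapes or not (member.isfile() or member.isdir()):
                report["unsafe_members"].append(member.name)
                continue
            if not member.isfile():
                continue
            name = posixpath.normpath(member.name)  # "./a.pkg" -> "a.pkg"
            regular_files.add(name)
            if name.lower().endswith(PACKAGE_EXTS):
                key = "nested_packages" if "/" in name else "top_level_packages"
                report[key].append(name)
    if full_command_line:
        # "/bin/sh ./foo/installThis.sh" -> the "./foo/installThis.sh" token
        relative = [t for t in shlex.split(full_command_line) if t.startswith("./")]
        if relative:
            script = posixpath.normpath(relative[0])
            report["script"] = script
            # fnmatch lets a wildcard in the command line match archive members
            report["script_found"] = any(
                fnmatch.fnmatchcase(name, script) for name in regular_files
            )
    return report


def build_sample_archive(path):
    """Write a constructed tar.gz with dummy contents (not real packages)."""
    members = {
        "packagename.pkg": b"",  # zero-byte .pkg, as the guide allows
        "foo/installThis.sh": b"#!/bin/sh\nexit 0\n",
        "foo/extra.pkg": b"dummy",
        "../escape.sh": b"dummy",  # deliberately unsafe member name
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith(".sh") else 0o644
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Run the check against the constructed archive and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / "filename.tar.gz"
        build_sample_archive(archive)
        return preflight(archive, "/bin/sh ./foo/installThis.sh")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The MD5 value confirms that the copy on the file share is the file you staged. MD5 is not collision-resistant, so write access to the share should stay restricted to administrators.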

Examples of Common Deployments on Macintosh®
For information on common deployments on Macintosh®, refer to Appendix A, “Macintosh®
Users,” starting on page 322.

File Synchronizations
File synchronizations enable you to distribute software files to the computers on your network. These can
be any type of file, such as PDF, ZIP files, or EXE files, which are simply downloaded to the user’s machine,
but not installed.

Creating a file synchronization


Using file synchronizations, you can push out any type of file to the computers on your network. You can
choose to install the files from the KBOX 1000 Series, or you can specify an alternate location from where
users download the file. The string KACE_ALT_Download in the Alternate Download Location field is
replaced with the value assigned by the corresponding LABEL. You should not have a machine in more
than one LABEL with an Alternate Download Location specified.

To create a file synchronization:

1. Select Distribution | File Synchronization. The File Synchronizations page appears.


2. Select Add New Item in the Choose action drop-down list. The File Synchronization: Edit Detail
page appears.
3. Select the software title to install in the Software Title to Install drop-down list.
4. Set or modify the following installation details:

Notes: Enter any information related to the software title selected.
Location (full directory path): Enter the location on the user's machine where you want to upload
this file.
Location User: If the Location specified above is a shared location, enter the User
login name.
Location Password: If the Location specified above is a shared location, enter the login
password.
Enabled: Select the check box to download the file the next time the KBOX
Agent checks into the KBOX appliance.
Create Location (if doesn’t exists): Create the installation location if it has not already been created.
Replace existing files: Select the check box to overwrite existing files of the same name on
the target machines.
Do Not Uncompress Distribution: Select the check box if you are distributing a compressed file and do
not want the file uncompressed.

Persistent: Select the check box if you want the KBOX to confirm every time that
this package does not already exist on the target machine before
attempting to deploy it.
Create shortcut (to location): Select the check box if you want to create a desktop shortcut to the
file location.
Shortcut name: Enter a display name for the shortcut.
Delete Temp Files: Select the check box to delete temporary installation files.

5. Specify the deployment details:

Limit Deployment to: Enter a label for the package. The file is distributed to the users
assigned to the label, such as operating system affected by the
synchronization.

6. Set user interaction details:

Pre-Install User Message: Select this check box to display a message to users prior to installation.
When you select this check box, additional fields appear:
  Pre-Install User Message: Enter a pre-install message.
  Pre-Install Message Timeout: Enter a timeout in minutes for
  which the message is displayed.
  Pre-Install Timeout Action: Select a timeout action that
  takes place at the end of the timeout period. For example, if the
  installation is being carried out when there are currently no active
  users accessing their desktop. You can select Install now to
  install the software without any hindrance to the users or select
  Install later if the installer needs some user interaction.
Post-Install User Message: Select the check box to display a message to users after the installation
completes. When you select this check box, message field and
timeout options appear. Enter a message and a timeout value in minutes.
Deployment Window: Enter the time (using a 24 hr. clock) to deploy the package.
Deployment Window times affect any of the Managed Action options. Also,
the run intervals defined in the System Console, under Organizations
| Organizations for this specific organization, override and/or
interact with the deployment window of a specific package.

Use Alternate Download: Select this check box to specify details for alternate download. When
you select this check box, the following fields appear:
  Alternate Download Location: Enter the location from where
  the KBOX Agent can retrieve digital installation files.
  Alternate Checksum: Enter an Alternate Checksum (MD5)
  that matches the MD5 checksum on the remote file share (for
  security purposes).
  Alternate Download User: Enter a user name that has the
  necessary privileges to access the Alternate Download Location.
  Alternate Download Password: Enter the password for the
  user name specified above.
Note: If the target machine is part of a replication label, then the
KBOX does not fetch software from the alternate download location.
For more information on using an alternate location, refer to “Distributing
Packages through an Alternate Location,” on page 105.
Here you specify an alternate download location only for a specific
managed installation. You can also edit an existing label or create a
new label that can be used for specifying the alternate location globally.
But since that label cannot be specific to any
managed installation, you cannot specify an alternate checksum for
matching the checksum on the remote file share. For more information
on how to create or edit labels, refer to “Labels,” on page 84.

7. Click Save.

To distribute files previously deployed after the deployment window has closed, click
the Resend Files button.

Replication
Replication Share allows a KBOX Agent to replicate software installers, patches, client upgrades, and script
dependencies to a shared folder. This allows the KBOX Agent machines to download software installers,
patches, client upgrades, and script dependencies from the shared folder and not directly from the KBOX.
A replication share is used where it is undesirable to have the KBOX Agent machines downloading
installation files directly from the KBOX over WAN, due to bandwidth or other concerns. In creating a
replication share, you need to identify one machine at each remote location which acts as a "Replication
Machine". The server copies all the replication items such as software installers, patches, client upgrades,
script dependencies to the replication machine at the specified destination path.
From the Replication tab, users can:
Add or delete replication shares
Enable or disable replication shares
Start or restart a halted replication task
Halt a running replication task
Perform a share inventory for the replication share

The priority for copying replication items is as follows:


1. Script dependencies
2. Softwares
3. Client Upgrades
4. Patches

Creating a Replication Share


Replication shares can only be created on one of the machines listed in the KBOX Inventory |
Computers tab. If you want to create a share on a machine not listed there, you need to create an
inventory record for the machine before you continue to create a replication share. For more information,
see Chapter 3, “Inventory,” starting on page 54.

The Replication Machine needs to have write permissions of the destination path to
write the software files.
A Replication Share can only be created on machines having the KBOX Agent
version 4.3 or higher.

To create a replication share:

1. Select Distribution | Replication. The Replication Shares page appears.


2. Select Add New Item in the Choose Action drop-down list. The Replication Share: Edit Detail page
appears.
3. Select the Replication Enabled check box.
4. Select the machine in the Replication Machine drop-down list. The replication share is created on
this machine. The replication share can be created by two methods:
Locally

Shared network drive
5. Specify the replication share destination details:

Destination Path: Enter the destination path to copy all the replication items from the
KBOX. All the replication items are first listed in the replication queue
and then copied one at a time to the destination path. Any new replication
item is first listed in the replication queue and then copied after a
default interval of 10 minutes.
Destination Path User: Enter the login name for the share. The login account should have
write access of the destination path.
Destination Path Password: Enter the password for the share.

6. Select a label for the replication share.


Select a label from the Label drop-down list. You need to verify that the selected label does not have
ALT_KACE_LOCATION specified. The replication share gets a preference over the
ALT_KACE_LOCATION while downloading files to the client machine.
7. Specify the replication share download details:

Download Path: Enter the download path for machines in the replication label to copy
the replication items from this path instead of downloading them
directly from the KBOX.
For example, a UNC path,
\\fileservername\directory\kbox\
The client machine needs read permission to copy the replication items
from this shared folder.
Download Path User: Enter the login name for accessing the download path.
Download Path Password: Enter the password for accessing the download path.

8. Specify the following:

Limit Patch O/S Files: This field displays the patches for the platforms subscribed in patch
subscription settings page. Refer to Chapter 9, “Subscription
Settings,” starting on page 169 for more details.
Limit Patch Language Files: This field displays the OS languages subscribed in patch subscription
settings page. Refer to Chapter 9, “Subscription Settings,” starting on
page 169 for more details.
Replicate App Patches: Select this checkbox to replicate the App patches to the replication
share.
Maintain 4.2 Replication Share: Select this checkbox to replicate softwares and patches to repl1 folder
path which is used by 4.2 clients.
For example,
\\machinename\foldername\repl1\replicationitems folder
Hi Bandwidth: Enter the value to specify the maximum bandwidth to be used for
replication. If this field is left blank, the bandwidth used is equal to the
maximum bandwidth available for replication.

Lo Bandwidth: Enter the value to specify the restricted bandwidth to be used for
replication. If this field is left blank, the bandwidth used is equal to the
maximum bandwidth available for replication.
Replication Schedule: You can specify the Replication Schedule by specifying the colors
displayed in Replication Share page for different days and time slots.
The color scheme that you can specify are:
  White - Replication Off
  Light Blue - Replication ON with Low Bandwidth
  Blue - Replication ON with High Bandwidth
Copy Schedule From: Select any existing Replication Schedule from the drop-down list to
replicate the items as per the selected schedule.

9. Enter comments in the Notes field as necessary.


10. Click Save.

Maintain 4.2 Replication Share checkbox is displayed only when Enable
Enhanced Content (EC) checkbox is not selected at KBOX Settings | Server
Maintenance page. Refer to Chapter 16, “Patch Definitions,” starting on page 299 for
more details.

Figure 6-2: Replication Schedule

Viewing Replication Share Details


After creating a replication share and clicking Save, the Replication Shares page opens. The Replication
Shares page displays the list of Replication Shares.

To view a replication share details:

1. Select Distribution | Replication. The Replication Shares page appears.


2. Click a replication share. The Replication Share: Edit Detail page appears.
3. At the bottom of the Replication Share: Edit Detail page, you can also view the following:

Replication Queue: Click Replication Queue to see a list of replication items that are going to be
copied.
Share Inventory: Click Show Share Inventory to see a list of replication items that have been
copied.
Delete Queue: Click Show Delete Queue to see a list of replication items that are marked for
deletion.

Replication enhancements in the KBOX version 4.3


Following is the list of replication enhancements in the KBOX version 4.3:
Bandwidth optimization - You can limit the bandwidth to be used for replication by specifying the
minimum and maximum bandwidth value, while creating a replication share. Refer to “Creating a
Replication Share,” on page 127 for more details.
Destination Path - You can specify either the local machine path or any network path accessible
from the replication machine while creating the replication share.
Schedule Replication - You can create a schedule for replication to optimally use the bandwidth.
This feature helps in conserving the bandwidth at peak hours by halting the replication if needed.
Refer to “Creating a Replication Share,” on page 127 for more details.
Obsolete file deletion - If any replication item is deleted from the KBOX Server, it is automatically
marked for deletion in the delete queue. Any such obsolete file, if available on replication share, gets
automatically deleted from the replication share in the replication task cycle.
Limiting file patching - You can limit the patches to be replicated by selecting the appropriate
platforms. Only patches of selected platforms get replicated. You can also limit the patches to be
replicated by selecting the type of operating system language. Only the patches of selected
operating system type get replicated.
Upgrading client bin - The KBOX Server supports replication of upgrade .bin files.
Replication queue - You can view the files getting replicated with their status in the Replication
queue. To view the replication queue, click on Show Replication Queue link in Replication Share:
Edit Detail page.
Sneaker net share - You can create a new folder, and copy the contents of an existing replication
folder to it. You can then specify this folder as the new replication folder in the KBOX. The KBOX
checks if the new folder has all the replication items present and replicates only the new ones. This
results in conserving the bandwidth by not copying the files twice. You can manually copy the
contents of replication folder to a new folder. The replication folder created in a machine follows
following hierarchy:
\\machinename\foldername\repl2\replicationitems folder
The machine name and folder name is user defined while repl2 is automatically created by the KBOX
Server. The replication items folder includes the folder for patches, kbots, upgrade files, and
softwares.
Restarting file transfer - Replication process automatically restarts if it stops midway due to a
network failure or due to a replication schedule. In this case, the replication process continues
replicating the file from the point at which it stopped.

The replication functionality of the KBOX Server version 4.3 also supports the KBOX
Agent version 4.0 and higher.

iPhone
The iPhone configuration profiles allow an Enterprise to set up e-mail and secure access with VPNs,
certificates and wireless settings for user’s iPhones. The iPhones are then used to access the KBOX user
portal to download their configuration profiles and for general KBOX user portal access. The self-service
user portal allows users to access a flexible knowledge base, see hardware and software inventory
information, install IT controlled software packages, and access support tickets.
This guide assumes familiarity with Apple iPhone products for the enterprise including:
iPhone and iPod Touch running iPhone software 2.0 or later
iPhone Configuration Utility 1.0 - the Apple provided tool for initial creation of the configuration
profiles to be provisioned on user’s iPhones
General Information on the KBOX Appliances features and requirements are available at:
http://www.kace.com/products/systems-management-appliance/computer-management-
software-alternative/index.php
For additional documentation, click Help | Administrator Guide on the KBOX web console.
From the iPhone tab, users can:
Add or delete iPhone profiles
Configure Collection Settings

Setting up Administrative Access to iPhone Profile Management

Setting up the administrative access to iPhone Profile management enables the ability to create and
manage the iPhone profiles by admin users only.

To set up administrative access to iPhone Profile Management:

1. Select Help Desk | Roles. The User Roles page appears.


2. Choose Add New Item from the Choose action drop-down list. The User Role: Edit Detail page
appears.
3. Enter the Role information as follows:

Record Created - The date and time when the Role was first created. This is a read-only field.
Record Last Modified - The date and time when the Role was last modified. This is a read-only field.
Role Name - Enter a name for the Role. This is a mandatory field.
Description - Enter the Role description.

4. Click the Distribution tab link under the Permissions ADMIN Console area, to expand it. You can
also click the [Expand All] link to view the Distribution tab.
5. Select the Custom option, and choose the write permission for the iPhone tab from the drop-down
list.
6. Click Save.

Creating Configuration Profiles
You can use the Apple provided iPhone Configuration Utility 1.0 tool for initial creation of the configuration
profiles to be provisioned to your users' iPhones.
For more information, refer to http://www.apple.com/support/iphone/enterprise/

Adding an iPhone Profile


The iPhone Profile Management feature fulfills all of the profile management needs through the KBOX.

To create a profile:

1. Select Distribution | iPhone. The iPhone Profiles page appears.


2. Choose Add New Item from the Choose Action drop-down list. The iPhone Profile : Edit Detail page
appears.
3. Create a .mobileconfig file using the separate iPhone Configuration Utility 1.0 from Apple to enable
the profile.
4. Click Browse to select the file you created to import in the Import a .mobileconfig file area.
5. Select the Enabled check box under the Access Control area to allow users to have access after you
create the profile. Access is not activated and no files are accessible until you select the Enabled check
box.
6. Select a label from the Limit Access To User Labels list to limit the access control to specific users,
if required.
7. Specify the following details under the Send Profile by Email area:

To - Enter the recipient’s email address, or choose select user to add from the drop-down
list. You can filter the list by entering any filter options.
Message - Enter a description for this e-mail.

8. Click Save. The iPhone Profiles page appears.
9. The XML details for this profile appear under the .mobileconfig attributes area after you click Save and
create the new profile.
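A profile imported here can carry Wi-Fi, VPN, and mail credentials and may then be sent by e-mail, so it is worth inspecting the .mobileconfig before importing it. The following Python sketch is an added example, not part of the KBOX or any KACE code: it assumes an unsigned XML profile, uses credential key names from Apple's configuration profile format, and runs on a constructed sample; review_profile and SAMPLE are hypothetical names.

```python
"""Added example: review a .mobileconfig before importing it into the KBOX."""
import plistlib
from xml.parsers.expat import ExpatError

# Keys that hold credentials in Apple configuration profile payloads.
# These names come from Apple's profile format, not from the KBOX guide.
SECRET_KEYS = {"Password", "IncomingPassword", "OutgoingPassword",
               "SharedSecret", "AuthPassword"}

# Constructed sample profile (not a real deployment).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadDisplayName</key><string>Example Corp Wi-Fi and VPN</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>EXAMPLE-CORP</string>
      <key>EncryptionType</key><string>WPA</string>
      <key>Password</key><string>constructed-psk</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IPSec</string>
      <key>IPSec</key><dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>SharedSecret</key><data>Y29uc3RydWN0ZWQ=</data>
      </dict>
    </dict>
  </array>
</dict></plist>"""


def _find_secrets(node, path):
    """Yield the path of every non-empty credential key below node."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key in SECRET_KEYS and value not in ("", b"", None):
                yield here
            else:
                yield from _find_secrets(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from _find_secrets(item, f"{path}[{index}]")


def review_profile(data: bytes) -> dict:
    """Summarise a profile: its name, payload types and embedded credentials."""
    try:
        profile = plistlib.loads(data)
    except (ValueError, ExpatError) as exc:
        # Signed or encrypted profiles are not plain plists; unwrap them first.
        raise ValueError("not a readable property list") from exc
    if not isinstance(profile, dict):
        raise ValueError("top-level object is not a dictionary")
    payloads = profile.get("PayloadContent")
    opaque = not isinstance(payloads, list)   # e.g. encrypted payload data
    if opaque:
        payloads = []
    return {
        "name": profile.get("PayloadDisplayName", ""),
        "payload_types": [p.get("PayloadType", "?") for p in payloads
                          if isinstance(p, dict)],
        "embedded_secrets": sorted(_find_secrets(payloads, "PayloadContent")),
        "opaque_content": opaque,
    }


if __name__ == "__main__":
    report = review_profile(SAMPLE)
    print(report["name"], report["payload_types"])
    for path in report["embedded_secrets"]:
        print("embedded credential:", path)
```

A non-empty embedded_secrets list is a reason to prefer the authenticated portal download over the Send Profile by Email option, or to remove the credential from the profile.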

To view or edit profile details:


You can view or edit details of an iPhone profile.
1. Select Distribution | iPhone. The iPhone Profiles page appears.
2. Double-click the listed profile. The iPhone Profile : Edit Detail page appears.
3. Edit the iPhone configuration profile details. You can cut and paste details into another
edit profile page to create additional profiles.
4. Click Save to save your changes. The Profile Edit Log history is displayed at the bottom of the Edit
page. It shows all the changes made to the profile.
5. Click Download to save the .mobileconfig file associated with this profile locally.
6. Click Save to save the changes to this profile. The iPhone Profile page appears.

Configuring Collection Settings
This page configures a script that collects iPhone information from desktop Macintosh® computers. It
records information stored there during the normal backup sync of iPhone devices. When it runs it creates
iPhone Asset records based on the information it finds. Multiple devices synced to a desktop show up as
separate devices.

To configure collection settings:

1. Select Distribution | iPhone. The iPhone Profiles page appears.


2. Choose Configure Collection Settings from the Choose Action drop-down list. The iPhone Asset
Collection Settings & Schedule page appears.
3. Specify the following under the Deployment area:

Enabled - Select this check box to run this script on the target machines. The script will only run
when a user is logged into the machine. You also may wish to adjust the run interval to something
appropriate to your network.
Deploy to All Machines - Select the check box if you want to deploy to all the machines. Click OK in
the confirmation dialog box.
Limit Deployment To Selected Labels - Select a label to limit deployment of this script only to machines
belonging to the selected label. Press COMMAND to select multiple labels.
Limit Deployment To Listed Machines - You can limit deployment of this script to one or more machines.
Select the machines from the drop-down list to add to the list. You can filter the list by entering
filter options.
Supported Operating Systems - Select an operating system on which the script is to be run. If you
selected a label as well, the script only runs on machines with that label if they are also running
the selected operating system.

Note: This script only runs on Mac OS X 10.4 and Mac OS X 10.5. You should adjust your Supported
Operating Systems list to match.

4. Specify the schedule under the Scheduling area:

Don’t Run on a Schedule - The script runs in combination with an event rather than on a specific
date or at a specific time.
Run Every nth minutes/hours - The script runs every n minutes or hours, as specified.
Run Every day/specific day at HH:MM AM/PM - The script runs at the specified time on the specified day.
Run on the nth of every month/specific month at HH:MM AM/PM - Select to run the script at the specified
time on the 1st, 2nd, or any other date of every month or only the selected month.
Custom Schedule - This option allows you to set an arbitrary schedule using standard cron format.
For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means:
On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21,
23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34,
23:35, 23:59. The KBOX doesn’t support the extended cron format.

5. Click Run Now to immediately push this script to target machines.


6. Click Save to save the collection settings.

iPhone Asset
The iPhone asset collection script runs on the Macintosh® machines and generates the iPhone asset.

To view the iPhone asset information:

1. Select Asset | Asset. The Asset page appears.


2. Select iPhone Asset in the View by asset type drop-down list. The iPhone asset created by the
iPhone asset collection script is displayed.
3. Click the iPhone Asset name. The Asset Detail page appears.
4. The following information is displayed:

Name - This is a read-only field that displays the name of the asset.
Device name - This is a read-only field that displays the device name as iPhone.
Phone number - This is a read-only field that displays the iPhone phone number.
Product version - This is a read-only field that displays the product version of the iPhone.
Product type - This is a read-only field that displays the product type as iPhone.
Serial number - This is a read-only field that displays the serial number of the iPhone.
Build version - This is a read-only field that displays the build version of the iPhone.
IMEI - This is a read-only field that displays the International Mobile Equipment Id (IMEI).
ICCID - This is a read-only field that displays the Integrated Circuit Card ID (ICCID).
iTunes Version - This is a read-only field that displays the iTunes version.
Last Backup Date - This is a read-only field that displays the date on which the last backup was taken.
Unique Identifier - This is a read-only field that displays the unique identifier for the iPhone.
Computer - This is a read-only field that displays the computer name on which the iPhone is synced.
Application ids - This is a read-only field that displays the applications running on the iPhone.

Configuring iPhone
You can set up the initial iPhone configuration to work with Exchange ActiveSync or with IMAP for e-mail.
The KBOX is positioned in the DMZ (demilitarized zone, or screened subnet) in order to simplify the initial
iPhone configuration for access to the KBOX user portal.

Figure 6-3: iPhone configuration

The KBOX provides a Web (Safari) URL login page to download profiles as an alternative to e-mailing the
configuration profiles to users.
The page requires user authentication in order to present the appropriate list of profiles for download
based on the user access list defined in “Setting up Administrative Access to iPhone Profile Management,”
on page 131.

Figure 6-4: iPhone accessing various profiles for download

The user is prompted to confirm the download.

Figure 6-5: Load Profile confirmation

A message indicates if the download failed or completed successfully.

Figure 6-6: Download message

Customize the download page
The download page can be customized with the name of the company or organization. The KBOX provides
download logs displaying which iPhones have downloaded which configuration profiles.
Mobile UI into the KBOX
Select the visit user portal option to provide the authenticated user access to the KBOX user portal from
the iPhone. A message appears indicating the status after the download process.

Figure 6-7: Browsing User Portal

Refer to Chapter 11, “Overview of the User Portal,” starting on page 194 for information
on the User Portal.

CHAPTER 7

Wake-on-LAN

The KBOX Wake-on-LAN feature provides the ability to “wake up”
computers equipped with network cards that are Wake-on-LAN
compliant.

“Wake-on-LAN feature Overview,” on page 140


“Issuing a Wake-on-LAN request,” on page 140
“Troubleshooting Wake-on-LAN,” on page 141

Wake-on-LAN feature Overview
The KBOX Wake-on-LAN feature enables you to remotely power on devices on your network, even if those
machines do not have the KBOX Agent installed. Wake-on-LAN can target a label or a specific machine
identified by its MAC address.
Wake-on-LAN is often used to power on machines prior to some IT activity, such as distributing a package
from the KBOX to a subnet, to ensure that the distribution or update reaches as many target machines as
possible. Because many of the updates are performed during off-hours to minimize the impact on your
network, some of the machines targeted for updating might be turned off at the time you are performing
the updates. In such cases, you could issue a Wake-on-LAN call to turn computers on prior to performing
updates, running scripts, or distributing packages.

This feature only supports machines that are equipped with a Wake-On-LAN-enabled
network interface card (NIC) and BIOS.

Using the Wake-on-LAN feature on the KBOX will cause broadcast UDP traffic on your network on port 7.
This traffic should be ignored by most computers on the network. The KBOX sends 16 packets per Wake-
on-LAN request because it must guess the broadcast address that is required to get the "Magic Packet" to
the target computer. This amount of traffic should not have a noticeable impact on the network.

Issuing a Wake-on-LAN request


You can wake multiple devices at once by specifying a label to which those devices belong, or you can
wake computers or network devices individually. If you need to wake devices on a regular basis, for
example to perform monthly maintenance, you could schedule a Wake-on-LAN to go out at a specific time.
If the device you want to wake is not inventoried by the KBOX but you still know the MAC (Hardware)
address and its last-known IP address, you can manually enter the information to wake the device.

To issue a Wake-on-LAN request:

1. Click Distribution | Wake-on-LAN. The Wake-on-LAN page appears.


2. To wake multiple devices, select a label from the Labels drop-down list.
3. To wake computers individually, select them from the Wake a Computer list.
Press CTRL, and then click to select multiple computers. You can filter the list by entering any filter
options.
4. To wake a network device, specify the device’s IP address in the Devices field. You can filter the list by
entering any filter options.
5. Specify the MAC address of the device in the MAC Address field.
6. Specify the IP address of the device in the IP Address field.
7. Click Send Wake-on-LAN.
After sending the Wake-on-LAN request, you will see the results at the top of the page indicating the
number of machines that received the request and to which label, if any, those machines belong.

To schedule a Wake-on-LAN request:

1. Click Distribution | Wake-on-LAN.


2. Click the Schedule a routine Wake-on-LAN event link. The Wake-on-LAN page appears.
3. Select Add New Item in the Choose action drop-down list. The Wake-on-LAN Settings page
appears.
4. In the Labels to Wake-on-LAN box, select the labels to include in the request.
Press CTRL, then click to select multiple labels.
5. In the Limit by Operating Systems box, select the operating systems to include in the request.
6. Select the appropriate radio button to schedule Wake-on-LAN scan, in the Scheduling area:

Don’t Run on a Schedule - Select to run the tests in combination with an event rather than
on a specific date or at a specific time.
Run Every day/specific day at HH:MM AM/PM - Select to run the tests every day or only the selected
day at the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM - Select to run the tests on the 1st, 2nd,
or any other date of every month or only the selected month.

7. Click Save.
On clicking Save, you will see the Wake-on-LAN tab with the scheduled request listed. From this view
you can edit or delete any scheduled requests.

Troubleshooting Wake-on-LAN
In some cases a Wake-on-LAN request fails to wake devices. This is usually caused by one of the
following configuration problems:
The device does not have a WOL-capable network card or is not configured properly.
The KBOX has incorrect information about the subnet to which the device is attached.
UDP traffic is not routed between subnets or is being filtered by a network device.
Broadcast traffic is not routed between subnets or is being filtered by a network device.
Traffic on Port 7 is being filtered by a network device.

For more assistance with troubleshooting Wake-on-LAN,
see http://support.intel.com/support/network/sb/cs-008459.htm.
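When a request fails, it helps to confirm from a host in the target subnet whether the magic packet arrives at all, and to check which broadcast address the last-known IP and subnet imply. The following Python sketch is an added example, not KBOX code: it builds the standard magic packet (six 0xFF bytes followed by the MAC repeated 16 times), recognises one in a received UDP payload on port 7, and computes the directed broadcast address; all function names and sample addresses are hypothetical.

```python
"""Added example: build, recognise and trace Wake-on-LAN magic packets."""
import ipaddress
import re
import socket
import time

WOL_PORT = 7           # UDP port the guide says the KBOX uses
SYNC = b"\xff" * 6     # every magic packet starts with six 0xFF bytes


def parse_mac(mac: str) -> bytes:
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or 001a2b3c4d5e."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_magic_packet(mac: str) -> bytes:
    """Sync stream followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC + parse_mac(mac) * 16


def find_magic_target(payload: bytes):
    """Return the MAC a payload is trying to wake, or None.

    The pattern may sit anywhere in the payload, so scan for it instead of
    assuming offset 0. Truncated or corrupted packets return None.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]
        if len(body) == 96 and body == body[:6] * 16:
            return format_mac(body[:6])
        start = payload.find(SYNC, start + 1)
    return None


def directed_broadcast(last_known_ip: str, prefix_len: int) -> str:
    """Broadcast address of the subnet that contains last_known_ip."""
    net = ipaddress.ip_network(f"{last_known_ip}/{prefix_len}", strict=False)
    return str(net.broadcast_address)


def send_wol(mac: str, broadcast_ip: str, port: int = WOL_PORT) -> int:
    """Send one magic packet; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(build_magic_packet(mac), (broadcast_ip, port))


def wait_for_wol(expected_mac: str, port: int = WOL_PORT, timeout: float = 30.0):
    """Run on a host in the target subnet while a request is issued.

    Returns the sender's IP for the first magic packet addressed to
    expected_mac, or None if none arrives before the timeout. Binding to a
    port below 1024 usually needs administrator rights.
    """
    want = format_mac(parse_mac(expected_mac))
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("", port))
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            s.settimeout(remaining)
            try:
                data, sender = s.recvfrom(2048)
            except socket.timeout:
                return None
            if find_magic_target(data) == want:
                return sender[0]
```

If wait_for_wol returns None on the target subnet while the request is being issued, the packet is being dropped in transit (filtered broadcast, UDP, or port 7 traffic); if it returns an address but the machine stays off, look at the NIC and BIOS settings instead.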

CHAPTER 8

Scripting

The optional Policy and Scripting Module provides a point-and-click
interface for performing tasks that would typically require you to
perform a manual process or advanced programming. This feature
is available for computers that run on the Windows and UNIX
operating systems.

“Scripting Module Overview,” on page 143


“Creating and Editing Scripts,” on page 145
“Using the Run Now function,” on page 154
“Searching Scripting Log Files,” on page 156
“Configuration Policies,” on page 157

Scripting Module Overview
If you have purchased the optional KBOX Policy and Scripting Module, you have a way to easily
and automatically perform a variety of tasks. These tasks can be performed across your network through
customized scripts that run according to your preferences.
You can automate tasks like:
Installing software
Checking antivirus status
Changing registry settings
Configuring browser settings by creating a custom script
Scheduling deployment to the endpoints on your network

Each script consists of metadata, dependencies (wherever necessary), rules (Offline Kscripts and Online
Kscripts), tasks (Offline Kscripts and Online Kscripts), deployment settings, and schedule settings.
Dependencies are the supporting executable files that are necessary for a script to run.
For example, .zip files.
Rules are tasks performed in a specified order on the target machine.
Tasks are the individual steps that are carried out by a script. In each script, you can have any number of
tasks. Whether or not a task is executed is dependent upon the success or failure of the previous task.
There are three types of scripts you can create:
Offline KScripts: These scripts can execute even when the client machine is not connected to the
KBOX server, such as at machine boot up and user login. They execute at the scheduled time
based on the client clock. They are built using a wizard, but execute only on Windows platforms.
Online KScripts: These scripts can execute only when the client machine is connected to the KBOX
server. They execute at the scheduled time based on the server clock. They are built using a wizard, but
execute only on Windows platforms.
Online Shell Scripts: These scripts can execute only when the client machine is connected to the
KBOX server. They execute at the scheduled time based on the server clock. They are built using simple
text-based scripts (bash, perl, batch, etc.) supported by the target operating system. Batch files are
supported on Windows, along with all manner of shell script formats supported by the specific operating
system of the targeted machines.

Using Scripts that are installed with the KBOX
The KBOX installs the following scripts by default:

Script Name - Description

Force Checkin - Runs KBScriptRunner on client to force checkin.
WARNING: Do not run this with more than 50 clients selected as it can
overload the server with requests.
Defragment the C: drive - Example script to defragment the C: drive on the computer.
DOS-DIR - DOS-DIR
Inventory Startup Programs Fix - On some machines, a missing registry entry causes all the contents of the
system32 directory to be reported as the Startup Programs. This script fixes
the registry entry if it is missing.
KBOX Remote Control Disabler - Disables the KBOX Remote Control functionality on Windows XP Professional
by configuring Terminal Services properly.
KBOX Remote Control Enabler - Enables the KBOX Remote Control functionality on Windows XP Professional
by configuring Terminal Services properly.
KBOXClient debug logs Disable - If the client is checking in and a problem occurs with the inventory and
deployment, this script disables the debug switch.
KBOXClient debug logs Enable - If the client is checking in and a problem occurs with the inventory and
deployment, this script enables the client debug and sends the debug back to
the server. This only turns on debug for the inventory and deployment part of
the client. It does not enable debugging of the scheduling service.
Make Removable Drives Read-Only - Removable drives can be mounted only as read-only. This prevents people
from absconding with corporate data, although they may transport data to their PC.
Make Removable Drives Read-Write - Removable drives can be mounted read-write.
Message Window Script Example - This is an example script to illustrate use of message window. Your script
must have properly paired create/destroy message window commands in
order to work properly. Message Windows remain displayed until the user dismisses
the message, until the script finishes executing, or until the timeout is
reached, whichever comes first.
Reset KUID - Deletes the registry keys that identify a machine. You should also delete the
specific machine record from the inventory tab.
Shutdown a Windows system - It specifies timeout in seconds while the message in quotes is displayed to
the user. Omit this script to silently and immediately shut down machines.
USB Drives Disable - Disables complete usage of USB drives.
USB Drives Enable - Enables usage of USB drives.

Table 8-1: Default scripts in the KBOX

Creating and Editing Scripts
There are three ways you can create scripts:
By importing an existing script (in XML format)
By making a copy of an existing script
By creating a new script from scratch
You can perform these actions from the Scripting | Scripts tab.
The process of creating scripts is an iterative one. After creating a script, it is a good idea to deploy the
script to a limited number of machines (you can create a test label to do this). This way you can verify
whether the script is running correctly, before deploying it to all the machines on your network. It is a
good practice to leave a script disabled until you have edited and tested the script and are ready to run the
script.

Adding Scripts
Offline KScripts and Online KScripts are made up of one or more Tasks. Within each Task there are Verify
and Remediation sections where you can further define the script behavior. If a section is left blank, it
defaults to success.
For example, if you leave the Verify section blank, it ends in On Success.

To add an Offline KScript or Online KScript:

1. Select Scripting | Scripts.


2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears.
3. In the Configuration area, enter the requested details:

Script Type - Use this field to select the Offline Kscript or Online Kscript types.
Name - Enter a meaningful name for the script to make it easier to distinguish from
others listed on the Scripts tab.
Description - Enter a brief description of the actions the script performs. Although this
field is optional like the Name field, it helps you to distinguish one script
from another on the Scripts tab.
Status - Use this field to indicate whether the script is in development (Draft) or has
been rolled out to your network (Production). Use the Template status if
you are building a script that is used as the basis for future scripts.
Enabled - Select this check box to run the script on the target machines. Do not
enable a script until you are finished editing and testing it and are ready to
run it. Enable the script on a test label before you enable it on all
machines.
Notes - Enter notes, if any.

4. Specify the deployment options:

Deploy to All Machines - Select this check box if you want to deploy the script to all the machines.
Limit Deployment To Selected Labels - Select a label to limit deployment only to machines grouped by that
label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines - You can limit deployment to one or more machines. From the drop-down
list, select a machine to add to the list. You can add more than one
machine. You can filter the list by entering filter options.
Supported Operating Systems - Select an operating system on which the script is to be run.
If you selected a label as well, the script only runs on machines with that
label if they are also running the selected operating system.
Scheduling - In the Scheduling area, specify when and how often the script is run.
    Don’t Run on a Schedule - The script runs in combination with an event
    rather than on a specific date or at a specific time. Use this option in combination
    with one or more of the “Also” choices below. For example, use this option in
    conjunction with “Also Run at User Login” to run whenever the user logs in.
    Run Every nth minutes/hours - The script runs every n minutes or hours, as specified.
    Run Every day/specific day at HH:MM AM/PM - The script runs at the specified time on the
    specified day.
    Custom Schedule - This option allows you to set an arbitrary
    schedule using standard cron format. For
    example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means:
    On the last day of year, at 23:01, 23:02,
    23:03, 23:05, 23:20, 23:21, 23:22, 23:23,
    23:24, 23:25, 23:30, 23:31, 23:32, 23:33,
    23:34, 23:35, 23:59. The KBOX doesn’t
    support the extended cron format.
    Also Run Once at next Client Checkin (Only for Offline KScript) - This option runs the Offline
    KScript once when new scripts are downloaded from the KBOX. To set the time interval for
    downloading scripts, go to Organizations | Organizations.
    Also Run at Machine Boot Up (Only for Offline KScript) - This option runs the Offline KScript at
    machine boot time. Beware that this causes the machine to boot up slower than it
    might normally.
    Also Run at User Login (Only for Offline KScript) - This option runs the Offline KScript after
    the user has entered their Windows login credentials.
    Allow Run While Disconnected (Only for Offline KScript) - Select this option if you want to allow
    the Offline KScript to run even if the target machine cannot contact the KBOX 1000
    Series to report results. In such a case, results are stored on the machine until the
    next contact and then uploaded to the KBOX 1000 Series.
    Allow Run While Logged Off (Only for Offline KScript) - Select this option if you want to allow the
    Offline KScript to run even if a user is not logged in. To run the script only when the
    user is logged into the machine, clear this option.

5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more
information about the Run Now button, refer to “Using the Run Now function,” on page 154.
6. To browse for and upload files required by the script, click Add new dependency, click Browse, and
then click Open to add the new dependency file.
If a Replication Share has been specified and enabled at Distribution | Replication:
Offline KScripts: The dependencies are downloaded from the specified replication share.
Online KScripts: They do not support replication. The dependencies are downloaded from the
KBOX Server.

If the replication share is inaccessible, the dependencies are downloaded from the
KBOX Server.
If a dependency file is unavailable at the replication share, it is downloaded from the KBOX
server.

Repeat this step to add additional new dependencies as necessary.


7. Click Add Task Section to add a new task. The process flow of a task in a script is shown below.
IF Verify THEN
Success
ELSE IF Remediation THEN
Remediation Success
ELSE
Remediation Failure

Figure 8-2: Example of Task process flow

An example to verify the presence of Adobe key in HKEY_CURRENT_USER is as follows:

a. Click Add below Verify area and select Verify a registry key exists from Add a new step drop-
down list.
b. Enter the registry key in Key field in correct format as displayed below,
HKEY_CURRENT_USER\Software\Adobe
c. Click Save Changes to save the format.
d. Click Add below On Success area and select Log message from Add a new step drop-down list.
e. Enter a message in the Message field.

f. Click Save.
The message is displayed in the Scripting logs on the successful execution of the script. To view the
scripting logs, refer to Chapter 3, “Scripting Logs,” starting on page 64.
8. Under Policy or Job Rules, set the following options for Task 1:

Attempts - Enter the number of times the script should attempt to run.
If the script fails but remediation is successful, you may want to run the
task again to confirm the remediation step. To do this, set the number of
Attempts to 2 or more. If the Verify section fails, it is run the number of
times mentioned in this field.
On Failure - Select Break if you want the script to stop running upon failure. Select
Continue if you want the script to perform remediation steps upon failure.

9. In the Verify section, click Add to add a step, and then select one or more steps to perform. Refer to
Appendix B, “Adding Steps to a Task,” starting on page 330.
10. In the On Success and Remediation sections, select one or more steps to perform. Refer to
Appendix B, “Adding Steps to a Task,” starting on page 330.
11. In the On Remediation Success and On Remediation Failure sections, select one or more steps
to perform. Refer to Appendix B, “Adding Steps to a Task,” starting on page 330.

To remove a dependency, task, or step, click the trash can icon beside the item.
This icon appears when your mouse hovers over an item.

Click beside Policy or Job Rules to view the token replacement variables that can be
used anywhere in the KBOX script, and are replaced at runtime on the client with
appropriate values. For more information, refer to “Token Replacement Variables,” on
page 153.

To add an Online Shell Script:

1. Select Scripting | Scripts.


2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears.
3. In the Configuration area, enter the requested details:

Script Type - Use this field to select the Online Shell Script type.
Name - Enter a meaningful name for the script to make it easier to distinguish from
others listed on the Scripts tab.
Description - Enter a brief description of the actions the script performs. Although this
field is optional like the Name field, it helps you to distinguish one script
from another on the Scripts tab.
Status - Use this field to indicate whether the script is in development (Draft) or has
been rolled out to your network (Production). Use the Template status if
you are building a script that is to be used as the basis for future scripts.
Enabled - Select this check box to run the script on the target machines. Do not
enable a script until you are finished editing and testing it and are ready to
run it. Enable the script on a test label before you enable it on all
machines.
Notes - Enter notes, if any.

4. Specify the deployment options:

Deploy to All Machines - Select this check box if you want to deploy the script to all the machines.
Limit Deployment To Selected Labels - Select a label to limit deployment only to machines grouped by that
label. Press CTRL and click labels to select more than one label.
Limit Deployment To Listed Machines - You can limit deployment to one or more machines. From the drop-down
list, select a machine to add to the list. You can add more than one
machine. You can filter the list by entering filter options.
Supported Operating Systems - Select an operating system on which the script runs.
If you selected a label as well, the script runs on only the machines with
that label if they are also running the selected operating system.
Scheduling - In the Scheduling area, specify when and how often the script runs.
    Don’t Run on a Schedule - The script runs in combination with an event
    rather than on a specific date or at a specific time. Use this option in combination
    with one or more of the “Also” choices below. For example, use this option in
    conjunction with “Also Run at User Login” to run whenever the user logs in.
    Run Every nth minutes/hours - The script runs every n minutes or hours, as specified.
    Run Every day/specific day at HH:MM AM/PM - The script runs at the specified time on the
    specified day.
    Custom Schedule - This option allows you to set an arbitrary
    schedule using standard cron format. For
    example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means:
    On the last day of year, at 23:01, 23:02,
    23:03, 23:05, 23:20, 23:21, 23:22, 23:23,
    23:24, 23:25, 23:30, 23:31, 23:32, 23:33,
    23:34, 23:35, 23:59. The KBOX doesn’t
    support the extended cron format.

5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more
information about the Run Now button, refer to “Using the Run Now function,” on page 154.
6. To browse for and upload files required by the script, click Add new dependency, click Browse, and
then click Open to add the new dependency file.
If a Replication Share has been specified and enabled at Distribution | Replication, the
dependencies are still downloaded from the KBOX server, since Replication is not supported by Online
Shell Scripts.
Repeat this step to add additional new dependencies as necessary.
7. Specify the following:

Script Text: Enter the relevant script text.
Timeout (minutes): Enter the maximum time, in minutes, for which the server tries to execute the script.
Upload File: Select this check box to upload the dependency file, if any, to the client machine. Specify the directory path and file name.
Delete Downloaded Files: Select this check box to delete the downloaded files from the client machine.

To remove a dependency, click the trash can icon beside the item. This icon
appears when your mouse hovers over an item.

Click beside Policy or Job Rules to view the token replacement variables that can be
used anywhere in the KBOX script, and are replaced at runtime on the client with
appropriate values. For more information, refer to “Token Replacement Variables,” on
page 153.

Editing Scripts
You can edit scripts on the Script: Edit Detail page, or in an XML editor (only for Offline KScripts and Online
KScripts). To use the XML editor, click the View raw XML editor link below the Scheduling option. Offline
KScripts and Online KScripts can be edited using the wizard in addition to these methods.

To edit a script:

1. Select Scripting | Scripts.


2. Click the name of the script you want to edit. The Script: Edit Detail page appears.
3. Modify the script as desired.
4. Click Save.

To delete a script from the Scripts page:

1. Select Scripting | Scripts.


2. Select the check box beside the script you want to delete.
3. Choose Delete Selected Item(s) from the Choose action drop-down list.

4. Click OK to confirm deletion.

To delete a script from the Scripts Edit page:

1. Select Scripting | Scripts.


2. Click the name of the script you want to delete. The Script: Edit Detail page appears.
3. Click Delete.
4. Click OK to confirm deletion.

Importing Scripts
If you prefer to create your script in an external XML editor, you can upload your finished script to the
KBOX. Be sure that the imported script conforms to the following structure:
• The root element <kbots></kbots> includes the URL of the KACE DTD: <kbots xmlns="http://kace.com/Kbots.xsd">...</kbots>
• One or more <kbot> elements.
• Exactly one <config> element within each <kbot> element.
• Exactly one <execute> element within each <config> element.
• One or more <compliance> elements within each <kbot> element.

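Following is an example of the XML structure for a KBOX script:


<?xml version="1.0" encoding="utf-8" ?>
<kbots xmlns="http://kace.com/Kbots.xsd">
  <kbot>
    <!-- Configuration: script name, type (policy or job), and description -->
    <config name="" type="policy" id="0" version="" description="">
      <!-- Whether the script can run while disconnected or logged off -->
      <execute disconnected="false" logged_off="false">
      </execute>
    </config>
    <!-- Whether the script is enabled, and the tasks it performs -->
    <compliance>
    </compliance>
  </kbot>
</kbots>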

In the above example of a simple XML script, the <config> element corresponds to the Configuration
section on the Script: Edit Detail page. This is where you specify the name of the policy or job (optional),
and the script type (policy or job). Within this element you can also indicate whether the script can run
when the target machine is disconnected or logged off from the KBOX.
You can specify whether the script is enabled and describe the specific tasks the script is to perform within
the <compliance> element.

Tip: If you are creating a script that can perform some of the same tasks as an existing
script, you may want to consider the following:
• Creating a copy of that existing script.
• Opening the copied script in XML editor view to better understand what is
possible in the <compliance> element.
For more information, refer to “Duplicating Scripts,” on page 153.
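
A pre-import check for the structure rules listed above, as an added example that is not KACE's own code: it parses a script with Python's standard library and reports each rule the document breaks. The function name, the DOCTYPE rejection, and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

KBOTS_NS = "http://kace.com/Kbots.xsd"   # namespace URL shown on the page
SCRIPT_TYPES = {"policy", "job"}         # script types named on the page


def _q(tag):
    """Return the namespace-qualified form ElementTree uses for a tag."""
    return "{%s}%s" % (KBOTS_NS, tag)


def validate_kbots(xml_text):
    """Check a script against the import structure rules.

    Returns a list of problem strings; an empty list means the document
    is well-formed and follows every rule listed in this section.
    """
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    # The documented structure has no DOCTYPE, so refuse one outright; this
    # also keeps entity declarations away from the parser. (Simple byte
    # search: a DOCTYPE string inside a comment is rejected as well.)
    if b"<!DOCTYPE" in data:
        return ["DOCTYPE declarations are not part of the documented structure"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    if root.tag != _q("kbots"):
        return ["root element must be <kbots> in namespace %s" % KBOTS_NS]

    problems = []
    kbots = root.findall(_q("kbot"))
    if not kbots:
        problems.append("<kbots> needs one or more <kbot> elements")
    for n, kbot in enumerate(kbots, start=1):
        where = "kbot #%d" % n
        configs = kbot.findall(_q("config"))
        if len(configs) != 1:
            problems.append("%s: expected exactly one <config>, found %d"
                            % (where, len(configs)))
        for config in configs:
            executes = config.findall(_q("execute"))
            if len(executes) != 1:
                problems.append("%s: expected exactly one <execute> in "
                                "<config>, found %d" % (where, len(executes)))
            if config.get("type") not in SCRIPT_TYPES:
                problems.append("%s: config type %r is not policy or job"
                                % (where, config.get("type")))
        if not kbot.findall(_q("compliance")):
            problems.append("%s: needs one or more <compliance> elements"
                            % where)
    return problems


# Constructed sample: the page's skeleton with a name filled in.
GOOD = """<?xml version="1.0" encoding="utf-8" ?>
<kbots xmlns="http://kace.com/Kbots.xsd">
  <kbot>
    <config name="Example policy" type="policy" id="0" version="" description="">
      <execute disconnected="false" logged_off="false">
      </execute>
    </config>
    <compliance>
    </compliance>
  </kbot>
</kbots>"""

# Constructed sample with three defects: a second <config>, a <config>
# without <execute>, and no <compliance> element.
BAD = """<?xml version="1.0" encoding="utf-8" ?>
<kbots xmlns="http://kace.com/Kbots.xsd">
  <kbot>
    <config name="a" type="job" id="0" version="" description="">
      <execute disconnected="false" logged_off="false"/>
    </config>
    <config name="b" type="job" id="0" version="" description=""/>
  </kbot>
</kbots>"""

# Constructed sample: root element without the Kbots namespace.
NO_NAMESPACE = "<kbots><kbot/></kbots>"

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD),
                       ("NO_NAMESPACE", NO_NAMESPACE)):
        print(label, validate_kbots(doc) or "OK")
```

Running the check on a script exported from an external editor before pasting it into Import from XML catches structural mistakes while the script is still outside the appliance.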

To import an existing script:

1. Select Scripting | Scripts.


2. From the Choose action drop-down list, select Import from XML. The Script: Edit Detail page
appears.
3. Paste the existing script into the space provided, then click Save.

Duplicating Scripts
If you have already created a script that performs many of the tasks required of your new script, the
simplest way to begin is to make a copy of the current script, then modify the steps as required, and then
upload any new dependency files.

To duplicate an existing script:

1. Select Scripting | Scripts.


2. Click the linked name of the script you want to copy to open it for editing. The Script: Edit Detail page
appears.
3. Click the Duplicate button. The Scripts list page appears, which includes a new script named “Copy of
xxx”, where “xxx” is the name of the copied script.
4. Click the linked name of the copied script to open it for editing. Continue as you would in “Adding
Scripts,” on page 145.

Token Replacement Variables


The following token replacement variables can be used anywhere in the XML of a KBOX script, and are
replaced at runtime on the client with appropriate values:
$(KACE_DEPENDENCY_DIR) - expands to $(KACE_INSTALL)\packages\kbots\xxx. This is the folder
where any script dependencies for this script are downloaded to the client.
$(KBOX_INSTALL_DIR) - agent installation directory, C:\Program Files\KACE\KBOX.
$(KBOX_SYS_DIR) - agent machine's system directory, C:\Windows\System32.
$(KACE_INSTALL) - same as KBOX_INSTALL_DIR.
$(KBOX_EXECUTE_EVENT) - event causing KBOT to run, [BOOTUP|LOGON|null].
$(MAC_ADDRESS) - agent machine's primary MAC address.
$(KACE_SERVER) - hostname of KBOX server (kbox).
$(KACE_SERVER_PORT) - port to use when connecting to KACE_SERVER (80/443).
$(KACE_SERVER_URLPREFIX) - http/https.
$(KACE_COMPANY_NAME) - agent's copy of the setting from server's configuration page.
$(KACE_SPLASH_TEXT) - agent's copy of the setting from server's configuration page.
$(KACE_LISTEN_PORT) - agent's port that server can use for "run now".
$(KACE_SERVER_URL) - combination of server, port, and url prefix (http://kbox:80).
$(KBOX_IP_ADDRESS) - agent's local IP address (corresponds with network entry of MAC_ADDRESS).
$(KBOX_MAC_ADDRESS) - same as MAC_ADDRESS.
$(KBOX_MACHINE_ID) - for 2.1 agents, this is the server's assigned unique ID for this machine.

Using the Run Now function
The Run Now function provides a way for you to run scripts on selected machines immediately without
setting a schedule. You may want to use this function if you have machines on your network that you
suspect are infected with a virus or affected by another vulnerability that could compromise your entire
network if not resolved right away. Run Now is also useful for testing and debugging scripts on a specific
machine or set of machines during development.
The Run Now function is available in three places:
Run Now tab—Running Scripts from the Scripting | Run Now tab allows you to run one script at a
time on the target machines.
Script: Edit Detail Page—Running Scripts from the Script : Edit Detail page allows you to run one
script at a time on the target machines.
Scripts List Page—Running scripts from the Scripts List Page using the Run Now option from the
Choose action drop-down list allows you to run more than one script at the same time on the target
machines.

CAUTION: Because a script is deployed immediately when you click Run Now, use
this feature cautiously, and do not deploy unless you are certain that you want to run
the script on the target machines.
Refer to Chapter 3,“Labels,” starting on page 84 for more information.

Run Scripts using the Run Now tab


You can run scripts using the Scripting | Run Now tab.

To run Scripts using the Run Now tab:

1. Select Scripting | Run Now. The Run Now page appears.


2. Select the Script you want to run in the Scripts list. You can use the Filters options to filter the Scripts
list.
3. Select the machines on which the script needs to run from the Inventory Machines list. The selected
machine names appear in the Machine Names field. You can use the Filters to filter the machine
names list. You can add all the machines by clicking Add All.
At least one machine name must be present in the list to run the script.
4. Click Run Now to run the selected Script.

If a Replication Share has been specified and enabled at Distribution | Replication,
the dependencies are still downloaded from the KBOX Server for all script types
when you click Run Now.

Run Now from the Script Detail page
To use the Run Now function from the Script Detail page:

1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a
label that represents the machine or machines on which you want to use the Run Now function. Refer
to Chapter 3,“Labels,” starting on page 84 for more information.
2. Select Scripting | Scripts.
3. Select the script you want to run. The Script: Edit Detail page appears.
4. Select the label or labels that represent the machine(s) on which you want to run the script. Press
CTRL and click to select multiple labels.
5. Scroll to the bottom of the Scheduling section, then click Run Now.
A confirmation dialog box appears, if you have made any changes.
Click OK in the confirmation dialog box to save any unsaved changes before running or click Cancel to
run without saving. The Run Now Status page is displayed after the script is run.

To use the Run Now function from the Scripts List Page:

1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a
label that represents the machine or machines on which you want to use the Run Now function. Refer
to Chapter 3,“Labels,” starting on page 84 for more information.
2. Select Scripting | Scripts.
3. Select the script or scripts you want to run.
4. Select Run Now from the Choose action drop-down list.

Monitoring Run Now Status


When you click Run Now or select Run Now from the Choose action drop-down list, the Run Now
Status tab appears where you can see a new line item for the script.
The Pushed column indicates the number of machines on which the script is attempting to run. The
Completed column indicates the number of machines that have finished running the script. The numbers
in these columns increment accordingly as the script runs on all of the selected machines. The icons above
the right-hand column provide further details of the script status.

Icon Description

The script completed successfully.
The script is still being run, therefore its success or failure is unknown.
An error occurred while running the script.

Table 8-3: Run Now Status tab icons

If there were errors in pushing the scripts to the selected machines, you can search the scripting logs to
determine the cause of the error. For more information about searching logs, refer to “Searching Scripting
Log Files,” on page 156.

The Run Now function communicates over port 52230. One reason a script might fail to
deploy is if firewall settings are blocking the KBOX Agent from listening on that port.

Run Now Detail Page


For more information on a Run Now item, click the linked start time on the Run Now Status page to display
the item’s Run Now Detail page.
The Run Now Detail page displays the results of a script that was run manually using the Run Now
function, instead of running it on a schedule.
The Run Now Statistics section displays the results of a script that was pushed, the push failures, push
successes, completed machines, running machines, successes and failures in numbers and percentage.
The Push Failures section lists those machines that the server could not contact, and therefore did not
receive the policy. Once pushed, it may take some time for the machine to complete a policy. Machines
that have received the policy, but have not reported their results yet are listed in the Scripts Running
section. After the policy is run, it reports either success or failure. The results are sorted under the
appropriate section. Each individual computer page also has the results of the Run Now events run on that
machine. The Run Failures section lists those machines that failed to complete the script. The Run
Successes section lists those machines that completed the script successfully.

Searching Scripting Log Files


The Search Logs page allows you to search the logs uploaded to the KBOX 1000 Series appliance by the
machines on your network.

To search scripting logs:

1. Select Scripting | Search Logs.


2. In the Search for field, enter the keywords you want to search for. You can use
the following operators to change how the logs are searched:

Operator   Function

+          A leading plus sign indicates the word must be present in the log.
-          A leading minus sign indicates the word must not be present in the log.
*          A trailing asterisk can be used to find logs that contain words that begin with the supplied characters.
"          A phrase enclosed in double quotes matches only if the log contains the phrase exactly as typed.

Table 8-4: Available search operators


3. To search only in logs uploaded by a particular script, choose the script name.

4. Select the log type to search in from the drop-down list. You can choose from the following options:
Output
Activity
Status
Debug
5. In the Historical field, select whether to search in only the most recent logs or in all logs from the
drop-down list.
6. In the label field, select a label from the drop-down list to search logs uploaded by machines in a
particular label group.
7. Click Search. The search results display the logs and the machines that have uploaded the logs.
8. You can apply a label to the machines that are displayed by selecting a label from the drop-down list,
under search results.

Configuration Policies
The Configuration Policy page displays a list of wizards you can use to create policies that manage various
aspects of the computers on your network.
To access the list of available Configuration Policy wizards, click the Scripting button, then select the
Configuration Policy tab. This section includes descriptions of the settings for each of the policies you
can create.
Available wizards include:
Enforce Registry Settings
Remote Desktop Control Troubleshooter
Enforce Desktop Settings
Desktop Shortcuts Wizard
Event Log Reporter
MSI Installer Wizard
UltraVNC Wizard
Un-Installer Wizard
Windows Automatic Updates Settings

Enforce Registry Settings


This wizard allows you to create scripts that enforce registry settings.

To enforce registry settings:

1. Use regedit.exe to locate and export the values from the registry that you are interested in.
2. Open the .reg file that contains the registry values you want with notepad.exe and copy the text.
3. Select Scripting | Configuration Policy.
4. Click Enforce Registry Settings. The Configuration Policy : Enforce Registry Settings page appears.

5. Enter a policy name in the Policy Name field.
6. Paste the copied registry values into the Registry File field.
7. Click Save. The Script: Edit Detail page appears.
8. Enable and set a schedule for this policy to take effect.
A new script is created that checks that the values in the registry file match the values found on the target
machines. Any values that are missing or incorrect are replaced. Refer to “Adding Scripts,” on page 145
for more information.

Remote Desktop Control Troubleshooter


This editor creates a troubleshooting script for the KBOX Remote Control functionality. The script that this
page generates tests the following things:
Terminal Services: To access a Windows XP Professional machine using Remote Desktop, Terminal
Services must be running. This script verifies that this is the case.
Firewall Configuration: If the Windows XP SP2 Firewall is running on the machine, several different
configurations can result in Remote Desktop requests being blocked by the firewall.

To troubleshoot remote behavior:

1. Select Scripting | Configuration Policy.


2. Click Remote Desktop Control Troubleshooter. The Configuration Policy : Remote Control
Troubleshooter page appears.
3. Under Firewall Configuration, specify the required settings.
4. Click Save. The Script: Edit Detail page appears.
5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

Enforce Desktop Settings


This wizard allows you to build policies that affect the user's desktop wallpaper. The Wallpaper bitmap file
is distributed to each machine affected by the policy. This file must be in the Bitmap (.bmp) format.

To create a policy to enforce Desktop Settings:

1. Select Scripting | Configuration Policy.


2. Click Enforce Desktop Settings.
3. Select the Use wallpaper check box to enforce this setting.
4. Click Browse to select and upload the .bmp file to use for the wallpaper.
5. Select a position for the wallpaper image from the Position drop-down list. Select Stretch to stretch
the image so that it covers the entire screen. Select Center to display the image in the center of the
screen. Select Tile to repeat the image over the entire screen.
6. Click Save. The Script: Edit Detail page appears.
7. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

Desktop Shortcuts Wizard
This wizard allows you to quickly create scripts that add shortcuts to users' Desktop, Start Menu, or Quick
Launch bar. To create an Internet shortcut, enter a URL as the target and leave the parameters and
working directory empty.

To create scripts to add shortcuts:

1. Select Scripting | Configuration Policy.


2. Click Desktop Shortcuts Wizard. The Configuration Policy : Enforce Shortcuts page appears.
3. Enter a name for the desktop shortcut policy in the Policy Name field.
4. Click Add Shortcut.
5. Specify the shortcut details.

Name: Enter the text label that appears below or beside the shortcut.
Target: Enter the application or file that is launched when the shortcut is clicked, for example, Program.exe.
Parameters: Enter any command line parameters. For example: /S /IP=123.4
WorkingDir: Enter the directory to change to as the current working directory. For example: C:\Windows\Temp
Location: Select the location where the shortcut appears from the drop-down list. Options include Desktop, Quick Launch, and Start Menu.

6. Click Save Changes to save the new shortcut.


7. Click Add Shortcut to add more shortcuts. To edit or delete a shortcut, hover over a shortcut and click
the Trash can icon that appears.
8. Click Save. The Script: Edit Detail page appears.
9. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

Event Log Reporter
This wizard creates a script that queries the Windows Event Log and uploads the results to the KBOX.

To create an Event Log query:

1. Select Scripting | Configuration Policy.


2. Click Event Log Reporter. The Configuration Policy : Event Log Reporter page appears.
3. Specify query details:

Output filename: Enter the name of the log file created by the script.
Log file: Enter the type of log you want to query. Options include Application, System, and Security.
Event Type: Enter the type of event you want to query. Options include Information, Warning, and Error.
Source Name: Use this optional field to restrict the query to events from a specific source.

4. Click Save. The Script: Edit Detail page appears.


5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.
6. You can view the Event log in the Computers : Detail page of the particular machine, by selecting
Inventory | Computers.
In Scripting Logs, under Currently Deployed Jobs & Policies, click the View logs link beside Event Log.

MSI Installer Wizard


This wizard helps you set the basic command line arguments for running MSI based installers. Refer to the
MSI Command Line documentation for full details.

To create the MSI Installer policy:

1. Select Scripting | Configuration Policy.


2. Click MSI Installer Wizard. The Configuration Policy : MSI Wizard page appears.
3. Enter the following information:

Action: Select a task from the drop-down list. Options include Install, Uninstall, Repair missing files, and Reinstall all files.
Software: Select the application you want to install, uninstall, or modify from the drop-down list. You can filter the list by entering any filter options.
MSI filename: Specify the MSI filename if it is a zip file.
User Interaction: Select an option to specify how the installation should appear to end users. Options include: Default, Silent, Basic UI, Reduced UI, and Full UI. Refer to MSI Command Line documentation for a complete description of the available options.
Installation Directory: Enter the installation directory.
Additional Switches: Enter details of any additional installer switches. Additional Switches are inserted between the msiexec.exe and the /i foo.msi arguments.
Additional Properties: Enter details of any additional properties. Additional Properties are inserted at the end of the command line. For example:
msiexec.exe /s1 /switch2 /i patch123.msi TARGETDIR=C:\patcher PROP=A PROP2=B
Feature List: Enter the features to install. Separate features with commas.
Store Config per machine: Select this box to do per-machine installations only.
After install: Select the behavior after installation. Options include:
• Delete installer file and unzipped files
• Delete installer file, leave unzipped files
• Leave installer file, delete unzipped files
• Leave installer file and unzipped files
Restart Options: Select the restart behavior. Options include:
• No restart after installation
• Prompts user for restart
• Always restart after installation
• Default
Logging: Select the type(s) of installer messages to log. Press CTRL and click to select multiple message types. Options include:
• None
• All Messages
• Status Messages
• Non-fatal warnings
• All error messages
• Start up actions
• Action-specific records
• User requests
• Initial UI parameters
• Out-of-memory or fatal exit information
• Out-of-disk-space messages
• Terminal properties
• Append to existing file
• Flush each line to the log
Refer to MSI Command Line documentation for a complete description of the available logging options.
Log File Name: Enter the name of the log file.

4. Click Save. The Script: Edit Detail page appears.


5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

UltraVNC Wizard
The UltraVNC Wizard creates a script to distribute UltraVNC to Windows computers on your network.
UltraVNC is a free software solution that allows you to display the screen of a computer (via Internet or
network) on another computer. You can use your mouse and keyboard to control the other computer
remotely. It means that you can work on a remote computer, as if you were sitting in front of it, right from
your current location. This wizard creates a script to deploy UltraVNC to your computers. Refer to the
UltraVNC website for documentation and downloads.

To distribute UltraVNC to the computers on your network:

1. Select Scripting | Configuration Policy.


2. Click UltraVNC Wizard. The Configuration Policy : Ultra VNC Wizard page appears.
3. Specify UltraVNC installation and authentication options:

Install Options
Install Mirror Driver: Check the Mirror Driver box if you want to install the optional UltraVNC Mirror Video Driver. The Mirror Video Driver is a driver that lets UltraVNC receive immediate notifications if any screen changes occur. Using it on an UltraVNC server results in excellent accuracy. The video driver also makes a direct link between the video driver framebuffer memory and the UltraWinVNC server. Using the framebuffer directly eliminates the use of the CPU for intensive screen blitting, resulting in a big speed boost and very low CPU load. Refer to the UltraVNC documentation for complete details.
Install Viewer: Check the Mirror Driver box if you want to install the optional UltraVNC Mirror Video Driver.
Authentication
VNC Password: Provide a VNC password for authentication.
Require MS Logon: If you want to use MS Logon authentication, use
MSLogonACL.exe /e acl.txt
to export the ACL from your VNC installation. Copy and paste the contents of the text file into the ACL field.

It is advisable to look at the script that is generated by this wizard to make sure it is doing what you
expect. You can view the raw script by clicking View raw XML Editor on the Script Detail page.

4. Specify UltraVNC miscellaneous options:

Disable Tray Icon: Select this check box if you do not want to display the UltraVNC tray icon on the target computers.
Disable client options in tray icon menu: Select this check box if you did not check Disable Tray Icon and do not want to display client options in the tray icon menu on the target computers.
Disable properties panel: Select this check box to disable the UltraVNC properties panel on the target computers.
Forbid the user to close down WinVNC: Select this check box if you do not want to allow computer users to shut down WinVNC.

5. Click Save. The Script: Edit Detail page appears.


6. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

Un-Installer Wizard
This wizard allows you to quickly build a script to uninstall a software package. The resulting script can
perform three actions: Execute an uninstall command, Kill a process, and Delete a directory.
To create an uninstaller script:

1. Select Scripting | Configuration Policy.


2. Click Un-Installer Wizard. The Configuration Policy : Uninstaller page appears.
3. Enter the following information:

Job Name: Enter a name for the uninstaller script.
Software Item: Select the software item to uninstall from the drop-down list. The wizard attempts to fill in the correct uninstall command. Verify that the values are correct.
Uninstall Command Directory, Uninstall Command File, Uninstall Command Parameters: When you select the software item, the wizard attempts to fill in the uninstall command directory, file, and parameters. Review the entries to make sure the values are correct.
Kill Process: To have a process killed before executing the uninstall command, enter the full name of the process in the Kill Process field. For example: notepad.exe
Delete Directory: To have a directory deleted after executing the uninstall command, enter the full name of the directory in the Delete Directory field. For example: C:\Program Files\An Example App\.

4. Click Save. The Script: Edit Detail page appears.


5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

Windows Automatic Update Settings policy
The KBOX provides a way for you to control the behavior of the Windows Update feature. This feature
allows you to specify how and when Windows updates are downloaded so that you can control the update
process for the computers on your network. The configuration settings reside under the Scripting |
Configuration Policy tab. More detailed information can be found at Microsoft's site: KB Article
328010.

To modify Windows Automatic Update settings:

1. Select Scripting | Configuration Policy.


2. Click Windows Automatic Update Settings. The Windows Automatic Update Policy page appears.
3. Enter the following information:

Automatic (recommended): Select this option to enable automatic downloading of Windows Updates.
Download updates for me, but let me choose when to install them: Select this option to ensure that you always receive the latest downloads, but retain the flexibility to decide when to install them.
Notify me but don’t automatically download or install them: Select this option to provide additional flexibility in the installation of updates. Note: Beware, this may make your network more vulnerable to attack if you neglect to retrieve and install the updates on a regular basis.
Turn off Automatic Updates: Select this option if you are using the KBOX patching feature to manage Microsoft patch updates.
Remove Admin Policy. User allowed to configure: Select this option to give users control over the updates downloaded. Note: Beware, this may make end users, and as a result your network, more vulnerable to attack.
Reschedule Wait Time: Select the interval (in minutes) from the Reschedule Wait Time drop-down list to wait before rescheduling an update if the update fails.
Do not reboot machine while user logged in: Select this check box to specify no reboot while a user is logged in.

4. Enter the details for the SUS Server and SUS Server Statistics.
5. Click Save. The Script: Edit Detail page appears.
6. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more
information.

To start the Automatic Windows Update on the client machine:

You can start the Automatic Windows Update on the client machine using one of these methods:
1. Enabling the Windows Automatic Update Settings policy of the KBOX on the client machine.
2. Enabling local policy for automatic deployment of Windows updates on the client machine.
3. Modifying the registry key for automatic deployment of Windows updates on the client machine.

4. Setting up the group policy on the domain for automatic deployment of Windows updates on the client
machine.
5. Configuring the patching functionality for automatic deployment of Windows updates on the client
machine.

If you are using the patching functionality for automatic deployment of Windows
updates on the client machine, you must disable the automatic deployment of
Windows updates on the client machine by any other process to avoid the conflict
between the different deployment processes.

CHAPTER 9

Patching

KBOX Systems Management Appliance patching uses PatchLink’s patented Patch Fingerprint Technology
that supports the Windows and Macintosh® operating systems, and many third-party and
vendor-supplied applications for both the operating systems. Patches are kept up-to-date with an
automatic or on-demand patch feed.

“Overview of the Patch Management feature,” on page 167


“Subscription Settings,” on page 169
“Patch Listing,” on page 169
“Patching Reports,” on page 176

Overview of the Patch Management feature
KBOX Patch Management provides quick, accurate, and secure patch management. It allows you to
manage threats proactively by automating the collection, analysis and delivery of patches throughout your
network. The patch management feature provides access to the latest security bulletin updates for
Windows and Macintosh® platforms.
Microsoft updates its list of security bulletins on a periodic basis and new patches are made available for
download from the KBOX 1000 Series appliance. The KBOX 1000 Series automatically downloads patch
software based on the configured patch settings.
To view the patch management page, go to Security | Patching. The Patch Management page appears.
The Installation Progress indicator displays:
• Percentage of patches installed out of the total patches scheduled for deployment.
• Percentage of patching tasks completed for the current patch run.

The Critical Patch Compliance indicator displays the number of critical patches installed from all the
detected critical patches.

The patch management feature works only on KBOX Agent version 4.0 or higher.
For updating KBOX Agent version 3.3, refer to Chapter 2, “To update KBOX
Agent automatically:,” starting on page 47.

The patch management feature requires a constant connection between the KBOX and
the KBOX Agent. This is indicated by the icon on the Inventory list page. For
information on how to set up the constant connection, refer to Chapter 1, “Configuring
AMP Settings for the Server,” starting on page 24.

Individual agents receive patches from the KBOX or their replication share point. A replication share allows
a KBOX Client to replicate software installers to a share for use by other KBOX Clients. This allows them to
download software from the share instead of downloading it directly from the KBOX.

Patch Quality Assurance


Lumension Security provides additional value to PatchLink Update customers through the content
development and quality assurance process. This is done by verifying the patch metadata produced by the
content development team and the install and uninstall processes. Also, you need to validate that the patch
does not disrupt the immediate stability of the targeted operating system and/or the application.
Lumension Security tests, verifies, and certifies patches before patch deployment. To ensure
successful delivery of content, it executes test cases covering the following test components:
1. Application Testing - Various applications are tested whenever essential, to ensure that the
requirements of the patch are satisfied.
2. Testing Strategy - A list of testing strategies is as follows:
   General Testing:
   • Verifying that the patch-naming convention complies with the Lumension Security policy

   • Verifying that the content supports the replication process. Each patch created by the content team
     is validated with the GSS distribution and Update Server products.
   Assessment Testing:
   • Verifying that an applicable non-patched system shows applicable and not patched
   • Verifying that a patched system shows installed and not applicable
   • Verifying false positives in the detection of digital fingerprint
   • Verifying that the content is compliant with mandatory baselines
   Deployment Testing:
   • Verifying that the package is successfully deployable
   • Verifying that No Reboot functionality works correctly
   • Verifying that the uninstall functionality works correctly
   • Verifying the CRC checksum, and ensuring package integrity

Patching enhancements in 4.3


The patching enhancements in the KBOX 1000 4.3 version are as follows:
• The patch label feature - Enables creating separate patch labels for individual patches, operating
  systems, and operating system languages.
• Multiple operating system languages support - Download patches for different operating system
  languages such as English, French, Italian, German, and Spanish.
• Ready-to-deploy downloaded patches - Downloaded patches are, by default, in a ready-to-deploy state
  and no review is required for deployment.
• Run Detect and/or Deploy on specific patch labels - Limit a detect and/or deploy run to specific
  patches, operating systems, and operating system languages by using patch labels.
• Enhanced content architecture to support patching on KBOX Agent 4.3 from 4.3 Server.
• Schedule patching on the agents that are not connected to the KBOX Server.
• Suspend a pending Detect and Deploy run - You can specify a time interval to suspend the tasks in
  queue. This value is specified in the Suspend pending tasks after n minutes from scheduled start
  field on the Patch Schedule : Edit Detail page.

Patching Workflow
The patching feature involves the following steps:
1. Enabling Enhanced Content Settings - Refer to Chapter 16,“To enable enhanced content:,” starting on
page 299.
2. Subscribing to the OS and OS languages - Refer to “To configure patch download settings:,” on
page 169.
3. Downloading patches for the subscribed OS and OS languages - Refer to Chapter 16,“To update the
patch definitions:,” starting on page 299.
4. Displaying the downloaded patches - Refer to “Patch Listing,” on page 169.
5. Detect and/or Deploy run on the machines - Refer to “Detect and Deploy Patches,” on page 172.
6. Viewing the results of Detect and/or Deploy run.

Subscription Settings
The KBOX automatically downloads all new patches available from Microsoft and Apple every day.
However, you can modify the patch configuration settings to download only bulletins according to the
operating system or operating system languages.

To configure patch download settings:

1. Select Security | Patching. The Patch Management page appears.


2. Click Subscription Settings. The Patch Subscription Settings page appears.
3. Scroll down and click the [Edit Mode] link.

4. Under the Select Patches To Download area, select the appropriate Windows and Macintosh®
operating systems. Press CTRL to select multiple operating systems.

Apple Security updates are also downloaded for Macintosh®.

5. Under the Languages area, select the appropriate operating system languages from those available.

You can choose the operating system language only for Windows Platform.
The language support is displayed only when EC is enabled on the KBOX Settings |
Server Maintenance page.

6. Select the Include Application Patches check box to also include application patches.
7. Click Save to save the patch subscription changes.

Patch Listing
The Patch Listing feature enables you to review the list of available patches, and assign them to labels for
detection and deployment.

To view the downloaded patches:

1. Select Security | Patching. The Patch Management page appears.


2. Click Patch Listing. The Patch Listing page appears.
The downloaded patches appear on the Patch Listing page with the patch status as Active. The patches
with an Active status can be deployed on the machines without reviewing them.

Internet Explorer stops responding for a few seconds when the Patch Listing page is
opened, until the list of patches is updated.

Using Advanced Search for Patching
Searching the patch listing using keywords such as Microsoft Excel or Acrobat does not always give you
the level of specificity you need. However, advanced search allows you to specify values for each field
present in the record and search the entire patch listing for that value.

To specify advanced search criteria:

1. Select Security | Patching. The Patch Management page appears.


2. Click Patch Listing. The Patch Listing page appears.
3. Click the Advanced Search tab.
4. Specify your search criteria from the following:

Year - Select the appropriate year from the drop-down list.
Severity - Select the severity from the drop-down list.
Language - Select the language from the drop-down list.
OS - Select the operating system from the drop-down list.
Patch Label - Select the appropriate label from the drop-down list.
  Note: If you select the label, only patches assigned to that label are displayed.
Status - Select the appropriate status from the drop-down list.
Patch Type - Select the patch type from the drop-down list.
Description - Enter keywords in the text box, if any.
Deployment Errors - Select the check box to search for patches that have deployment errors.
Detected - Select the check box to search for patches that were detected but not deployed.

5. Click Search. The patches are displayed as per the search criteria in the Patch Listing page.

Using Saved Search


You can also specify and save search criteria as a saved search. You can then use the saved search
criteria to search for the same patches in the subsequent releases of KBOX.
To create a saved search:
1. Select Security | Patching. The Patch Management page appears.
2. Click Patch Listing. The Patch Listing page appears.
3. Click the Create Saved Search button.
4. Specify the search criteria from the following:

Year - Select the appropriate year from the drop-down list.
Severity - Select the severity from the drop-down list.
OS - Select the operating system from the drop-down list.
Language - Select the language from the drop-down list.

Patch Label - Select the appropriate patch label from the drop-down list.
  Note: If you select a patch label, only patches with the assigned patch label are displayed.
Status - Select the appropriate status from the drop-down list.
Patch Type - Select the patch type from the drop-down list.
Description - Enter keywords in the text box, if any.
Deployment Errors - Select the check box to search for patches that have deployment errors.
Detected - Select the check box to search for patches that were detected.
Saved Search Name - Specify the name of the search.

5. Click Test Search to display the search results.


6. Click Create Search to create the saved search.
The saved search then appears in the View by drop-down list, under the View by Saved Search
field, on the Patch Listing page.

Applying Patch Label


You can apply a patch label to patches either by using the Patch filter or by manually assigning a label
to the patches.

To apply a patch label using the patch filter:

1. Select Security | Patching. The Patch Management page appears.


2. Click Patch Listing. The Patch Listing page appears.
3. Click the Create Patch Filter button.
4. Specify the criteria from the following:

Title - Enter the title of the patch. This title is displayed in patch listing page.
Description - Enter the description of the patch. This description is displayed in the summary section
of the Patch : Detail page.
Identifier - Enter the identifier of the patch. The Identifier is displayed under the ID column in the
Patch Listing page.
Vendor - Enter the vendor of the patch. The vendor is displayed in the vendor field in the
Patch : Detail page.
Operating System - Select the appropriate operating system from the drop-down list.
Importance - Select the appropriate level of importance from the drop-down list.
Release Date - Enter the release date of patch. This date is displayed in the Patch Listing page.
Patch Type - Select the appropriate patch type from the drop-down list.
Architecture - Select the appropriate architecture from the drop-down list.
Language - Select the appropriate operating system language from the drop-down list.

Associate to Label - Select the label you wish to apply to the patches matching the filter criteria.
Refer to Chapter 3, “Labels,” starting on page 84 for more details.

5. Click Test Patch Filter to display the search result based on the entered criteria.
6. Click Create Patch Filter.
The patch label is applied to subsequently downloaded patches that match the patch filter criteria. You
can view the label applied to the patch in the patch detail page.

To apply patch label manually to the patches:

1. Select the patch you want to apply the label to.


2. Select the appropriate label to apply from the Choose action drop-down list. The applied label for the
specific patch is displayed in the patch detail page.

Detect and Deploy Patches


The Detect and Deploy Patches feature allows you to create schedules for detecting and deploying
patches. These schedules are used to define when patch detection and deployment will run on a set of
machines.

To create a schedule:

1. Select Security | Patching. The Patch Management page appears.


2. Click Detect and Deploy Patches. The Patch Schedules page appears.
3. Select Add New Item in the Choose action drop-down list. The Patch Schedule : Edit Detail page
appears.
4. Enter the following details:

Schedule Description - Enter the schedule name here.
Patch Action - Select the appropriate patch action from the drop-down list.
  Detect: Detect patches on the target machines.
  Detect and Deploy: Detect and deploy patches.
  Deploy: Deploy patches on the target machines.
  Note: The results of detection and deployment are displayed under the Patching Detect/Deploy Status
  area on the Computer Detail page in Inventory | Computers. For more information on computer details,
  refer to Chapter 3, “Computers Inventory,” starting on page 58.

5. Specify the following under Machine Selection details:

Run on All Machines - Select the check box to run the schedule on all the machines. Click OK in the
confirmation dialog box.
Limit Run To Selected Labels - You can limit the schedule to run on one or more labels. Press CTRL to
select more than one label.

Limit Run To Machines - You can limit the schedule to run on one or more machines. From the drop-down
list, select a machine to add to the list. You can add more than one machine. You can filter the list by
entering filter options.
Limit Run To Machines With Selected Operating Systems - You can limit the schedule to run on machines
with specific operating systems. Press the CTRL key to select more than one label. Use this option in
conjunction with “Limit Run to Selected label” or “Limit Run to Machines” to filter the machine list
further, based on the selected operating system.

6. Specify the following under Detect Patch Label Selection details:

Detect All Patches - Select the check box to detect all patches of the respective OS of the selected
machines.
Limit Detect To Selected Patch Labels - This field is displayed only if the Detect All Patches check box
is not selected above. Press CTRL to select more than one label. You can use this option to run the
detect operation only for specific patches. Only those patches that are applied with the selected label
are considered for detect operation. This helps to limit the number of patches for detect operation.
Detect Patch Labels - This field is displayed only if the Detect All Patches check box is not selected
above. The patch labels selected in Limit Detect to Selected Patch Labels are displayed in this field.

7. Specify the following under Deploy Patch Label Selection details:

Deploy All Patches - Select the check box to deploy all patches. A pop-up window opens; click OK to
proceed.
Limit Deploy To Selected Patch Labels - You can limit the patch deployment to run on one or more
machines. Press CTRL to select more than one machine. You can use this option to run the deploy
operation only for specific patches. Only those patches to which the selected label is applied are
considered for the deploy operation. This helps you to limit the number of patches for the deploy
operation.
Deploy Patch Labels - The patch labels selected in Limit Deploy to Selected Patch Labels are displayed
in this field.
Limit Patches To Matching Machine Labels - Select the check box to limit the deployment of patches on
the machines having labels (i.e. machine label) similar to the ones applied on the patches (i.e. patch
label). This way only those patches, with a patch label similar to the machine label, get deployed on
the machine.

8. Specify the following under Deploy Reboot Options details:

Reboot Options - Select the appropriate reboot option from the drop-down list.
  Note: This option may not display patches in the Inventory list page and cause certain machines to
  become unstable. Therefore, rebooting the machine is necessary for patches that require a reboot.
No Reboot - The machine does not reboot.
Prompt User - The machine prompts the user to reboot. Specify the following details:
  Reboot Message: Enter a message prompting the user to reboot.
  Message Timeout: Enter the timeout, in minutes, for which the message is displayed.
  Timeout Action: Select an appropriate action from the drop-down list to execute after message
  timeout. You can either reboot the machine immediately by selecting the Reboot Now option or delay
  the machine reboot by selecting the Reboot Later option.
  Reprompt Interval: This action is executed if you have selected the Reboot Later option in Timeout
  Action. Enter the interval, in minutes, after which you are again prompted for reboot.
Force Reboot - The machine reboots immediately after the patches are deployed. Specify the following
details:
  Reboot Message: Enter a message that tells the user the machine is going to reboot.
  Message Timeout: Enter the timeout, in minutes, for which the message is displayed.
  Note: These options allow users to save their work before the machine reboots.

9. Specify the following under Patch Schedule details:

Don’t Run on a Schedule - Select this option to run the schedules with an event instead of a specific
date or at a specific time.
Run Every n hours - Select this option to run the schedules at the specified time.
Run Every day/specific day at HH:MM AM/PM - Select this option to run the schedules on specified day at
the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM - Select this option to run the tests on the
specified time on the 1st, 2nd, or any other date of every month or only the selected month.
Run custom - Refer to “To create a custom patch schedule:,” on page 175 for more details.
Run on next connection if offline - Select this option to run a Detect and/or Deploy operation on those
client machines that are offline. Detect and/or Deploy run happens on those machines when they get
connected to KBOX Server.

Suspend pending tasks after n minutes from scheduled start - You can suspend the pending tasks that are
in queue for a time interval as specified in this field. For example, you schedule a Detect and Deploy
run and specify the time interval of 10 minutes from the scheduled start. If Detect run gets completed
after 12 minutes, the Deploy run does not happen, as the time specified for deploy run to start has
elapsed.

10. Click Save to save the schedule.

To create a custom patch schedule:

You can create a custom patch schedule by entering five values separated by spaces, as when creating
UNIX crontab entries. A crontab entry has five field values:
• Starting from the left, the first denotes the minute value (that is, 0-59).
• The second denotes the hour value (that is, 0-23).
• The third denotes the value for the day of the month (that is, 1-31).
• The fourth denotes the value for the month (that is, 1-12).
• The fifth denotes the value for the day of the week (that is, 0-6).

For example, 15 * * * * * refers to the patch schedule which runs at 15 minutes past every hour, every
day, for all the months.

To delete a schedule:

1. Select Security | Patching. The Patch Management page appears.


2. Click Detect and Deploy Patches. The Patch Schedules page appears.
3. Select the patch schedule that you want to delete.
4. Select Delete Selected Item(s) in the Choose action drop-down list.
5. Click Yes to confirm deleting the schedule.

To run a scheduling action:

1. Select Security | Patching. The Patch Management page appears.


2. Click Detect and Deploy Patches. The Patch Schedules page appears.
3. Select the check box beside the schedule(s) you want to run.
4. In the Choose action drop-down list, select Run Selected Item(s) Now under Scheduling Action.
5. Click Yes to confirm the action.

Patching for the Microsoft Windows Vista x64 edition is supported only with KBOX
Agents 4.3 and higher.

Patching Reports
There are several ways you can access patching results. To see which patches were unsuccessful, for
example, you could sort the Patch Listing page by Bulletins with Errors.
For more details about patching status, refer to the Computer Detail page in Inventory |
Computers. For more information on computer details, refer to Chapter 3, “Computers
Inventory,” starting on page 58.

To view patching reports:

1. Select Security | Patching. The Patch Management page appears.


2. Click Reporting. The KBOX Reports page appears, with patching selected in the view by category
drop-down list.
This page provides quick links for viewing reports on:
• Critical Bulletin List
• For each Machine, which patches are installed
• For each Patch, which machines have it installed
• How many computers have each Patch installed
• Installation Status of each enabled Patch
• Machines not compliant by patch
• Machines that failed to patch by patch
• Needs Review Bulletin List
• Patches waiting to be deployed
To generate a report output, click the desired format type (HTML, PDF, CSV, TXT, or XLS).

Creating a Replication Share for Patches


A Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX
Agents. This allows KBOX Agent machines to download patch software from the share instead of directly
from the KBOX. This is useful if you have machines in a remote office where downloading the software
once for each machine would impact the network.
For more information about creating Replication Shares, refer to Chapter 6, “Replication,” starting on
page 127.

Create New Windows Update Policy


The KBOX provides a way for you to control the behavior of the Windows Update feature. This feature
allows you to specify how and when Windows updates are downloaded so that you can control the update
process for the computers on your network. The configuration settings reside under the Scripting |
Configuration Policy tab. For more information about this policy, refer to Chapter 8, “Windows
Automatic Update Settings policy,” starting on page 164.

CHAPTER 10

Security

The optional KBOX Security Enforcement and Audit Module allows you to run vulnerability tests on your
network using Open Vulnerability and Assessment Language (OVAL). This feature is available only for
computers that run on the Windows operating system.

“Security Module Overview,” on page 179


“OVAL Tests,” on page 180
“OVAL Settings,” on page 182
“Vulnerability Report,” on page 183
“Computer Report,” on page 184
“Creating Security Policies,” on page 184

Security Module Overview
If you purchased the optional KBOX 1000 Series Security Enforcement and Audit Module, you can ensure
the health of your network. You can run vulnerability tests on the computers in your network, and using
the results of these tests you can determine how to bring the computers back into compliance. You can
customize security policies to enforce certain rules, schedule tests to run automatically, and run reports
based on testing results thus obtained.
The KBOX 1000 Series Security Enforcement and Audit Module uses Open Vulnerability and Assessment
Language (OVAL), an internationally recognized standard to detect security vulnerabilities and
configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and
Exposures (CVE) list, which provides common names used to describe known vulnerabilities and
exposures.
The ability to describe vulnerabilities and exposures in a common language makes it easier to share
security data with other CVE-compatible databases and tools.

Note that the OVAL tests available with your KBOX when it is first installed might be out of
date. After installation, the KBOX will automatically check for nightly updates.
To view OVAL information, select Reporting | Summary. The KBOX Summary Page
appears. Click View Details. The details are displayed on the KBOX Summary Details page.

About OVAL and CVE


OVAL relies on definitions submitted by members of the security community on the Community Forum, by
MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the
vulnerabilities on the CVE List (Common Vulnerabilities and Exposures List) as the basis for most of its
definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the
international information security community.
Any new information about a vulnerability that is uncovered as a result of discussions on the Community
Forum is sent to the CVE Initiative for possible addition to the list. For more information about CVE visit
http://cve.mitre.org.
OVAL definitions pass through a series of phases before being released. Depending on where a definition
is in this process, it is assigned the status of DRAFT, INTERIM, or ACCEPTED. Other possible values for
status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions,
visit http://oval.mitre.org/about/stages.html.

Status - Description
DRAFT - Definitions with this status have been assigned an OVAL ID number and are under discussion on
the Community Forum and by the OVAL Board.
INTERIM - Definitions with this status are under review by the OVAL Board and available for discussion
on the Community Forum. Definitions are generally assigned this status for two weeks, unless further
changes or discussion are required.
ACCEPTED - Definitions with this status have passed the Interim stage and are posted on the OVAL
Definition pages. All history of discussions surrounding Accepted definitions are linked from the OVAL
definition.

Table 10-1: OVAL status definition descriptions

OVAL Tests
The KBOX checks for nightly updates to the list of available OVAL definitions. Definitions are displayed on
the OVAL Tests tab, along with their associated OVAL ID and CVE Number. Search for a specific OVAL test
by operating system, vulnerability, or by OVAL ID or CVE Number.
To view the list of OVAL definitions, select Security | OVAL. The OVAL Scan page appears.
To view the details of a test, click the linked definition OVAL Tests on the OVAL Scan page to view the
OVAL Tests page.
Click on any Description link in the OVAL Tests list to view the OVAL details. The OVAL Tests : Definition
page appears.
When OVAL tests are enabled, all of the available OVAL tests are run on the target machines.

[Figure 10-2: OVAL Test Definition page. Callouts: Definition Status; the steps used to test for the
vulnerability; click the OVAL-ID or Ref-ID for more details about a vulnerability; the computers
detected to have this vulnerability, along with the IP Address and the operating system, will be
listed here.]

OVAL Test details do not indicate the severity of the vulnerability. Use your own judgment when
determining whether to test your network for the presence of a particular vulnerability.

The table below contains an explanation of the fields found on the OVAL Tests Definition page:

Field - Description
OVAL-ID - Click the OVAL-ID to visit an external website with more details about the vulnerability. The
status of the vulnerability follows the OVAL-ID. Possible values are DRAFT, INTERIM, or ACCEPTED.
Class - Indicates the nature of the vulnerability. Possible values are: compliance, deprecated, patch,
and vulnerability.
Ref-ID - Click the Ref-ID to visit an external website for more details about the vulnerability.
Description - The common definition of the vulnerability as found on the CVE list.
Definition - Specifies the testing steps used to determine whether or not the vulnerability exists.

Table 10-3: OVAL Test Definition page fields


The table at the bottom of the page displays the list of computers in your network that contain this
vulnerability. For convenience, a printer-friendly version of this data is available.

Running OVAL Tests


The KBOX runs OVAL tests automatically, based on the schedule specified in OVAL Settings.
Because OVAL Tests take up a considerable amount of memory and CPU, they will impact the performance
of the target machines. OVAL Tests take between 5 and 20 minutes to run. Therefore, to minimize the
disruption to your users, it is best to run OVAL Tests once a week, or once a month during off hours when
your users are least likely to be inconvenienced. For example, you may want to schedule OVAL to run tests
on the Saturday of every week.
If you are running OVAL Tests periodically or if you want to obtain the OVAL test results for only a few
selected machines, you can assign a label to those machines and use the Run Now Function to run OVAL
Tests on those machines only. For more information about the Run Now Function, see “Using the Run Now
function,” on page 154.

OVAL Updates
The KBOX checks www.kace.com for new OVAL definitions every night, but you should expect new
definitions every month. If you have OVAL tests enabled, the KBOX will download new OVAL definitions to
all client machines on the next scripting update interval whenever a new package becomes available,
regardless of the OVAL schedule settings. The .zip file that contains the updates could be up to 2MB, so
use caution when enabling OVAL Tests for the computers on your network, as the size of the package
could impact the performance of users’ machines, particularly those on dialup connections.
For this reason, a good rule to follow is to only enable OVAL Tests when you want to run them. For
example, if you wanted to schedule OVAL Tests to run on January 1st, you could disable them on January
2nd, and not enable them again until close to the next time you want them to run. Any OVAL updates that
are pulled down while the OVAL Tests are disabled will be stored on the KBOX and only pushed out to the
target machines when enabled again.

OVAL Settings
You can configure OVAL scan settings using this link. You should exercise caution when applying OVAL
settings.

To specify OVAL settings:

1. Select Security | OVAL.


2. Click OVAL Settings. The OVAL Settings & Schedule page appears.
3. Specify the Configuration settings:

Enabled - Run OVAL on the target machines. Only enabled OVAL Tests will run when you want to run them.
Allow Run While Disconnected - Run OVAL on the target machines, but store test results on the target
machine until they can be uploaded to the KBOX.
Allow Run While Logged Off - Run OVAL even if a user is not logged in. With this turned off, the script
will only run when a user is logged into the machine.

4. Edit deployment settings as shown in the following table:


Deploy to All Machines - Select this check box if you want to deploy the OVAL settings to all the
Machines. Click OK in the confirmation dialog box.
Limit Deployment To Selected Labels - You can limit the deployment OVAL settings to one or more labels.
Press CTRL and click to select more than one label. Current Labels will display the current ones.
Limit Deployment To Listed Machines - You can limit deployment to one or more machines. From the
drop-down list, select a machine to add to the list. You can add more than one machine. You can filter
the list by entering filter options. Click Remove to remove the machine(s).
Supported Operating Systems - Select the operating system to which you want to limit deployment. Press
CTRL and click to select more than one operating system.
  Note: Leave this setting field as blank to deploy to all operating systems.

5. In the Scheduling area, specify the time and frequency for running OVAL:

Don’t Run on a schedule - Tests will run in combination with an event rather than on a specific date or
at a specific time. Use this option in combination with one or more of the “Also” choices below. For
example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in.
Run Every n minutes/hours - Test will run on every hour and minutes as specified.
Run Every day/specific day at ... - Test will run on the specified time on the specified day.
Run on the nth of every month/specific month at... - Test will run on the specified time on the 1st,
2nd, or any other date of each month or the selected month.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200 182
Custom Schedule This option allows you to set an arbitrary schedule using standard
cron format. For example, 1, 2, 3, 5, 20-25, 30-35, 59 23 31 12 *
* means:
On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20,
23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33,
23:34, 23:35, 23:59. The KBOX doesn’t support the extended cron
format.
Also Run Once at next Client If this option is selected, the OVAL test will run once at next client
Checkin checkin.
It is recommended to avoid this option because this option will run
tests when the user’s machine is in use. Selecting this option
could impact the machine’s performance.
Also Run at Machine Boot Up If this option is selected, test will run at machine boot up. It is
recommended to avoid this option because it will run tests when
the user’s machine is in use. Selecting this option could impact the
machine’s performance.
Also Run at User Login If this option is selected, test will run when the user logs in. It is
recommended to avoid this option because this option will run
tests when the user’s machine is in use. Selecting this option
could impact the machine’s performance.

6. Click Run Now to run the script immediately.


The Run Now button only runs tests on the machines selected in the Deployment area, specified in
steps 3 and 4 above. For more information about Run Now, see “Using the Run Now function,” on
page 154.
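
The Custom Schedule field in step 5 can be checked before it is deployed. The following is an added example, not KACE code: it expands a schedule string into the times of day it matches and reports whether its date fields can ever occur. The field order (minute, hour, day of month, month, day of week), the handling of the trailing `*` field, and the rejection of anything other than numbers, ranges, lists and `*` are assumptions, since the guide does not define what the extended format covers.

```python
import calendar
import re

# Assumed field order (not stated in the guide): minute, hour, day of month,
# month, day of week. Any further field must be "*", as in the guide's example.
FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 7))

# Only the syntax the guide's example uses: "*", a number, or a low-high range.
PLAIN_ITEM = re.compile(r"^(\*|\d{1,2}(-\d{1,2})?)$")


class ScheduleError(ValueError):
    """Raised when a schedule uses syntax or values this checker rejects."""


def expand_field(text, low, high, name="field"):
    """Expand one comma-separated field into a sorted list of integers."""
    values = set()
    for item in text.split(","):
        if not PLAIN_ITEM.match(item):
            raise ScheduleError(f"{name}: unsupported item {item!r}")
        if item == "*":
            values.update(range(low, high + 1))
            continue
        first, _, last = item.partition("-")
        start, end = int(first), int(last or first)
        if not low <= start <= end <= high:
            raise ScheduleError(f"{name}: {item!r} outside {low}-{high}")
        values.update(range(start, end + 1))
    return sorted(values)


def parse_schedule(expression):
    """Return {field name: allowed values} for a Custom Schedule string."""
    # The guide prints its list with a space after each comma; close those up
    # so that whitespace separates fields only.
    fields = re.sub(r"\s*,\s*", ",", expression.strip()).split()
    if len(fields) < len(FIELDS):
        raise ScheduleError(
            f"expected at least {len(FIELDS)} fields, got {len(fields)}")
    if any(extra != "*" for extra in fields[len(FIELDS):]):
        raise ScheduleError("fields after day of week must be '*'")
    return {name: expand_field(text, low, high, name)
            for (name, low, high), text in zip(FIELDS, fields)}


def fire_times(expression):
    """Times of day (HH:MM) at which the schedule runs on a matching date."""
    schedule = parse_schedule(expression)
    return [f"{hour:02d}:{minute:02d}"
            for hour in schedule["hour"] for minute in schedule["minute"]]


def calendar_dates(expression):
    """(month, day) pairs that exist in a leap year; an empty list means the
    date fields can never match. Day of week is not taken into account."""
    schedule = parse_schedule(expression)
    return [(month, day)
            for month in schedule["month"]
            for day in schedule["day_of_month"]
            if day <= calendar.monthrange(2008, month)[1]]


# The example string from the Custom Schedule row of the guide.
GUIDE_EXAMPLE = "1, 2, 3, 5, 20-25, 30-35, 59 23 31 12 * *"

if __name__ == "__main__":
    print(fire_times(GUIDE_EXAMPLE))
    print(calendar_dates(GUIDE_EXAMPLE))        # [(12, 31)]
    print(calendar_dates("0 2 31 2,4,6 * *"))   # [] -> the scan never runs
```

An empty result from `calendar_dates` is the case worth catching: a scan scheduled for a date that does not exist is accepted but never runs.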

Vulnerability Report
The Vulnerability Report link displays a list of all of the OVAL Tests that have been run. At a glance, you
can see which OVAL Tests failed and the number of computers that failed each OVAL test.
From the test detail view, you can see all the computers that failed that OVAL Test and you can assign a
label to those machines so that you can patch them at a later time.

To apply a label to affected machines

1. Select Security | OVAL.


2. Click Vulnerability Report. The OVAL Report page appears.
3. Select the check box beside the test you want to apply a label to.
4. Select the appropriate label under Apply label to Affected Machines from the Choose action
drop-down list.
In addition, you can search tests by making the appropriate selection under View by and View by class
options from the drop-down list.

Computer Report
The Computer Reports link offers a list of machines with OVAL results where you can see a summary of
tests run on specific computers. The label under the Machine column in the OVAL Computer Report page is
the KBOX inventory ID assigned by the Inventory module.
For more information about any of the computers on the report, click the linked machine name to go to the
computer’s Inventory Detail page.

Creating Security Policies


The KBOX 1000 Series Security Module includes several wizards that can help you create security policies
to manage the computers on your network. To view the list of available security policies you can create,
select Scripting | Security Policy. This section includes descriptions of the settings for each of the
policies you can create.
You can create policies using the policy wizard screens. After you click Save, the Scripting tab appears
where you can specify when to run the script and which machines are targeted. If you want to modify a
script that was created using one of these wizards, you can either re-edit it using the wizard or you can
edit the script in the KBOX script editor. Opening the script in the regular KBOX script editor is also a useful
way to determine exactly what actions the script performs.
Available wizards include:
Enforce Internet Explorer Settings
Enforce XP SP2 Firewall Settings
Enforce Disallowed Programs Settings
Enforce McAfee AntiVirus Settings
McAfee SuperDAT Updater
Enforce Symantec AntiVirus Settings
Quarantine Policy
Lift Quarantine Action

Enforce Internet Explorer Settings


This policy allows you to control users’ Internet Explorer preferences. You can choose to control some
preferences, while leaving others as user-defined. Policy settings that you enforce will overwrite the users’
corresponding Internet Explorer preferences. Because this script modifies user settings, you will need to
schedule it to run when the user is logged in.

To set the Internet Explorer settings policy:

1. Select Scripting | Security Policy.


2. Click Enforce Internet Explorer Settings. The Security Policy : Internet Explorer Policy appears.
3. In the User Home Page area under Internet Explorer Configurator, select the Enforce User Home
Page policy check box, then specify the URL to use as the home page.
The User Home Page policy forces the users' home pages to the specified page.

4. In the Security area, select the Enforce Internet Zone settings policy check box, then choose the
security level.
The Security zone policies allow you to specify the security level for each zone.
5. Select the Enforce Local Intranet Zone settings policy check box, then choose the security level.
6. Set the following options:
Include all local (intranet) sites not listed in other zones
Include all sites that bypass the proxy server
Include all network paths (UNCs)
7. Select the Enforce Trusted Zone settings policy check box, then choose the security level.
8. Select the Enforce Zone Map check box, then specify the IP addresses or ranges for the following
zones:
Restricted sites
Local Intranet sites
Trusted sites
The Zone Map allows you to assign specific domains and IP ranges to zones.
Note: Domains not listed default to the Internet Zone.
9. Select the Enforce Privacy settings policy check box, then set the Cookie policy.
Privacy policies allow you to control the cookies that are accepted by Internet Explorer from the
Internet Zone.
10. Select the Enforce pop-up settings policy check box, then set the following options:
Pop-up filter level
Websites to allow
11. Click Save.
The Script: Edit Detail page appears.
12. Enable and set a schedule for this policy to take effect.

Enforce XP SP2 Firewall Settings
This policy enables you to enforce firewall settings on target computers running Windows XP with Service
Pack 2. You can enforce different policies based on whether the target computer is authenticated with a
domain controller, or is accessing the network remotely, from home or through a wireless hotspot. If your
target computer has authenticated with a domain controller, it uses the Domain Policy; otherwise, it uses
the Standard Policy, which you might want to configure to impose tighter restrictions.

To set the XP SP2 Firewall settings policy:

1. Select Scripting | Security Policy.


2. Click Enforce XP SP2 Firewall settings. The Security Policy : XP Firewall Config page appears.
Two types of policies are described under the Windows XP SP2 Firewall Configurator area.
Domain Policy: This firewall policy will be used when the desktop computer has authenticated with a
domain controller. If you do not have a domain controller, use the Standard Policy configuration.
Standard Policy: This firewall policy will be used when the desktop computer has not authenticated
with a domain controller. For example, when a laptop user is at home or using a Wi-Fi hotspot. This
configuration is more restrictive than the Domain Policy.
3. In either the Domain Policy or Standard Policy areas, indicate whether Firewall is Enabled, Disabled,
or if No Policy is in effect.
If the firewall is enabled, the policy settings will override any settings the user may have set. If the
firewall is disabled, the user will not be able to enable the firewall. If the firewall is set to no policy, the
user's configuration for the firewall will be used.
The following fields are available only if you select the Enabled option for Firewall.
4. Select or clear the Enable logging check box, then specify a location and name for the log file.
By default, the log is stored in: C:\Program Files\KACE\firewall.log.
The Enable logging check box enables the firewall to log information about the unsolicited incoming
messages that it receives. The firewall will also record information about messages that it blocks as well
as successful inbound and outbound messages.
5. Select or clear the check boxes for the following settings:

Allow WMI traffic: Enables inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administration tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).
Allow Remote Desktop: Enables inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the computer to receive Remote Desktop requests.
Allow file and printer sharing: Enables inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the machine to act as a file or printer sharing server.
Allow Universal Plug-and-Play (UPnP): Enables inbound TCP traffic on port 2869 and inbound UDP traffic on port 1900. These ports are required for the computer to receive messages from Plug-and-Play network devices, such as routers with built-in firewalls.

6. To specify Inbound Port Exceptions, click Add Port Exception.
Inbound Port Exceptions enable additional ports to be opened in the firewall. These may be required
for the computer to run other network services. An inbound port exception is automatically added for
port 52230 for the KACE Client Listener, which is required to use the Run Now functionality.
7. Specify a Name, Port, Protocol, and Source for the exception.
8. Click Save.
The Script: Edit Detail page appears.
9. Enable and set a schedule for this policy to take effect.
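
When logging is enabled in step 4, the log can be compared with the options chosen in step 5 to confirm that a machine accepts inbound connections only on the ports the policy opens. The following is an added example, not KACE code: the port table comes from the settings above, while the `#Fields:` header layout, the `OPEN-INBOUND` action value and every log line are assumptions constructed for the example.

```python
from collections import namedtuple

# Ports each wizard option opens, taken from the settings table in the guide.
OPTION_PORTS = {
    "Allow WMI traffic": {("TCP", 135), ("TCP", 445)},
    "Allow Remote Desktop": {("TCP", 3389)},
    "Allow file and printer sharing": {("TCP", 139), ("TCP", 445),
                                       ("UDP", 137), ("UDP", 138)},
    "Allow Universal Plug-and-Play (UPnP)": {("TCP", 2869), ("UDP", 1900)},
}
# Added automatically for the KACE Client Listener. The guide gives no
# protocol for it, so it is matched on port number alone.
KACE_LISTENER_PORT = 52230

# Assumption: accepted inbound connections are logged with this action value.
ACCEPTED_INBOUND = "OPEN-INBOUND"

Finding = namedtuple("Finding", "when source protocol port reason")

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2009-03-02 09:14:07 OPEN-INBOUND TCP 192.0.2.10 192.0.2.55 4021 52230 - - - - - - - -
2009-03-02 09:15:31 OPEN-INBOUND TCP 192.0.2.10 192.0.2.55 4188 135 - - - - - - - -
2009-03-02 21:40:12 OPEN-INBOUND TCP 203.0.113.77 192.0.2.55 3345 3389 - - - - - - - -
2009-03-02 21:41:03 DROP UDP 203.0.113.77 192.0.2.55 1031 1900 312 - - - - - - -
2009-03-02 21:44:50 OPEN-INBOUND TCP 203.0.113.77 192.0.2.55 3391 8080 - - - - - - - -
2009-03-02 21:45:02 DROP ICMP 203.0.113.77 192.0.2.55 - - 60 - - - - 8 0 -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("#fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def permitted_ports(enabled_options, port_exceptions=()):
    """Build the set of (protocol, port) pairs the policy opens.

    port_exceptions holds the Inbound Port Exceptions as (protocol, port).
    """
    unknown = set(enabled_options) - set(OPTION_PORTS)
    if unknown:
        raise ValueError(f"unknown policy option(s): {sorted(unknown)}")
    permitted = {(proto.upper(), int(port)) for proto, port in port_exceptions}
    for option in enabled_options:
        permitted |= OPTION_PORTS[option]
    return permitted


def audit(text, enabled_options, port_exceptions=()):
    """Return accepted inbound connections that the policy does not allow."""
    permitted = permitted_ports(enabled_options, port_exceptions)
    findings = []
    for record in parse_log(text):
        if record.get("action") != ACCEPTED_INBOUND:
            continue
        protocol = record.get("protocol", "").upper()
        try:
            port = int(record.get("dst-port", "-"))
        except ValueError:
            continue  # record carries no port, for example ICMP
        if port == KACE_LISTENER_PORT or (protocol, port) in permitted:
            continue
        owners = sorted(name for name, ports in OPTION_PORTS.items()
                        if (protocol, port) in ports)
        reason = ("option not enabled in policy: " + ", ".join(owners)
                  if owners else "port not covered by policy")
        findings.append(Finding(f"{record.get('date')} {record.get('time')}",
                                record.get("src-ip"), protocol, port, reason))
    return findings


if __name__ == "__main__":
    # Policy under test: only "Allow WMI traffic" is selected.
    for finding in audit(SAMPLE_LOG, {"Allow WMI traffic"}):
        print(finding)
```

A finding means the machine accepted traffic that the selected policy should have blocked, which usually indicates that the policy script has not run on that machine or that its settings were changed afterwards.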

Enforce Disallowed Programs Settings


This policy allows you to quickly create a script that prevents certain programs from running on the target
machines. After the resulting script is executed on a target machine, these policies take effect only after
the next reboot of that machine. On Windows XP or 2000, you can add a shutdown command as the last
step of the script to force a reboot, which will enable the policy to take effect immediately.

The script created as a result of this wizard will overwrite any disallowed program
settings on the target machines.

To set the Disallowed Programs settings policy:

1. Select Scripting | Security Policy.


2. Click Enforce Disallowed Programs Settings. The Security Policy : Enforce Disallowed Programs
page appears.
3. Specify a name for the policy.
4. Select or clear the Disallow programs check box.
When checked, all disallowed programs will be prevented from running. When unchecked, all programs
will be allowed to run.
5. Add disallowed programs.
To prevent Notepad from running, for example, enter notepad.exe.
Note: You can add more than one program.
6. Click Save.
The Script: Edit Detail page appears.
7. Enable and set a schedule for this policy to take effect.

Enforce McAfee AntiVirus Settings
This policy allows you to configure selective McAfee VirusScan features to be installed on all computers.
This policy works with McAfee VirusScan version 8.0i and verifies that the software is installed with the
configuration you specify here. It also confirms that the On Access Scanner (McShield) is running.
You will need to zip the McAfee VirusScan installation directory and upload it here. A Software Inventory
item will be created automatically if it does not already exist.

To set the McAfee AntiVirus settings policy:

1. Zip the McAfee VirusScan installation directory.


2. Select Scripting | Security Policy.
3. Click Enforce McAfee AntiVirus Setting. The Security Policy : McAfee Policy Enforcement page
appears.
4. Click Browse to search for the McAfee zip file.
5. Use the User Interaction drop-down list to specify how the installation should appear to your users.
For a description of the available options, refer to the McAfee documentation.
6. Select the McAfee AntiVirus features to install.
Press CTRL and click to select multiple features. To install the Alert Manager, use the McAfee tools to
include the Alert Manager installation files in the deployment package. Please consult the McAfee
documentation for specific information about the features available here.
7. Select or clear the following check boxes:
Enable On Access Scanner
Lockdown VirusScan Shortcuts
Preserve earlier version settings
Remove other anti-virus software
8. Specify the location on the target machine where the following files will be installed:
McAfee installation
Alert Manager
SITELIST.XML
Desktop Firewall
EXTRA.DAT
9. Select the information you want to log. Press CTRL and click to select multiple log items.
10. Enter a filename for the log.
11. Enter any additional arguments.
12. Select the appropriate reboot option from the drop-down list.
13. Enter the behavior following installation. Select appropriate options for AutoUpdate and Scan from
the drop-down lists.
14. Click Save. The Script: Edit Detail page appears.
15. Enable and set a schedule for this policy to take effect.

McAfee SuperDAT Updater
This policy allows you to build a script for applying McAfee SuperDAT or XDAT updates. There are several
steps involved in creating this script:
Specifying the update files and reboot behavior on the target machines
Selecting the software package(s) to push to target machines during update
Verifying network scan status

To create the McAfee update script:

1. Select Scripting | Security Policy.


2. Click McAfee SuperDAT Updater. The Security Policy: McAfee SuperDAT Configurator page appears.
3. Enter a file name and then click Browse to search for the SDAT or XDAT file.
4. Set update options:

Install Silently: This option causes the update to be installed without showing a UI on the target computers.
Prompt for Reboot: Use this option to make the update prompt the user before rebooting. Use this option with the "Install Silently" option.
Reboot if Needed: This option causes the update to reboot the machine as needed. If this option is not used, a silent installation will not reboot the machine.
Force Update: Use this option to always update all file versions, even if the machine already appears to have the latest versions.

5. Click Save.
The Script: Edit Detail page appears.
6. Enable and set a schedule for this policy to take effect.

Enforce Symantec AntiVirus Settings


This policy allows you to configure which Symantec AntiVirus features are installed. It verifies that the
software is installed with the configuration you specify here. This policy is intended to be run periodically
to ensure that Symantec AntiVirus is installed, configured, and running properly, not only upon initial
installation.

You will need to create a Software inventory item and upload the Symantec
AntiVirus.msi file to be distributed.

To set the Symantec AntiVirus settings policy:

1. Select Scripting | Security Policy.


2. Click Enforce Symantec AntiVirus Settings. The Security Policy: Symantec AntiVirus page appears.

3. Specify the Action to perform.
Install
Uninstall
Repair missing files
Reinstall all files
4. Select the software package to use for this script.
5. If the software package is zipped, enter the MSI file name.
6. Use the User Interaction drop-down list to specify how the installation should appear to your users.
7. Specify the install directory.
8. Specify any additional switches.
9. Specify any additional properties.
10. Specify behavior after installation.
11. Select the information you want to log.
Press CTRL and click to select multiple items.
12. Enter a filename for the log.
13. Select a NETWORKTYPE from the Network Management drop-down list.
14. Specify the server name, if required. This field is mandatory if you select Managed from Network
Management drop-down list.
15. Set the AutoProtect option.
16. Set the Disable SymProtect option.
17. Set the Live Update behavior.
18. Select the features you want to install.
Press CTRL and click to select multiple items. Please consult the Symantec documentation for specific
information about the options available here.

You must include the SAVMain feature for this script to work properly, although this
wizard does not enforce that.

19. Click Save. The Script: Edit Detail page appears.


20. Enable and set a schedule for this policy to take effect.

You should look at the script that is generated by this wizard to make sure it is
doing what you expect. You can view the raw script by clicking the “To edit the policy
using this editor, click here” link on the Script detail page.

Quarantine Policy
Use this wizard to create a script that you can use to quarantine computers. The script that is created as a
result of this wizard is merely a template. Use the script editor to modify the template script and add the
appropriate verification steps to decide which computers to quarantine.

When a computer is under quarantine, all communication from it is blocked except for communication to
the KBOX Server, so use care when performing this action. If you were to deploy this accidentally to
all machines on your network, you could take your network down very quickly.
After a user’s machine is in quarantine, the quarantine cannot be reversed without intervention by the KBOX
administrator. The user will not be able to recover from this without you taking some action. Quarantined
computers only have access to the KBOX Server in order to receive a Run Now event to lift the quarantine.

To set the Quarantine policy:

1. Select Scripting | Security Policy.


2. Click Quarantine Policy. The Security Policy: Quarantine page appears.
3. Specify a Policy Name.
This field is optional. It could be helpful to assign a meaningful name that relates to the vulnerability so
that you can lift the quarantine later once that vulnerability is resolved.
4. Leave the KBOX SERVER IP unchanged.
5. Specify the DNS Server IP address.
6. Modify the Message dialog text as required.
This message is displayed to users prior to placing their computer in quarantine.
7. Modify the description text as required.
8. Click Save.
The Script: Edit Detail page appears.
9. Enable and set a schedule for this policy to take effect.
Modify the Verify steps to determine the conditions under which you want the quarantine to take
effect. Although it will not be enabled automatically, it will be configured to deploy to everyone. For
more information on how to modify the verify steps, refer to Chapter 8, “Adding Scripts,” starting on
page 145.
For example, you can add a step under verify, to check whether the file KBOXClient.exe exists on the
target machine.
You can define a log message, create a message window or launch a file. The file kbq2.exe will be
launched for quarantine.

Lift Quarantine Action


Assuming you have a machine that has been quarantined from the network using the KBOX Quarantine
application, you can use this to turn off the quarantine.

To set the Lift Quarantine Action policy:

1. Select Scripting | Security Policy.


2. Click Lift Quarantine Action. The Security Policy: Lift Quarantine Action page appears.
3. Select the label under Labeled Computers area for the quarantined machines or select the specific
machine under Specific Computer(s) area to remove the quarantine.
You can filter the machine list by entering any filter options.
4. Click Send Lift Quarantine Now.

If there are a lot of computers in quarantine, it will take some time for all of them to receive and process
the request.

CHAPTER 11

User Portal and Help Desk

The KBOX Help Desk provides an online area for you to upload
software libraries, support documents, and other self-help tools.
The optional KBOX Help Desk Module adds the ability to create,
track, and manage Help Desk tickets.

“Overview of the User Portal,” on page 194


“Understanding the Software Library feature,” on page 195
“Using the Knowledge Base,” on page 197
“Managing Users,” on page 199
“Roles,” on page 203
“Overview of the Help Desk Module,” on page 206
“Helpdesk Queues,” on page 207
“Customizing Help Desk fields,” on page 210
“Help Desk E-mail Customization,” on page 213
“Ticket Rules,” on page 214
“Creating and Editing Help Desk Tickets,” on page 217
“Managing Help Desk Tickets,” on page 221
“Running Help Desk Reports,” on page 223

Overview of the User Portal
The User Portal enables the users to download software, run scripts, have software installed for them
automatically, track computer info, and view a record of what they have downloaded. You can log onto the
User Portal by visiting the root URL of the KBOX machine name (for example, http://kbox/). Although
users can access the User Portal even if they do not have KBOX Agent installed on their machine, they will
not be able to run installations or scripts. The User Portal is administered from the User Portal tab.
If you have purchased the optional KBOX Help Desk Module, additional tabs or options are added to the
ones described below. For more information about using the features added by the Help Desk Module, see
“Overview of the Help Desk Module,” on page 206.

End User View of the User Portal


The tabs listed here are displayed by default. They can be turned on or off depending on the role of the user
viewing the User Portal. For details on how to change roles, refer to “Creating and Editing Roles,” on
page 204.
The end-user view of the User Portal displays the following tabs:
Welcome—Users enter login credentials from this screen.
Software Library—Displays available software for download or automatic install.
My Computer—Displays status information about the user’s computer.
License Keys—Lists license information for installed software, as available.
Help Desk—Users create or edit a Help Desk ticket using this tab.
Knowledge Base—Provides access to Knowledge Base articles authored by the administrator.
Download Log—Displays a log of software downloaded and installed on the user’s computer.
Users can also filter the views for Software Library or Knowledge Base by using keywords to narrow their
search.

Administrator View of the User Portal


As an administrator logged into the administrator UI, you can create and push packages, define
Knowledge Base articles, and specify which users can connect to the User Portal.
The User Portal tab displays the following tabs:
Software Library—Packages can be scripts, software packages, documentation, or other media.
Knowledge Base—Knowledge Base articles include software notices, instructional content, IT
reference documentation, self-help information, and any other specific content intended for the end
users.
Users—This user information is used to authenticate users of the KBOX Help Desk. Users can be
"tagged" with labels in order to define which packages they can access through the portal.
Roles—Roles are used for setting permissions for each user on different tabs in the Administrator
Console and the User Portal.
The sections that follow will focus on the administrator view of the User Portal and describe the process to
create packages and Knowledge Base articles. It also describes managing user access to the User Portal.

Understanding the Software Library feature
Software libraries are deployed to end users via the KBOX User Portal. This "self service" portal allows
individuals to download and install software or documents on their own in a controlled environment. The
software libraries you create from the Software Library tab are available for download on the Software
Library tab of the User Portal.
From the Software Library tab you can create or delete software libraries, sort them by label or
column header, and search for them using keywords.

Creating a software library to deploy


The Software Library tab allows you to specify the components of the software library you want to make
available to your end users; it does not allow you to upload software or author scripts. Any software or
scripts that you want to include in a software library must already exist on the KBOX Software Inventory or
Scripting tabs.
Along with the software library, you can choose to post cost information, documentation, or other
instructions for your users. Any notifications that you have configured will be mailed at the time of user
download. You can also restrict access to a software library by specifying a label.

To create a package:

1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the
optional Help Desk Module installed.
2. In the Choose action drop-down list, select Add New Item. The Software Library : Edit Detail
screen appears.
3. Select or clear the Enabled check box.
Select this box to make the software library visible to users on the Help Desk.
4. Specify the Package Type under the Software Choice section:

Download: Select this type to include documentation, files, or other software that does not automatically install.
Install: Select this type to select software that will install automatically on the user’s machine. The user must have the KBOX Agent installed to run installations.
Script: Select this type to select a script to include in the software library. The user must have the KBOX Agent installed to run scripts.

5. From the Package Type drop-down list, choose the software to install. You can filter the list by
entering any filter options in the Filter box.
6. Specify the information to include with your package under the User Portal Page Details section:

Installation Instructions: Specify the installation instructions. Any defined instructions, legal policy, cost information, and so on, are posted along with the portal package for user visibility.
Product Key: Specify the product key that is specified in the Asset Detail page in Asset | Assets for Assets of License type.
E-mail Product Key to User: Select this option if you want to send download instructions at the time of user download.
Request Mgr Notification: Select this option to require users to enter their manager’s mail address for notification prior to downloading or installing the software library.

7. If you select the Install package type, specify the command line to run the installation, including any
necessary install switches or other parameters.

Note that users must have the KBOX Agent installed on their machines in order to run
the installations or scripts.

8. If you selected the Script package type, choose the script from the Script drop-down list.
9. Type any notes in the Additional Notes field.
10. Specify the following information, as necessary.

Corporate License Text: Enter any text related to the Corporate License.
Vendor License Text: Enter any text related to the Vendor License.
Unit Cost: Enter the cost per unit.
Documentation File: Browse to the desired documentation file. The Documentation File size is displayed after the file is selected.

11. If desired, select a label from the Limit Access To User Labels list to limit software library
deployment to specific users.
12. Select the Also Restrict By Machine Label check box to restrict software library deployment by
machine label.
13. Click Save.

A major benefit of the Help Desk is that it provides your users with the resources they
need to solve many of the most common support issues on their own, thus alleviating
some of the burden on your support staff. Be sure to provide adequate information to
your users so that you, and they, can experience the full benefit of this feature.

To apply a label to a package:

1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the
optional Help Desk Module installed.
2. Select the check box beside the user(s) you want to apply a label to.
3. Select the appropriate label under Apply Label from the Choose action drop-down list.

To remove a label from a package:

1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the
optional Help Desk Module installed.
2. Select the check box beside the user(s) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

To delete a package:

1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the
optional Help Desk Module installed.
2. To delete a package, select the check box beside the package and choose Delete Selected Item(s)
from the Choose action drop-down list.
3. Click OK to confirm deletion.

Using the Knowledge Base


The Knowledge Base allows you to provide documentation, FAQs, or other self-help information for your
users. If you purchased the optional Help Desk Module, the Knowledge Base integrates with the Tickets
feature to enable users to resolve their own issues. For more information, see “Creating and Editing Help
Desk Tickets,” on page 217.
Users can sort the articles by Article ID, Title, Category, Platform, or Importance. They can search article
contents by using keywords.

Adding Knowledge Base Articles


Knowledge base articles are published to the KBOX Help Desk where users can search and sort articles to
locate the information they require.

If you have the optional Help Desk Module installed, you can also create a new
Knowledge Base article from the comments in a Ticket by clicking the Create KB
article button on the Ticket Detail page. For more information, see “Creating and
Editing Help Desk Tickets,” on page 217.

To add an article to the Knowledge Base:

1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the
optional Help Desk Module installed.
2. Select Add New Item from the Choose action drop-down list. The Knowledge Base: Edit Article
page appears.
3. Enter the following article information:

Title: A specific description of the issue covered in the article. Make the title as descriptive as possible and use common terms so that it will be easy for an end-user to locate information about a problem.
Category: A general description of the type of issue (for example, “printing” or “network access”).
Platform: The operating systems to which this article applies.
Importance: The relative relevance of the article’s contents (for example, “reference” or “low”; or “critical” or “high”).
Use Markdown: Select this check box to use Markdown. Markdown is a plain text formatting syntax, and a software tool, written in Perl, that converts the plain text formatting to HTML. Markdown is a text-to-HTML filter; it translates an easy-to-read/easy-to-write structured text format into HTML. Markdown's text format is most similar to that of plain text e-mail, and supports features such as headers, *emphasis*, code blocks, block quotes, and links.
Examples of sample formatting if the Use Markdown check box is selected:
*normal emphasis with asterisks* is displayed with normal emphasis.
**strong emphasis with asterisks** is displayed with strong emphasis.
This is some text *emphasized* with asterisks. is displayed with the word “emphasized” in emphasis.
For more information about markdown, see http://daringfireball.net/projects/markdown/
Limit Access To User Labels: Select the labels you want to limit access to.
Article Text: Enter any text about the article.
Note: You can include external links to web pages by using href for that link. For example, <a href="http://www.kace.com/">Visit KACE!</a>
You can include images by using src. For example, <img src="http://www.kace.com/img/nav/new/4_27_06/logo.gif">

4. Click Browse to add any attachment, if required.


5. Click Save.
The KBOX assigns the article an Article ID and displays it on the Knowledge Base Articles List page.

To see how the article appears to your users on the Help Desk, click on the article’s title,
and then click the User URL on the Edit Article page.

Editing and Deleting Knowledge Base Articles


You can easily modify or remove existing Knowledge Base articles. There are two options for deleting
articles:
Using the Articles List page
Using the Edit Article page

To edit an existing Knowledge Base article:

1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the
optional Help Desk Module installed.
2. Click the linked article title. The Knowledge Base: Edit Article page appears.
3. Click the [Edit] link to update the article details.
4. Modify article details, then click Save.

To delete an article from the Articles List page:

1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the
optional Help Desk Module installed.

2. To delete an article, select the check box beside the article and choose Delete Selected Item(s)
from the Choose action drop-down list.
3. Click OK to confirm deletion.

To delete an article from the Article Edit page:

1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the
optional Help Desk Module installed.
2. Click the linked article title. The Knowledge Base: Edit Article page appears.
3. Click the [Edit] link, then click Delete.
4. Click OK to confirm deletion.

Managing Users
When logged in as an administrator, you can add users to the User Portal or Help Desk either manually or
automatically. Depending upon the permissions assigned to the users logged into the Help Desk, all or only
a subset of the Help Desk features may be available. When adding users to the Help Desk, be sure to
specify the correct user permission level.

Adding Users Manually


When adding users to the KBOX, you can tag them with a label, which determines which packages they
can access in the Help Desk. The details that you enter below are used to authenticate users.

To add users manually:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. In the Choose action drop-down list, select Add New Item. The User : Edit User Detail page
appears.
3. Enter the necessary user details. Do not specify illegal characters in any field.

User Name Enter the name the user will use to access Help Desk. This is a mandatory field.
Full Name Enter the user’s full name. This is a mandatory field.
Email Enter the user’s e-mail address. This is the address to which Help Desk messages,
if enabled, will be sent. This is a mandatory field for Help Desk installations.
Domain Enter an active directory domain. This is an optional field.
Budget Code Enter the financial department code. This is an optional field.
Location Enter the name of a site or building. This is an optional field.
Work Phone Enter the user’s work phone number. This is an optional field.
Home Phone Enter the user’s home phone number. This is an optional field.
Mobile Phone Enter the user’s mobile phone number. This is an optional field.
Pager Phone Enter the user’s pager phone number. This is an optional field.

Custom 1, Custom 2, Custom 3, Custom 4 Enter information in the custom fields if necessary. This is an optional field.
Password Blank or empty passwords are not valid for new users. The user will be created
but the user cannot be activated without a valid password. This is a mandatory
field.
Confirm Password Retype the user’s password. This is a mandatory field.
Assign To Label Select the labels to assign.
Role This is a mandatory field. Enter the user’s role:
Admin—This user role can log on and access all the features of the
administrator UI and User Portal or Help Desk. This role is selected by
default. The users can log on to the Help Desk, only if they have the
optional Help Desk Module installed.
ReadOnly Admin—This user role can log on, but cannot modify any settings
in the administrator UI and User Portal or Help Desk. The users can log on
to the Helpdesk, only if they have the optional Help Desk Module installed.
User—This user role can log on only to the User Portal or Help Desk. The
users can log on to the Helpdesk, only if they have the optional Help Desk
Module installed.
Login Not Allowed—This user cannot log on to the User Portal or Help Desk.

Note: The roles listed above are system provided roles and are not editable. To
create a new role, refer to “Roles,” on page 203.
Lock user out of User Portal Select this check box to lock the user out of the User Portal.
Allowed to be assigned Help Desk Tickets Required for Help Desk installations. Select this check box to permit any user
(Admin, ReadOnlyAdmin, or User) to be assigned as owner of Help Desk tickets.

4. To assign users as owners of help desk tickets, go to the Helpdesk Queues page. For more information on
help desk queues, refer to “Helpdesk Queues,” on page 207.
5. Click Save. The Users page appears.

To apply a role to a user:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. Select the check box beside the user(s) you want to apply a role to.
3. Select the appropriate role to apply from the Choose action drop-down list.

To apply a label to a user:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. Select the check box beside the user(s) you want to apply a label to.

3. Select the appropriate label under Apply Label from the Choose action drop-down list.

To remove a label from a user:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. Select the check box beside the user(s) you want to remove the label from.
3. Select the appropriate label under Remove Label from the Choose action drop-down list.

To delete a user:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. To delete users, do one of the following:
From the Users List view, select the check box beside the user, then select Delete Selected
Item(s) from the Choose action drop-down list.
From the User : Edit User Detail page, click Delete.
3. Click OK to confirm deleting the selected user.

To change the password:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. Click the user name whose password you want to change. The User : Edit Detail page appears.
3. Modify the password as follows:

Password Blank or empty passwords are not valid for new users. The user will be created
but the user cannot be activated without a valid password. This is a mandatory
field.
Confirm Password Retype the user’s password. This is a mandatory field.

4. Click Save to save the changes.

Adding Users Automatically


Rather than setting up users individually on the Users tab, you can configure the KBOX to access a
directory service (such as LDAP) for user authentication. This allows users to log into the KBOX
Administrator portal using their domain username and password, without requiring you to add users
individually from the Users tab. For more information on user authentication, refer to “User
Authentication,” on page 249.

Importing Users
You can import Users and Labels directly from your LDAP or Active Directory system into KBOX.

To import users:

1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module
installed.
2. In the Choose action drop-down list, select Import Users. The User : Import page appears.

3. Specify the LDAP Server Details in the Choose attributes to import section:

LDAP Server Enter the IP address or host name of the LDAP server.
Note: For connecting through SSL, use the IP or the Host Name,
as ldaps://HOSTNAME
If you have a nonstandard SSL certificate installed on your LDAP
server such as an internally-signed or a chain certificate not from
a major certificate provider such as Verisign, contact KACE
Support for assistance before proceeding.
LDAP Port Enter the LDAP port number: either 389 or 636 (LDAPS).
Search Base DN Enter the Search Base DN.
For example:
CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter Enter the Search Filter.
For example: (samaccountname=admin)
LDAP Login Enter the LDAP login.
For example:
LDAP Login:
CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com
LDAP Password Enter the password for the LDAP login.

4. Specify the attributes to import:

Attributes to retrieve Enter the attributes to retrieve. For example, samaccountname
Note: You can leave this field blank to retrieve all attributes, but
this may be slow and is not recommended.
Label Attribute Enter a label attribute. For example, memberof.
Label Attribute is the attribute on a customer item that returns a
list of groups this user is a member of. The union of all the label
attributes will form the list of Labels you can import.
Label Prefix Enter the label prefix. For example, ldap_
Label Prefix is a string that is added to the front of all the
labels.
Binary Attributes Enter the Binary Attributes. For example, objectsid.
Binary Attributes indicates which attributes should be treated as
binary for purposes of storage.
Max # Rows Enter the maximum rows. This will limit the result set that is
returned in the next step.
Debug Output Select the check box to view the debug output in the next step.

5. If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP
Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP
Browser Wizard,” on page 245.
6. Click Next.
7. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP
server into the User record on the KBOX. The fields in red are mandatory. The LDAP Uid must be a
unique identifier for the user record.
8. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays
all the Label Attribute values that were discovered in the search results.
9. Click Next.
10. Review the information displayed in the tables below. The Users to be Imported table displays the list of
users reported and the Labels to be Imported table displays the list of labels reported. The Existing
Users table and the Existing Labels table display the list of Users and Labels that are currently on the
KBOX. Only users with an LDAP UID, User Name, and E-mail value will be imported. Any records that do
not have these values are listed in the Users with invalid data table.
11. Click Next to start the import.
This user can log on to and access all features of the administrator UI and User Portal or Help Desk. He
can log on to the Helpdesk, only if you have the optional Help Desk Module installed.
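
The review in step 10 can be rehearsed offline on an export of the directory search before running the import. The following Python is an added example, not KBOX code: it applies the rules stated above (LDAP UID, User Name and E-mail required; labels formed from the union of the Label Attribute values with the Label Prefix in front) to constructed entries. The field keys, the sample entries and the separate reporting of repeated UIDs are assumptions of this example.

```python
# Added example: models the review step (step 10) of the LDAP user import.
# Field keys such as "ldap_uid" are hypothetical names for the KBOX user fields.

REQUIRED = ("ldap_uid", "user_name", "email")  # values the guide requires for import


def first_value(entry, attr):
    """Return the first non-blank value of a multi-valued LDAP attribute, else None."""
    for value in entry.get(attr, []):
        if value and value.strip():
            return value.strip()
    return None


def plan_import(entries, mapping, label_attribute, label_prefix):
    """Sort search results into the groups an administrator reviews before importing.

    entries: list of dicts, attribute name -> list of string values
    mapping: KBOX user field -> LDAP attribute (the choice made in step 7)
    """
    plan = {"importable": [], "invalid": [], "duplicate_uid": [], "labels": set()}
    seen_uids = set()
    for entry in entries:
        # Labels are the union of the label attribute over ALL search results,
        # each with the prefix added to the front.
        for group in entry.get(label_attribute, []):
            plan["labels"].add(label_prefix + group)

        record = {field: first_value(entry, attr) for field, attr in mapping.items()}
        missing = [field for field in REQUIRED if not record.get(field)]
        if missing:
            plan["invalid"].append((record, missing))
            continue

        # The guide requires the LDAP Uid to be unique. How the appliance treats a
        # repeat is not documented, so this example only reports it (assumption:
        # comparison is case-insensitive, as sAMAccountName is in Active Directory).
        key = record["ldap_uid"].casefold()
        if key in seen_uids:
            plan["duplicate_uid"].append(record)
            continue
        seen_uids.add(key)
        plan["importable"].append(record)

    plan["labels"] = sorted(plan["labels"])
    return plan


# Constructed sample search results (example.com is a placeholder domain).
SAMPLE_ENTRIES = [
    {"samaccountname": ["alice"], "mail": ["alice@example.com"],
     "displayname": ["Alice Example"],
     "memberof": ["CN=HelpDesk,OU=Groups,DC=example,DC=com",
                  "CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"samaccountname": ["bob"], "displayname": ["Bob Example"],     # no mail
     "memberof": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    {"samaccountname": ["svc-backup"], "mail": ["  "]},              # blank mail
    {"samaccountname": ["ALICE"], "mail": ["alice2@example.com"]},  # repeated uid
]

SAMPLE_MAPPING = {"ldap_uid": "samaccountname", "user_name": "samaccountname",
                  "email": "mail", "full_name": "displayname"}

if __name__ == "__main__":
    result = plan_import(SAMPLE_ENTRIES, SAMPLE_MAPPING, "memberof", "ldap_")
    for name in ("importable", "invalid", "duplicate_uid", "labels"):
        print(name, "->", result[name])
```

Service accounts without a mail attribute show up in the invalid group here, which is a quick way to confirm that the Search Filter is not pulling in accounts that should never become Help Desk users.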

Roles
Roles are assigned to each user to limit access to different tabs in the Administrator Console and the User
Portal. You can restrict the tabs that are displayed when the administrator logs in to the
Administrator Console and the user logs in to the User Portal.
Following are the permissions that can be applied for each tab.
Write:
The user will have write access for the tab. The administrator or user will be able to edit the fields
present on the screen.
Read:
The organization will have only read access for the tab. The administrator or user will not be able to
edit the fields present on the screen. He/she will not be able to add / edit / delete any item present
in the list.
Hide:
The tab will be hidden and the administrator or user will not be able to view that tab.

Creating and Editing Roles
You can create new roles or edit the existing roles from the Roles page by going to Help desk | Roles
tab. It is recommended that you first create the roles, since it is required to specify the role while creating
users.

To create a role:

1. Select Help desk | Roles. The User Roles page appears.


2. Select Add New Item from the Choose action drop-down list. The User Role : Edit Detail page
appears.
3. Enter the Role information as follows:

Record Created The date and time when the Role was first created. This is a Read-only field.
Record Last Modified The date and time when the Role was last modified. This is a Read-only field.
Role Name Enter a name for the role. This is a mandatory field.
Description Enter the description for the role.

4. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All]
link to expand all the tabs.
5. Under each tab, click the All Write option, All Read option or the All Hide option to assign the
respective permission to all the sub tabs. Or click the Custom option to assign the appropriate
permission to individual sub tabs.
6. If you click the Custom option, select the appropriate permission from the drop-down list next to each
tab.
7. Under Permissions USER Console, click the UserUI link to expand it.
8. Under each tab, click the All Write option, All Read option, or the All Hide option to assign the
respective permission to all the sub tabs. Or click the Custom option to assign the appropriate
permission to individual sub tabs.
9. If you click the Custom option, select the appropriate permission from the drop-down list next to each
tab.
10. Click Save.

If you assign READ permission to General Settings and User Authentication under
Settings, then all other settings (AMP Settings, Network Settings, Security Settings and
Date & Time Settings) will also have READ permission.
If you assign HIDE permission to General Settings and User Authentication under
Settings, then the Control Panel tab is hidden.

From KBOX 1000 Release 4.3 onwards, you can set and edit the permissions of users
on Virtual Kontainers tab from the User Role: Edit detail page.

To edit a role:

1. Select Help desk | Roles. The User Roles page appears.


2. Click the linked name of the role. The User Role : Edit Detail page appears.
3. Scroll down and click the [Edit Mode] link.
4. Edit the role details:

Record Created The date and time when the Role was first created. This is a Read-only field.
Record Last Modified The date and time when the Role was last modified. This is a Read-only field.
Role Name Enter a name for the role. This is a mandatory field.
Description Enter the description for the role.

5. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All]
link to expand all the tabs.
6. Under each tab, click the All Write option, All Read option or the All Hide option to assign the
respective permission to all the sub tabs. Or click the Custom option to assign the appropriate
permission to individual sub tabs.
7. If you click the Custom option, select the appropriate permission from the drop-down list next to each
tab.
8. Under Permissions USER Console, click the UserUI link to expand it.
9. Under each tab, click the All Write option, All Read option or the All Hide option to assign the
respective permission to all the sub tabs. Or click the Custom option to assign the appropriate permission
to individual sub tabs.
10. If you click the Custom option, select the appropriate permission from the drop-down list next to each
tab.
11. Click Save.

To delete a role:

1. To delete a role, do one of the following:


From the User Roles page, select the check box beside the role, then select Delete Selected
Item(s) from the Choose action drop-down list.
From the User Role : Edit detail page, click Delete.
2. Click OK to confirm deleting the role. Else, click Cancel to cancel the deletion.

To duplicate a role:

1. Select Help desk | Roles. The User Roles page appears.


2. Click the role you want to duplicate. The User Role : Edit Detail page appears.
3. Scroll down and click the [Edit Mode] link.
4. Click Duplicate to duplicate the role details. The page refreshes.
5. Enter the Role information as follows:

Name Enter a name for the role. This is a mandatory field.


Description Enter the description for the role.

6. Click Save.

Overview of the Help Desk Module


The optional KBOX Help Desk Module provides a ticket submission, tracking, and management system that
allows you to solve problems in real time. The KBOX Help Desk Module provides integrated access with
KBOX capabilities for hardware and software inventory, software deployment, updates and patching,
remote control, and alerting and reporting. Upon installation, you can customize the Help Desk settings
according to the needs of your organization.
The Help Desk Module adds the following tabs to the administrator view of the Help Desk:
Tickets—Provides a list view of tickets submitted for users, and allows Help Desk users to assign,
resolve, or escalate tickets based on user profile
Configuration—Allows administrators to customize the Help Desk displayed to users
If you do not have the optional Help Desk module installed, you will not see these tabs.
The Help Desk Module provides permissions-based access to the features and functions needed by a
particular user.
The Tickets tab of the Help Desk provides a way for end-users to submit and track Help Desk tickets. In addition
to creating new tickets, users can search for Knowledge Base articles that might help them to resolve
support issues on their own.
From the Tickets tab users can:
Create Help Desk tickets
View tickets that they have submitted
Search for tickets using keywords and advanced methods

If the end-user also happens to be a support technician and you have given the permission to own Help
Desk tickets as well as assigned a label to the user (see “Managing Users,” on page 199), this user is known
as a Help Desk user.
Users who are also Help Desk users (i.e., they can be assigned Help Desk tickets), can perform these
additional functions:
Delete Help Desk tickets
By default, view unassigned tickets and additions to tickets assigned to them, and view other tickets by
using the View by owner drop-down list
Change a ticket’s status, priority, or owner
The Help Desk users do not need Administrator rights on the KBOX. They can manage all their Help Desk
ticket activities via the user portal available at http://kbox.
Note: The Help Desk users need Administrator rights if they have to deploy software or run reports.

Administrators can create, modify, and manage Help Desk tickets from the Tickets tab in the Administrator
UI. Administrators can also use the security, scripting, and distribution features to resolve Help Desk
tickets, then use the Knowledge Base to create the documentation that references the resolution for users.

From the Tickets tab, administrators can:
Create or delete Help Desk tickets
Sort the Ticket view by owner or submitter, summary, priority, or status
Change a ticket’s status, priority, or owner

Helpdesk Queues
Helpdesk Queues allow you to partition the helpdesk for use by different groups. Each queue can be configured
independently. Queues can have separate custom fields, e-mail addresses, ticket defaults, and so on.

To add a new helpdesk queue:

1. Select Help Desk | Configuration. The Helpdesk Queues page appears.


2. Select Add New Item from the Choose action drop-down list. The New Queue page appears.
3. Enter the Queue information as follows:

Name Enter a name for the queue. This is the name that is displayed in the
From field when users receive e-mails from the Help Desk.
Email Address Enter the e-mail address used to send e-mail to and from the Help
Desk.
Note: Specify an e-mail address that is not used by any other help
desk queue, as each queue must have a unique e-mail address.
Alt. Email Address Enter the alternate e-mail address to which users can submit Help
Desk tickets.

4. Click Save. The Help Desk Configuration page appears.


From the Help Desk Configuration page, you can configure a variety of settings including the support mail
address, defaults for ticket submission fields, and which events trigger mail alerts and to whom they are
sent. This section describes how to configure basic Help Desk Settings only. To customize the default
values for the options here, see “Customizing Help Desk fields,” on page 210.

Field(s) Description

Name Enter the name for the Help Desk.
Email Address Enter the e-mail address used to send e-mail to and from the Help Desk.
Ticket Defaults Determines the default ticket values for tickets. To customize these options, click
Customize These Values. For more information see “Customizing Help Desk fields,” on
page 210.
Email on Events These check boxes determine who gets e-mail when tickets are changed or escalated.
Note that "Any Change" overlaps with the "Owner Change" and "Status Change"
events, but it does not include ticket escalations.

Table 11-1: Help Desk Configuration fields


5. Scroll down and click the [Edit Mode] link.

6. The Name field displays the name that is displayed in the From field when users receive e-mails from
the Help Desk. This field retains the information you specified in the previous page. You can modify the
name if required.
7. The Email Address field displays the e-mail address to which users can submit Help Desk tickets. This
field retains the information you specified in the previous page. You can modify the e-mail address if
required.
8. In the Alt. Email Address field, specify the alternate e-mail address to which users can submit Help
Desk tickets.
9. Select the Allow all users as submitters check box to allow all users to submit tickets to this queue.
You can limit the submitters to a queue by user label. Press CTRL and click labels from the Restrict
Submitters By Label list, to select more than one label.
10. You can assign ticket owners by label. Press CTRL and click labels from the Ticket Owners By
Label list, to select more than one label. The users in that label can be assigned as the owners of Help
Desk tickets.
11. Select the Accept email from unknown users check box to accept e-mails from unknown users.
12. In the Ticket Defaults area, specify the following settings:

Category Enter the default category for tickets. Options include Software, Hardware, Network,
and Other.
Status Enter the default status for tickets. Options include New, Opened, Closed, and Need
More Info.
Impact Enter the default impact for tickets. Options include Many people can’t work, Many
people inconvenienced, 1 person can’t work, and 1 person inconvenienced.
Priority Enter the default priority for tickets. Options include Low, Medium, and High.

13. In the E-mail on Events area, specify to whom, and under what circumstances, e-mails should be
sent:
Recipients:
Owner - The Help Desk user assigned to the ticket
Submitter - The user who submitted the ticket
Ticket CC - The e-mail recipients listed in the CC area of the ticket
Category CC - The e-mail recipients listed in the CC List area for the Ticket Category.
Events:
Any Change - Any change to any field on the ticket.
Owner Change - A change to the owner field on the ticket. By default, e-mails are sent to the old
and new owners of the ticket.
Status Change - A change to the status field on the ticket.
Comment - A comment on the ticket.
Resolution Change - A change to the Resolution field on the ticket.
Escalation - The ticket enters escalation based on the configured settings. For more information,
see “Understanding the Escalation Process,” on page 221.
Satisfaction Survey - Indicate whether you want to send an e-mail requesting that the submitter
complete a satisfaction survey when the ticket is closed. For more information, see “About the
Satisfaction Survey,” on page 222.

New Ticket Via Email - Select this check box for an e-mail notification on a new ticket.
14. Click Save.

Customizing Help Desk fields
Where the basic Help Desk configuration page allowed you to set default values for the various drop-down
lists in the Help Desk fields, the Customization page allows you to customize the values that appear in
those drop-down lists, as well as add up to six custom fields.

To access the Help Desk Customization page:

1. Select Help Desk | Configuration. The Helpdesk Queues page appears.


2. Click a queue name. The Help Desk Configuration page appears.
3. Click the [Customize These Values] link. The Help Desk Customization page appears.

To customize Category Values:

1. In the Category Values area, click the icon beside a category value to modify it. Editable fields
appear for that value.
2. Edit the Category Values fields:

Name Enter the name for the value.


Default Owner Assign a default owner for tickets of this category.
CC List Enter the e-mail address(es) to be copied when tickets of this category are
submitted to the Help Desk.
User Settable The User Settable value is either 'true' or 'false'. It indicates if a non-help desk
admin is allowed to set the category value on a ticket and whether or not this
category appears in the list of choices displayed to the end user. This setting
allows you to present a simplified list of values to the user, and to display more
values, and create additional values, that are shown only to the administrator or Help
Desk users.

3. Click the icon beside a Category value to change its order in the drop-down list.

4. Click the icon to add an option to the Category drop-down list.

5. Click the icon to remove a Category value.

You cannot remove Category values that are in use.


If you want to change the values, add a new value first, move those tickets with the old
value to the new value. Once the value is not being used, you can safely delete the
value.

6. Click Save to apply your changes.

To customize Status values:

1. In the Status Values area, click the icon beside a Status value to modify it.

Editable fields appear for that value.

2. Edit the Status Values field:

Name Enter the name for the value.


State Indicates whether the ticket is open, closed, or stalled.
Open - The ticket is active
Closed - The ticket has been resolved
Stalled - The ticket is open past its due date, but is not in escalation.

3. Click the icon beside a Status value to change its order in the drop-down list.

4. Click the icon to add an option to the Status drop-down list.

5. Click the icon to remove a Status value.

You cannot remove Status values to which tickets are currently assigned.
If you want to change the values, add a new value first, move those tickets with the old
value to the new value. Once the value is not being used, you can safely delete the
value.

6. Click Save to apply your changes.

To customize Priority values:

1. In the Priority Values area, click the icon beside a Priority value to modify it.

Editable fields appear for that value. Edit the Priority Values fields:
Name Enter a name for the custom field.
Color The displayed color of this status on the ticket list pages.
Escalation Time The interval after which an open ticket of this priority is escalated. Enter a time
integer and a unit from the drop-down list.

2. Click the icon beside a Priority value to change its order in the drop-down list.

3. Click the icon to add an option to the Priority drop-down list.

4. Click the icon to remove a Priority value.

You cannot remove Priority values to which tickets are currently assigned.
If you want to change the values, add a new value first, move those tickets with the old
value to the new value. Once the value is not being used, you can safely delete the
value.

5. Click Save to apply your changes.

To customize Impact values:

1. In the Impact Values area, click the icon beside an Impact value to modify it.

Editable fields appear for that value.


2. Modify the Name field as desired.

3. Click the icon beside an Impact value to change its order in the drop-down list.

4. Click the icon to add an option to the Impact drop-down list.

5. Click the icon to remove an Impact value.

You cannot remove Impact values to which tickets are currently assigned.
If you want to change the values, add a new value first, move those tickets with the old
value to the new value. Once the value is not being used, you can safely delete the
value.

6. Click Save to apply your changes.

To add custom value fields:

1. In the Custom fields area, click the Edit item icon to modify the fields.
2. In the Name field, enter the names for the custom fields as you want them to be displayed on the
Ticket Details page.
The custom fields are added as text boxes that hold up to 255 characters. You can add up to six custom
fields.
3. Enter the select values in the Select Values field.
Select Values are used for custom fields with Field Type of Single Select or Multiple Select. These values
should be entered as comma-separated strings.
4. Select the field type in the Field Type list.
5. Select the Only Editable By Owners check box to make this field editable by owners.
6. To remove a custom field, clear the name from the field value.
When you remove the name of a field, values for that custom field will be removed from all tickets.
When you rename a field, values for that custom field will be retained.
7. Click Save to apply your changes.
8. In the Ticket List View area, click the Edit item icon to modify the desired Ticket List View fields.
9. Select the name in the Name list.
10. Specify the width in the Width field and then click Save.
11. Click Save.

You can create fifteen custom fields.

To customize Ticket List view:

1. In the Ticket List View area, click the icon beside an attribute to modify it.

Editable fields appear for that value. Edit the fields:


Name Select an attribute name from the drop-down list.
Width Enter the column width.

2. Click the icon beside an attribute to change its order in the drop-down list.

3. Click the icon to add an attribute to the Ticket List View drop-down list.

4. Click the icon to remove an attribute.

5. Click Save to apply your changes.

Help Desk E-mail Customization


The help desk e-mail customization page contains e-mail templates that can be used by the Help Desk to
generate e-mails. You can modify these templates if required.

To customize help desk e-mails:

1. Select Help Desk | Configuration. The Helpdesk Queues page appears.


2. Click a queue name. The Help Desk Configuration page appears.
3. Click the [Customize Emails] link. The Help Desk Email Customization page appears.
The following e-mail templates are available:
Ticket Escalation
Email Ticket Creation Acknowledgement
Ticket Change Notification
Satisfaction Survey Notification
Response To Unknown Email Address
Email Ticket Error
You can edit these templates if required.
The e-mail templates contain various symbols, which are replaced with the appropriate information when
an e-mail is sent. For example, $ticket_number is replaced with the ticket number of the ticket for which
the e-mail is sent.

The following symbols are available in all templates:
$userui_url
$helpdesk_name
$helpdesk_email

The following symbols are available in templates for e-mail involving tickets:
$ticket_escalation_minutes
$ticket_priority
$ticket_number
$ticket_title
$ticket_url
$ticket_history
$change_desc

The following symbols are available in the "Response to Unknown Email Address" template:
$subject
$quoted_mail

Ticket Rules
Ticket Rules allow you to periodically run queries and take various actions on the resulting list of tickets.

To create a ticket rule:

1. Select Help Desk | Configuration. The Helpdesk Queues page appears.


2. Click a queue name. The Help Desk Configuration page appears.
3. Click the [Customize] link. The Ticket Rules page appears.
4. Select Add Ticket Rule from the Choose action drop-down list.
The Ticket Rule page appears. The queue name is displayed in parentheses.
5. Enter criteria to choose the tickets to be affected.
6. Under Define Ticket Rule, select an attribute from the drop-down list. For example, Priority.
7. Select a condition from the drop-down list. For example, =
8. Specify the attribute value. For example, Medium.
In the above example, the rule will search for tickets with medium priority.
Note: You can add more than one criterion.
9. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND.
10. Click Test. The search results will be displayed below.
11. Click Next.

12. Choose the values to change.
13. Under Define Ticket Rule, select an attribute whose value you want to change, from the drop-down
list. For example, Priority.
14. Specify the new attribute value. For example, High.
The Priority of the tickets returned by the search will now be changed to High.
15. Click Done. The Ticket Rule : Edit Detail page appears. You can configure settings for running the
SQL query periodically and take various actions on the resulting list of tickets.
16. Specify the following information:

Record Created: The date and time when the Rule was first created. This is a Read-only field.
Record Last Modified: The date and time when the Rule was last modified. This is a Read-only field.
Title: Enter a title for the rule.
Order: Enter a number. The rule will be executed according to the evaluation order specified.
Queue: The name of the queue the ticket belongs to. This is a Read-only field.
Notes: Enter notes, if any.
Frequency: Select the appropriate frequency from the drop-down list. The rule will be run according to the selected frequency.
Next Run: The date and time when the rule will be run next time. This is a Read-only field.
Enabled: Select the check box to enable the ticket rule. The ticket rule will run only if you enable it.
Select Query: This SQL is generated by the Ticket Rule wizard from the inputs that you specified while searching for Tickets in the Ticket Rule page. This is a SQL SELECT statement that will return a set of ticket IDs to operate on. This query will be run based on the Frequency selected above.
  You can click the View Ticket Search Results link to view the search results.
  Note: You must not manually edit the SQL statements generated by the Ticket Rule Wizard without fully understanding the ramifications of doing so. You can easily write SQL that can degrade the performance of your KBOX.
Send query results to someone: Select the text box to send a table of results of the Select Query to the e-mail address(es) specified. All the columns returned by the Select Query will be included in the e-mail.
  Enter the e-mail addresses in the Email text area. You can specify more than one e-mail address by separating them with commas.
Results are tickets, add a comment to each one: Select the check box to add a comment to each ticket from the Select Query. This is useful because the Update Query specified later may update a Ticket without logging that information. Here you could add a message like 'Ticket Rule: Increase Priority to High triggered.' This would give you an indication of what tickets have been changed.
  Enter your comments in the Comment text area.
Send an email for each result row: Select the check box to send an e-mail to each e-mail address returned by the Select Query. An e-mail will be sent to each e-mail address returned by the Select Statement in the E-mail Column.
  Variables will be replaced in the body of the e-mail. For example, strings like $title and $due_date will be replaced by the values in the columns named TITLE and DUE_DATE respectively. Any column returned by the select statement can be replaced in that way.
  The SQL generated by the Ticket Rule Wizard will supply OWNER_EMAIL and SUBMITTER_EMAIL as well as CC_LIST as possible values.
  Enter the subject in the Subject text field.
  Enter the e-mail column name in the E-mail Column text field. For example, OWNER_EMAIL. E-mail will be sent to each e-mail address returned by the Select Statement in this E-mail Column.
  Enter an e-mail message in the E-mail Body text area.
Run an update query, using the results from the one above: Select the check box to run an update query using the results from the query in the Update Query field.
  Using this query you can run an additional SQL UPDATE statement, replacing the string <TICKET_IDS> with a comma-separated list of IDs extracted from the Select Query. For example, "update HD_TICKET set TITLE = 'changed' where HD_TICKET.ID in (<TICKET_IDS>)" would turn into "update HD_TICKET set TITLE = 'changed' where HD_TICKET.ID in (1,2,3)"
  This SQL is generated by the Ticket Rule wizard from the inputs that you specified while changing the attribute values in the Ticket Rule page.
  Note: The Run Log will show a count of the changed rows. This may differ from the selected rows, if the data was already set to the requested values. The update SQL that is generated by the Ticket Rule wizard will not update the ticket row if an incorrect value is entered for fields like Priority or Submitter.
Run Log: Each time the rule runs, the run log will be updated with the last results of that execution. Any failures or errors will be displayed.

17. Click Run Now to immediately run the ticket rule.


18. Click Save to save the ticket rule.
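
The rule run configured in step 16, as an added example (not KACE code and not part of the original guide): the Select Query returns ticket rows, each row produces one e-mail with $column substitution, a comment is added per ticket, and <TICKET_IDS> in the Update Query is replaced by the selected IDs. It runs on an in-memory SQLite database; the PRIORITY column, the TICKET_COMMENT table, the rule dictionary keys and all rows are constructed for the illustration, and changed rows are counted by comparing each row before and after the update.

```python
import sqlite3
from string import Template

PLACEHOLDER = "<TICKET_IDS>"


def expand_ticket_ids(update_sql, ids):
    """Return update_sql with <TICKET_IDS> replaced by e.g. 1,2,3 (None if ids is empty)."""
    if PLACEHOLDER not in update_sql:
        raise ValueError("update query does not contain " + PLACEHOLDER)
    for ticket_id in ids:
        # Only real integers may reach the SQL text (bool is an int subclass).
        if not isinstance(ticket_id, int) or isinstance(ticket_id, bool):
            raise ValueError("non-integer ticket ID: %r" % (ticket_id,))
    if not ids:
        return None  # "in ()" is not valid SQL, so an empty result skips the update
    return update_sql.replace(PLACEHOLDER, ",".join(str(i) for i in ids))


def render(text, row):
    """Replace $title, $due_date, ... with the values of columns TITLE, DUE_DATE, ..."""
    values = {col.lower(): "" if val is None else str(val) for col, val in row.items()}
    return Template(text).safe_substitute(values)  # unknown $names stay as typed


def run_rule(conn, rule):
    """One execution of a rule: select, e-mail per row, comment per ticket, update."""
    cur = conn.execute(rule["select_query"])
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    ids = [r["ID"] for r in rows]
    update_sql = expand_ticket_ids(rule["update_query"], ids)  # also validates the IDs

    # "Send an email for each result row": the recipient comes from the E-mail Column.
    outbox = [(r[rule["email_column"]], render(rule["subject"], r), render(rule["body"], r))
              for r in rows if r.get(rule["email_column"])]

    # "Results are tickets, add a comment to each one".
    conn.executemany("insert into TICKET_COMMENT (TICKET_ID, COMMENT) values (?, ?)",
                     [(i, rule["comment"]) for i in ids])

    # "Run an update query": count only the rows whose values really changed.
    changed = 0
    if update_sql is not None:
        snapshot = "select * from HD_TICKET where ID in (%s) order by ID" % ",".join(map(str, ids))
        before = conn.execute(snapshot).fetchall()
        conn.execute(update_sql)
        after = conn.execute(snapshot).fetchall()
        changed = sum(1 for b, a in zip(before, after) if b != a)
    return {"selected": len(ids), "changed": changed, "outbox": outbox, "update_sql": update_sql}


def demo():
    """Run one rule against constructed tickets; ticket 3 is already High."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table HD_TICKET (ID integer primary key, TITLE text, PRIORITY text,
                                DUE_DATE text, OWNER_EMAIL text);
        create table TICKET_COMMENT (TICKET_ID integer, COMMENT text);
        insert into HD_TICKET values
            (1, 'Printer jam',    'Medium', '2009-03-02', 'joe@example.com'),
            (2, 'VPN down',       'Low',    '2009-03-03', 'ann@example.com'),
            (3, 'Password reset', 'High',   '2009-03-04', 'joe@example.com');
    """)
    rule = {
        "select_query": "select ID, TITLE, DUE_DATE, OWNER_EMAIL from HD_TICKET "
                        "where DUE_DATE <= '2009-03-04' order by ID",
        "update_query": "update HD_TICKET set PRIORITY = 'High' "
                        "where HD_TICKET.ID in (<TICKET_IDS>)",
        "email_column": "OWNER_EMAIL",
        "subject": "Ticket $id: $title",
        "body": "Due $due_date. Priority raised by $rule_name.",
        "comment": "Ticket Rule: Increase Priority to High triggered.",
    }
    result = run_rule(conn, rule)
    result["comments"] = conn.execute("select count(*) from TICKET_COMMENT").fetchone()[0]
    return result


if __name__ == "__main__":
    print(demo())
```

Three tickets are selected but only two rows change, which is the difference the Run Log note describes; the per-ticket comment is what records that the rule touched all three.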

To delete a ticket rule:

1. To delete ticket rules, do one of the following:


From the Ticket rule List view, select the check box beside the ticket rule, then select Delete
Selected Item(s) from the Choose action drop-down list.
From the Ticket Rule : Edit Detail page, click Delete.
2. Click OK to confirm deleting the selected Ticket rule.

Creating and Editing Help Desk Tickets
Depending on whether you are creating a ticket from mail, the Administrator UI, or from the Help Desk,
you will have different options available to you. This section describes each of these methods. Regardless
of the method used to submit a Help Desk ticket, all interested parties will receive a confirmation mail that
includes a link to the submitted ticket.

To create a new ticket from the Help Desk:

1. Log in to the User Portal as a user. The Tickets page appears.


2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears.

To create a new ticket from the Administrator UI:

1. Select Help Desk | Tickets.


2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears.
3. Specify ticket details.

Title: Enter a title for the ticket.
Impact: Enter the severity of the issue.
Category: Indicate the issue type.
Status: Indicate the status of the issue.
Priority: Indicate the importance of the issue.
  Note: You cannot set the priority if you are creating the ticket through the user portal.
Owner: Select an owner from the drop-down list. You can filter the list by entering any filter options.
Machine: The machine affected by the issue. Defaults to submitter’s computer after Ticket is saved. You can filter the list by entering any filter options.
  Note: You can see help ticket submissions from the Computer’s inventory record. See Chapter 3, “Help Tickets,” starting on page 62.
Asset: Select an asset from the drop-down list. You can filter the list by entering any filter options.
Due Date: Enter a due date if desired. Click the icon to select the Month, Day, and Year.
CC List: A comma-separated list of additional e-mail addresses for users who might be interested in changes to this ticket. You can filter the list by entering any filter options.
  Note: You can enter only 200 characters in the CC list field. To bypass this limitation you can create e-mail aliases for large distribution lists.
Submitter: Click the icon to select the submitter from the drop-down list. You can filter the list by entering any filter options.
See Also: Link(s) to related tickets. When editing this list, enter the Ticket IDs as comma-separated integers.
Referrers: If other tickets refer to this ticket in the See Also field, those ticket IDs will appear here after this ticket is saved.
Owners only: Select the check box to have the comment you are entering visible only to users who are authorized to own tickets.
KB article lookup: Select a KB article from the drop-down list. You can filter the list by entering any filter options.
Comment: The contents of the selected KB article will be populated in the comment field. This field is editable.
Attachment: Browse to the desired attachment file.

4. Click Save.

After you create the new ticket, you can open the ticket record and view a print-friendly
version of the ticket, e-mail the ticket to someone, and click the Find Relevant Articles
link to locate Knowledge Base articles related to the ticket.
The submitter will get a confirmation e-mail with a link to the specific ticket, if you have
selected the New Ticket Via Email check box in the Help Desk Configuration page.

Submitting Help Desk Tickets through E-mail


In addition to submitting tickets via the Web-based User and Administrator interfaces, users also can
submit Help Desk tickets by sending mail to the Help Desk mail configured in the Help Desk settings.
Tickets created from mails will receive the default values for Impact, Category, and Priority, as set on the
Help Desk | Configuration tab. The body of the mail message will be added as a comment. The
submitter is determined by the sender’s mail address. For more information, see “To add a new helpdesk
queue:,” on page 207.

Setting Ticket Attributes via E-mail


You can set ticket attributes via e-mail by including lines starting with the @ symbol at the
beginning of an e-mail to the helpdesk.

Only users with ticket ownership privileges can do this. If a non-owner were to try to do
this, his or her @-lines would be considered text and included in the comment.

For example, replying to a ticket e-mail with the following text would close the ticket, change the owner, and
add a comment:
@status=closed
@owner=joe
I fixed that problem. If it happens again, talk to Joe.

The attributes you can control in this way are:

category: Enter the category.
cc_list: You can use a comma-separated list of e-mail addresses.
due_date: The date can be in any format. For example, 2/3/2004, next friday or February 3, 2004. To clear the due date, use an empty string ("") or "null".
impact: Enter the impact.
owner: Enter the owner's user name, full name, or e-mail address. You can clear the owner by using the empty string "".
priority: Enter the priority.
resolution: Enter the resolution.
status: Enter the status.
submitter: Enter the submitter's user name, full name, or e-mail address. If the specified name does not match an existing user and if the queue has the "Accept email from unknown users" check box selected, a new user will be created. If you think that this might happen, you can include both a full name and an e-mail address. For example, Full name <email address>
title: Enter the title.

Custom fields
You can also set custom fields. Refer to the field by its name with an underscore in place of the space. For
example, if the field name is eye color, use eye_color. It is possible to have two custom fields that share the
same name once the underscore is applied. In this case, the assignment will go to the first of the two custom fields.
You'll get an error if you try to put a bad value into a select or multiselect custom field. To select multiple
values in a multiselect custom field, separate the values with commas.
The lines at the beginning of an e-mail starting with "@" are special. You'll get errors if they're not
assignments as described above. For example,
@owner=NoSuchUser
@status=NoSuchStatus

Errors will be e-mailed back to you. The e-mail will use the "Email Ticket Error" template. For more
information on e-mail templates, refer to “Help Desk E-mail Customization,” on page 213.
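
The @-line handling described in this section, as an added example (not KACE code and not part of the original guide): it reads the leading @-lines of a message, applies them only for a sender with ticket ownership privileges, and collects the errors that would be mailed back. The queue dictionary, the user record and the custom field definitions are constructed; the example also assumes that names and status values match case-insensitively, that @-lines must be the very first lines, and that valid assignments are still applied when another line fails, none of which the guide specifies.

```python
import re

STANDARD_ATTRS = {"category", "cc_list", "due_date", "impact", "owner", "priority",
                  "resolution", "status", "submitter", "title"}
ASSIGNMENT = re.compile(r"^@(\w+)\s*=\s*(.*)$")

# Constructed queue configuration; the status names are the ones the guide lists.
SAMPLE_QUEUE = {
    "statuses": ["New", "Opened", "Closed", "Need More Info"],
    "users": [{"user_name": "joe", "full_name": "Joe Smith", "email": "joe@example.com"}],
    "custom_fields": [
        {"name": "eye color", "choices": ["blue", "brown"], "multi": False},
        {"name": "eye_color", "choices": None, "multi": False},  # same name with underscore
        {"name": "sites", "choices": ["HQ", "Lab", "Remote"], "multi": True},
    ],
}


def _unquote(value):
    """Strip whitespace and one pair of surrounding double quotes ("" becomes empty)."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return value


def _find_user(users, text):
    """Match on user name, full name, or e-mail address."""
    wanted = text.lower()
    for user in users:
        if wanted in (user["user_name"].lower(), user["full_name"].lower(), user["email"].lower()):
            return user["user_name"]
    return None


def parse_ticket_email(body, sender_is_owner, queue):
    """Return (changes, comment, errors) for one incoming help desk e-mail."""
    if not sender_is_owner:
        return {}, body, []  # non-owner: @-lines are ordinary comment text
    custom = {}
    for field in queue["custom_fields"]:
        custom.setdefault(field["name"].replace(" ", "_"), field)  # first field wins
    lines = body.splitlines()
    changes, errors, n = {}, [], 0
    while n < len(lines) and lines[n].startswith("@"):
        line, n = lines[n], n + 1
        found = ASSIGNMENT.match(line)
        if not found:
            errors.append("not an assignment: " + line)
            continue
        attr, value = found.group(1), _unquote(found.group(2))
        if attr == "status":
            known = [s for s in queue["statuses"] if s.lower() == value.lower()]
            if known:
                changes["status"] = known[0]
            else:
                errors.append("unknown status: " + value)
        elif attr == "owner":
            user = _find_user(queue["users"], value) if value else None
            if value and user is None:
                errors.append("unknown owner: " + value)
            else:
                changes["owner"] = user  # None clears the owner
        elif attr == "due_date":
            changes["due_date"] = None if value in ("", "null") else value
        elif attr == "cc_list":
            changes["cc_list"] = [a.strip() for a in value.split(",") if a.strip()]
        elif attr in STANDARD_ATTRS:
            changes[attr] = value
        elif attr in custom:
            field = custom[attr]
            picked = [v.strip() for v in value.split(",")] if field["multi"] else [value]
            bad = [v for v in picked if field["choices"] and v not in field["choices"]]
            if bad:
                errors.append("bad value for %s: %s" % (field["name"], ", ".join(bad)))
            else:
                changes[field["name"]] = picked if field["multi"] else value
        else:
            errors.append("unknown attribute: " + attr)
    return changes, "\n".join(lines[n:]), errors


if __name__ == "__main__":
    reply = "@status=closed\n@owner=joe\nI fixed that problem. If it happens again, talk to Joe."
    print(parse_ticket_email(reply, True, SAMPLE_QUEUE))
    print(parse_ticket_email(reply, False, SAMPLE_QUEUE))
```
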

Editing Help Desk Tickets


After you create a Help Desk ticket, you can edit it from the Tickets list page or from the Ticket
Tick page. Regardless of where the change is made, any change made to a ticket is reflected in the history
log at the bottom of the Ticket Detail window.
To edit a ticket from the Tickets list page:

1. Select the check box beside the ticket(s) you want to edit.
2. From the Choose action drop-down list, select the desired option:

• Delete Selected Item(s)


• Set status to New, Opened, Closed, or Need More Info
• Set priority to High, Medium, or Low
• Reassign to another user.

To edit a ticket from the Ticket Tick page:

1. Select Help Desk | Tickets.


2. Click the Ticket ID or linked Issue Summary. The Ticket Tick page appears.
3. Edit Ticket details as desired. You can edit the Ticket details like Title, Impact, Category, Status,
Priority, Owner, Machine, Asset, Due Date, CC List, Submitter, See Also, Referrers, and Resolution.
4. To provide additional information about your change, click Add Comment, and then perform the
following steps:
   a. Select the Owners only check box to have the comment you are entering visible only to users who
      are authorized to own tickets.
   b. Enter a comment about the changes in the Comment field.
   c. Browse to the desired attachment file.
5. To provide additional information about the work, click Add Work, and then perform the following
steps:
   a. Select the work date.
   b. Select the start date of the work.
   c. Select the end date of the work.
   d. Enter the adjustment hours in the Adjustment field.
   e. Enter work-related details in the Work Note field.
6. To copy an existing ticket, click Duplicate.
7. To create a Knowledge Base article from the comments in the ticket, click the Create KB article
button.
8. Select the Owners only check box to have the comment visible only to users who are authorized to
own tickets.
9. Click Save to apply your changes or click Save & List to apply your changes and go to the Tickets list
page.

When reassigning a ticket to a new owner using the Choose action drop-down list,
the number in parentheses indicates the number of tickets currently assigned to that
Help Desk user.

Searching Help Desk tickets
From the Ticket List page, users can search tickets submitted by them, as well as view tickets by other
owners. You can use Advanced Search options to locate tickets. Advanced search allows you to use
operators such as contains, >, <, =, and Match RegEx.
Match RegEx allows for wildcard and other search expressions familiar to Perl users. “%” functions as
the wildcard (similar to * in the DOS world). For additional information about RegEx searching, visit
http://www.regular-expressions.info/ and/or http://dev.mysql.com/doc/mysql/en/regexp.html.
Normally, a backslash (\) is used as an escape character in programming languages.
A user who wants to search for a literal character (for example, “.”) in a string is therefore usually required
to type two backslashes (that is, \\.). One backslash is used as an escape character, whereas the other
backslash is used for searching the character (“.”) in the string.
However, because of the way KBOX is coded, this can be accomplished with a single backslash. A user need not
type double backslashes (\\.) to search for the character (“.”) in a string. So for searching a regular expression
in a string in KBOX, a single backslash is sufficient.

Managing Help Desk Tickets


After a ticket is submitted to the Help Desk, it is the responsibility of the ticket owner to resolve the ticket.
The owner reviews the ticket, adjusts the impact if necessary, and assigns a priority. If the ticket issue is
straightforward, the owner might resolve the issue quickly, enter a resolution in the ticket details, then
close the ticket. In more complicated situations, however, a ticket may take more time to close, and be
assigned to different owners over its lifetime.
In some cases, the owner is unable to resolve the ticket by the due date and the ticket is then escalated to
someone else to resolve. The process of escalation is determined by the settings configured in the Help
Desk Configuration page.
Depending on the Help Desk configuration, the submitter of a ticket might receive a satisfaction survey to
gather feedback about the way the ticket was handled, after the ticket is closed. For more information
about the satisfaction survey, see “About the Satisfaction Survey,” on page 222.

Understanding the Escalation Process


The escalation process allows you to send out automatic e-mails when a ticket remains in an Open state
longer than a specified time. This gives you a way to monitor service level agreements, and allows you to
notify a large group when a ticket hasn’t been handled properly.
There are three variables that control the escalation process:
Which tickets can/should be escalated
The length of time a ticket can be open before an escalation e-mail is sent
The recipient(s) of the escalation e-mails

Each ticket has a Priority, and each Priority has an Escalation Time associated with it. Tickets are
escalated if they have been open longer than the time specified by their priority setting. Tickets also have
a Status that can either be Open, Stalled, or Closed. Tickets with an Open status will trigger an escalation
mail every n minutes, where n is the time specified by the Escalation Time assigned to the priority. For
example, by default, the KBOX has a Priority value of High, with an Escalation Time of 30 minutes. This
means that for each ticket that is marked as High Priority, an escalation mail will be sent every 30 minutes
to notify people that the ticket is still Open.
Tickets that are Stalled or Closed do not trigger escalation e-mails. Moving a ticket from Open to Stalled or
Closed, and then back to Open will not change the creation time, so the escalation mails will continue to
be processed based on the original time. For example, if you were to open a ticket, close it after 5 minutes,
then reopen it after 35 minutes, an escalation e-mail would be sent saying that the ticket is older than 30
minutes. After that e-mail is sent, the next e-mail would go out after an additional 30 minutes had elapsed.
You determine who receives the escalation e-mails in the Email on Events area of the Help Desk
Configuration settings. You could choose to send the escalation e-mail to any of the following:
The ticket owner
The submitter
The e-mail address(es) listed in the Ticket CC area
The e-mail address(es) listed in the Category CC area.
By specifying the recipient for escalation e-mails, you are routing open tickets to the right person or people
who can help to resolve the issue.

About the Satisfaction Survey


After a ticket is Closed, if a user views the detail page for that ticket, he or she will be presented with the
option to indicate their level of satisfaction with the way the ticket was handled. Users also can add
comments to the ticket to further explain their assessment.
In addition, you can configure the Help Desk to actively solicit feedback from users after a ticket is closed,
by automatically sending them an e-mail with a link to the survey.
Select the Closed ticket in the Tickets list, click Email this Ticket, and enter an e-mail address to which you
want to send the survey.
Score values assigned in the survey are stored in the ticket and are not editable by the Help Desk
administrator, although you can run a variety of reports to display survey data. For more information about
displaying survey data, see “Running Help Desk Reports,” on page 223.

Running Help Desk Reports
The KBOX provides several default reports you can run on the Help Desk.
You can view these reports by selecting the Reporting tab and then selecting HelpDesk from the View
by category drop-down list.
By default, the KBOX includes the Help Desk reports shown in the table below. For convenience, each of
these reports is available in a variety of formats: HTML, PDF, CSV, and TXT.

Help Desk Report | Description

Closed Satisfaction Survey last 31 days by Owner | Lists by Owner all Closed Satisfaction Surveys in the last 31 days.
Closed Ticket Resolutions last 31 days by Owner | Lists by Owner all Closed Ticket Resolutions in the last 31 days.
Closed Ticket Resolutions last 7 days by Owner | Lists by Owner all Closed Ticket Resolutions in the last 7 days.
Closed Tickets last 31 days by Category | Lists by Category all Help Desk tickets that have been closed in the last 31 days.
Closed Tickets last 31 days by Owner | Lists by Owner all Help Desk tickets that have been closed in the last 31 days.
Closed Tickets last 7 days by Owner | Lists by Owner all Help Desk tickets that have been closed in the last 7 days.
Escalated/Open Tickets by Owner | Lists by Owner all escalated and open Help Desk tickets.
Open Tickets by Category | Lists by Category all open Help Desk tickets.
Open Tickets by Owner | Lists by Owner all open Help Desk tickets.
Open Tickets last 7 days by Owner | Lists by Owner all open Help Desk tickets opened in the last 7 days.
Stalled Tickets by Owner | Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets).
Stalled/Open Tickets by Category | Lists by Category all stalled and open Help Desk tickets.
Stalled/Open Tickets by Impact | Lists by Impact all stalled and open Help Desk tickets.
Stalled/Open Tickets by Owner | Lists by Owner all stalled and open Help Desk tickets.
Stalled/Open Tickets by Priority | Lists by Priority all stalled and open Help Desk tickets.
Stalled/Open Tickets by Status | Lists by Status all stalled and open Help Desk tickets.
Stalled/Open Tickets with Due Date by Owner | Lists by Owner and due date all stalled and open Help Desk tickets.
Work Report Date Range - Long Notes Display | Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01.
Work Report last 31 days | Reports all tickets for which work has been logged for the last 31 days.
Work Report last 31 days - Customize | Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days.
Work Report last 31 days - Long Notes Display | Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry.
Work Report last 31 days by Person | Displays all people who logged work during the last 31 days first by person, and then by ticket and time.

Table 11-2: Default Help Desk reports

To run Help Desk reports:

1. Select Reporting. The KBOX Reports page appears.


2. From the View by category drop-down list, select HelpDesk.
3. Click the format type for the report you want to view.

If you need to create custom reports, see Chapter 12, “Creating and Editing
Reports,” starting on page 230 for information on using the Report Wizard.

CHAPTER 12

Reporting

The KBOX provides a variety of alerts and reporting features
that enable you to communicate easily with users and to get
a detailed view of the activity on your network.

“The KBOX Reports Overview,” on page 226


“Creating and Editing Reports,” on page 230
“Alert Messages,” on page 238
“E-mail Alerts,” on page 239
“Filters,” on page 239
“Exporting Reports,” on page 241
“Importing Reports,” on page 241

The KBOX Reports Overview
The KBOX is shipped with many stock reports. The reporting engine utilizes XML-based report layouts to
generate reports in HTML, PDF, CSV, XSL and TXT formats.
By default, the KBOX provides reports in the following general categories:
Compliance
Hardware
Help Desk
KBOX
Network
Patching
Security
Software
Template

Types of Reports
Within each of the general categories mentioned above, there are various reports you can run to display
information about the computers on your network. Descriptions of each type of report you can run are
provided below. Help desk reports are discussed in Chapter 11, “User Portal and Help Desk,” starting on
page 193.

Category Report Description

Compliance Hotfix Compliance Shows the list of computers that have the speci-
fied hotfix installed.
Compliance Software Compliance Simple Lists the licenses and counts like the License list
page with details such as vendor, PO#, and
Notes.
Compliance Software License Compliance Lists software and computers that are impacted
Complete by each license record.
Compliance Unapproved Software Lists software found on computers that do not
Installation have approved licenses.
Hardware C drives less than 2G free Shows which computers with less than 2
gigabytes of free space.
Hardware Computer - Video/Ram/Proc by Lists all computers and their video, ram and pro-
Label cessor information sorted by label and name.
Hardware Computer Export This report is intended to generate a CSV listing
for data export to other programs.
Hardware Computer Inventory Detail Detail listing of all computers on the KBOX
network with full field detail.
Note: When this report is opened in XLS format,
it gives an Apache Tomcat error.

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200 226
Category Report Description

Hardware Computer Listing by Free Disk Lists computer disk drives in order of total free
Space disk space.
Hardware Computer Listing by Label Lists all computers by all KBOX labels.
Hardware Computer Listing by Memory Lists computer RAM in order of total memory
size.
Hardware Computer Listing by Operating Sorts all computers by Operating System type
System and sums OS Types.
Hardware Computer Uptime Report Reports the uptime of the computers.
Help Desk Closed Satisfaction Survey last Lists by Owner all Closed Satisfaction Surveys in
31 days by Owner the last 31 days.
Help Desk Closed Ticket Resolutions last 31 Lists by Owner all Closed Ticket Resolutions in
days by Owner the last 31 days.
Help Desk Closed Ticket Resolutions last 7 Lists by Owner all Closed Ticket Resolutions in
days by Owner the last 7 days.
Help Desk Closed Tickets last 31 days by Lists by Category all Help Desk tickets that have
Category been closed in the last 31 days.
Help Desk Closed Tickets last 31 days by Lists by Owner all Help Desk tickets that have
Owner been closed in the last 31 days.
Help Desk Closed Tickets last 7 days by Lists by Owner all Help Desk tickets that have
Owner been closed in the last 7 days.
Help Desk Escalated/Open Tickets by Lists by Owner all escalated and open Help Desk
Owner tickets.
Help Desk Open Tickets by Category Lists by Category all open Help Desk tickets.
Help Desk Open Tickets by Owner Lists by Owner all open Help Desk tickets.
Help Desk Open Tickets last 7 days by Lists by Owner all open Help Desk tickets opened
Owner in the last 7 days.
Help Desk Stalled Tickets by Owner Lists by Owner all tickets that are past their due
date but not in escalation (stalled tickets).
Help Desk Stalled/Open Tickets by Lists by Category all stalled and open Help Desk
Category tickets.
Help Desk Stalled/Open Tickets by Impact Lists by Impact all stalled and open Help Desk
tickets.
Help Desk Stalled/Open Tickets by Owner Lists by Owner all stalled and open Help Desk
tickets.
Help Desk Stalled/Open Tickets by Priority Lists by Priority all stalled and open Help Desk
tickets.
Help Desk Stalled/Open Tickets by Status Lists by Status all stalled and open Help Desk
tickets.

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200 227
Category Report Description

Help Desk Stalled/Open Tickets with Due Lists by Owner and due date all stalled and open
Date by Owner Help Desk tickets.
Help Desk Work Report Date Range - Long Displays date, ticket #, technician and hours
Notes Display worked as a header above the Notes for a Work
entry for 2006-04-01 through 2006-07-01.
Help Desk Work Report last 31 days Reports all tickets for which work has been
logged for the last 31 days.
Help Desk Work Report last 31 days - Use this report if you want to build a customized
Customize report showing only select fields for all tickets for
which work has been logged for the last 31 days.
Help Desk Work Report last 31 days - Long Displays date, ticket #, technician, and hours
Notes Display worked as a header above the Notes for each
Work entry.
Help Desk Work Report last 31 days by Displays all people who logged work
Person during the last 31 days first by person, and then
by ticket and time.
KBOX Boot/Login Policies Lists all the activities that could happen at
machine boot time or after the user logs in.
KBOX KBOX Agent Roll Out Log Reports when a computer record was first cre-
ated.
KBOX KBOX Communication Lists by day the latest communication from com-
puters on the network.
KBOX MI's enabled on all machines Lists all the managed installations that are
enabled on all machines.
KBOX Scripts enabled on all machines This report lists the scripts that are enabled on all
machines.
Network Network Info - Domain Listing This report lists computers groups computers by
domain/workgroup.
Network Network Info - IP Address Lists computers in order of IP Address (ascend-
Listing ing).
Network Network Scan Report Displays the results of the nightly Network Scan.
Patching Critical Bulletin List Lists all critical bulletins.
Patching For each Machine, what patches Lists of all patches on each computer in the
are installed KBOX network.
Patching For each Patch, what machines Lists the computers having each software patch
have it installed in inventory.
Patching How many computers have each Software Inventory listing sorted by software title
Patch installed showing number of seats deployed.
Patching Installation Status of each Lists the installation status of each enabled
enabled Patch patch.

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200 228
Category Report Description

Patching Needs Review Bulletin List List of all the Bulletins that need review.
Patching Patches waiting to be deployed Lists all patches waiting to be deployed.
Security Number of machines with OVAL vulnerabilities Lists, for each OVAL test, how many machines
failed the test and are therefore vulnerable.
Security OVAL Machine Report Reports all the machines and how many OVAL tests each of them failed.
Security SANS Top 10 - Q2 2005 Reports all OVAL results from vulnerabilities reported by SANS.
Security Threatening Items Displays all items of threat level 4 or 5 and the computers which have them.
Security Top 10 OVAL Vulnerabilities Displays a Pie graph of the top 10 OVAL vulnerabilities that
have been reported by the OVAL scan.
Software Software Export Generates a CSV listing for data export to other programs.
Software Software Installed But Not Used Last 6 Months Lists, by software item, where software has
been installed but not used according to software metering. This only works when you have
attached the metering to a particular software item which limits you to a particular version of
software.
Software Software Inventory By Vendor Software Inventory listing grouped by vendor showing number
of seats deployed.
Software Software Listing By Label Lists all software titles organized by all KBOX labels.
Software Software not on any computer Listing of all software titles that are not currently
installed on any computers.
Software Software on Computer Listing of all software on each computer in the KBOX network.
Software Software OS Report - Graph Pie graph showing the list and count of Operating Systems
currently deployed on your network.
Software Software Title & Version - Computer List This report lists the computers having each
software title in inventory.
Software Software Title - Computer List (MS Only) This report lists computers having each Microsoft
software title in inventory.
Software Software Title Deployed Count Software Inventory sorted by software title showing number
of seats deployed.
Template Computer Listing - XP SP2 installed? Lists all computers, reporting if XP SP2 is installed
or not. Change 'Windows XP Service Pack 2' to any other Software title you are interested in.
Sorted by installation status.


Template Computer Listing with Software Template Computer Listing sorted by LABEL with computers
having software names like "Microsoft Office Professional%".
Template Custom Inventory Template Reports the values returned by a custom inventory rule that you
can set up in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item
with the Custom Inventory Rule in it.
Template Log File Information Template This is a template that lists the values returned from a
'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute
that you returned.
Template Log Registry Value Template This template lists the values returned from a script using
the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that
you entered in the script.
Template Machines By Label X with Software Y Installed Reports all the machines in label(s) and
indicates if they have a particular software product installed. Replace KBOX with the name of the
software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you
want included.

Table 12-1: Default reports

Running Reports
To run any of the KBOX reports, click the desired format type (HTML, PDF, CSV, XLS or TXT). For the HTML
format, the report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open
the file or save it to your computer.

Creating and Editing Reports


If you have other reporting needs not covered by the reports previously mentioned, you can either create
a new report from scratch, or you can modify one of the templates provided in the KBOX Template
category.
You can create a report in the following ways:
Duplicate an existing report - Open an existing report and create a copy of it, which you can then
modify to suit your needs.
Create a new report using the Report Wizard.
Create a new report from scratch.
You can create a report using the Table or Chart presentation type. The table presentation type gives you
a tabular report with optional row groupings and summaries and the Chart presentation type gives you a
bar, line or pie chart.

To create a new report using the table presentation type:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select Add New Report from the Choose action drop-down list.
3. Enter the report details as shown below:

Report Title Enter a display name for the report. Make this as descriptive as pos-
sible, so you can distinguish this report from others.
Report Category Enter the category for the report. If the category does not already
exist, it is added to the drop-down list on the Reports list page.
Description Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software.
5. Click the Table presentation type icon.
6. Click Next.
7. To choose table columns:
a Click the appropriate column name from the Available columns list.

b Click to add that column to the Display Columns list. You can change the column order by
clicking or .

c To remove a column from the Display list, click the appropriate column and click .
8. Click Next.
9. To define the criteria for displaying records in the report:
a Click the appropriate field name from the Available Fields list. Columns that you chose in the
previous step appear under display fields. You can also choose a field from among all fields available
for that topic. For example, Threat Level.
b Click Add.
c Select the appropriate operator from the comparison drop-down list. For example, Greater Than.
d Enter the appropriate value in the text field. For example, 3.
This rule filters the data and displays only software that has a Threat Level greater than 3.
e Click OK. The rule is added in the list of Current Rules. You can add more than one rule.

f Click to remove a rule from the list of Current Rules.


g Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to
define a syntactic structure for your rules to override operator precedence.
h Click the Check Syntax button to check whether the rule syntax is valid.
i Once you add more than one rule, you can click the Move Up or Move Down button to change the
order of rules.
10. Click Next.
11. To choose columns to be displayed in the report:
a Click the appropriate column name from the Available columns list.

b Click to add that column to the Display Columns list. You can change the column order by
clicking or .

c To remove a column from the Display list, click the appropriate column and click .
12. Click Next.
13. You can customize the report layout. You can drag to set column order and width and to add spacers.
You can drag and drop between columns as well as between columns and spacers. Click the column and
report headings for a further menu of label, grouping, summary and other options.
The options available are as follows:
Title Click on the title displayed before spacer to display the field name of spacer, Add as a
group and Add as a column options.
Spacer Click on spacer to display the field name of spacer and Add as a column options.
Column Click on column to display the column name, change label, switch to group, remove col-
umn, summaries and move to right or left depending upon the column alignment options.

14. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list. To
run the new report, click the desired format (HTML, PDF, CSV, XLS or TXT). For the HTML format, the
report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open the file
or save it to your computer.

You can jump to steps 1-5 of the Reporting Wizard Step. Step 1 and Step 2 are
mandatory and cannot be left blank.

To create a new report using the chart presentation type:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select Add New Report from the Choose action drop-down list.
3. Enter the report details as shown below:

Report Title Enter a display name for the report. Make this as descriptive as possible, so
you can distinguish this report from others.
Report Category Enter the category for the report. If the category does not already exist, it is
added to the drop-down list on the Reports list page.
Description Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software.
5. Click the Chart presentation type icon.
6. Click Next.
7. To choose table columns:
a Click the appropriate column name from the Available columns list.

b Click to add that column to the Display Columns list. You can change the column order by
clicking or .

c To remove a column from the Display list, click the appropriate column and click .

8. Click Next.
9. To define the criteria for displaying records in the report:
a Click the appropriate field name from the Available Fields list. Columns that you chose in the
previous step appear under display fields. You can also choose a field from among all fields available
for that topic. For example, Threat Level.
b Click Add.
c Select the appropriate operator from the comparison drop-down list. For example, Greater Than.
d Enter the appropriate value in the text field. For example, 3.
This rule filters the data and displays only software that has a Threat Level greater than 3.
e Click OK. The rule is added in the list of Current Rules. You can add more than one rule.

f Click to remove a rule from the list of Current Rules.


g Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to
define a syntactic structure for your rules to override operator precedence.
h Click the Check Syntax button to check whether the rule syntax is valid.
i Once you add more than one rule, you can click the Move Up or Move Down button to change the
order of rules.
10. Click Next.
11. Select the appropriate chart type from the following:
Simple 3-D Bar: Displays categories along the X-axis, values along the Y-axis.
3-D Pie: Displays a slice for each category. The corresponding value determines the size of the slice.
Line: Displays categories or dates along the X-axis, values along the Y-axis.
12. Select the appropriate category field from the Category Field drop-down list.
13. Select the summary from the Summary drop-down list, beside appropriate Value field name. If you
have more than one Value field, you can change the value field order by clicking or .
14. Select the Show legend check box if you want to display a legend in the chart.
15. Specify the Chart width and Chart height in pixels, in the text fields.
16. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list.

You can jump to steps 1-5 of the Reporting Wizard Step. Step 1 and Step 2 are
mandatory and cannot be left blank.

To duplicate an existing report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Click the report title you wish to duplicate. The Report Wizard page appears.
3. Click Duplicate.
4. Modify the report details as necessary, then go to the last step (the report layout step) and click Save.

To create a new SQL report from scratch:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report : Edit Detail
page appears.
3. Specify the following report details:

Title Enter a display name for the report. Make this as descriptive as possible, so
you can distinguish this report from others.
Report Category Enter the category for the report. If the category does not already exist, it
is added to the drop-down list on the Reports list page.
Output File Name Enter the name for the file generated when this report is run.
Description Describe the information that the report provides.
Output Types Select the appropriate formats that should be available for this report.
SQL Select Statement Enter the query statement that generates the report data. For reference,
consult the MySQL documentation.
Break on Columns A comma-separated list of SQL column names. The report generates break
headers and sub totals for these columns. This setting refers to the auto-
generated layout.
XML Report Layout Select this check box if you have changed the columns that are being
returned by the query so that the XML Report Layout is regenerated using
the new columns. This option creates the Report XML layout based on the
SQL you enter.
Note: If you have just changed a sort order or a where clause, you need
not recreate the layout.

4. Click Preview. Refer to “Previewing SQL report,” on page 235.


5. Click Save to add this SQL report to the list of reports on the KBOX Reports page. The KBOX Reports
page appears.

The report XML uses the JRXML format. For assistance with formatting it, you can use iReport
to design reports with JRXML. The documentation is available at
http://jasperforge.org/jaspersoft/opensource/business_intelligence/ireport/.
Once you click the Save button, the report wizard is disabled for that report.

To edit a report using SQL Editor:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Click the report you want to edit. The Report Wizard page appears.
3. Click the Edit SQL button.
4. Click OK to proceed. The KBOX Report : Edit Detail page appears.
5. Edit the following report details:

Title Edit the display name for the report if required. Make this as descriptive as
possible, so you can distinguish this report from others.

Report Category Edit or enter the category for the report. If the category does not already
exist, it is added to the drop-down list on the Reports list page.
Output File Name Edit or enter the name for the file generated when this report is run.
Description Describe the information that the report provides.
Output Types Select the appropriate formats that should be available for this report.
SQL Select Statement Edit or enter the query statement that generates the report data. For reference,
consult the MySQL documentation.
Break on Columns A comma-separated list of SQL column names. The report generates break
headers and sub totals for these columns. This setting refers to the auto-
generated layout.
XML Report Layout Select this check box if you have changed the columns that are being
returned by the query so that the XML Report Layout is regenerated using
the new columns. This option creates the Report XML layout based on the
SQL you enter. You can edit, if necessary.
Note: If you have just changed a sort order or a where clause, you need
not recreate the layout.

6. Click Save.

Editing the SQL of a report disables modifying it with the Report Wizard.

To duplicate an existing SQL report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Click the report title you wish to duplicate. The KBOX Report : Edit Detail page appears.
3. Click Duplicate.
4. Modify the report details as necessary, then click Save.
Refer to Appendix B, “Adding Steps to a Task,” starting on page 330.

Previewing SQL report


The KBOX provides preview functionality to view the report created using SQL Editor. You can also
customize an existing report by changing its title, layout, SQL query, or break columns, and then view the
modified report using the Preview button.

To preview the SQL report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report : Edit Detail
page appears.
3. Specify title, report category, output file name, description, SQL Select Statement, Break on Columns.
4. Click Preview. The SQL report is displayed in KBOX Report : Preview Page Layout.
5. To customize the column width, hover the mouse over the report column whose width you want to adjust.
Drag the mouse pointer to change the size of the column width.
6. Click the Save button to update these settings.

To preview the existing SQL report:

1. Click an existing SQL report. The KBOX Report : Edit Detail page appears.
2. Click Preview to view the report. You can customize the report by changing its title, SQL query, or
layout.
3. Click Preview to view the customized report.

Scheduling Reports
Reports can be scheduled from the Schedule Reports tab. From the Report Schedules List page you can
open existing schedules, create new schedules, or delete them. You can also search schedules using
keywords.

To create a report schedule:

1. Select Reporting | Schedule Reports. The Report Schedules page appears.


2. Select Create a New Schedule from the Choose action drop-down list. The Schedule Reports : Edit
Detail page appears.
3. Specify the following schedule details:

Record Created Displays the date and time when the schedule was first created. This field is
read-only.
Record Last Modified Displays the date and time that the schedule was last modified. This field is
read-only.
Schedule Title Enter a display name for the schedule. Make this as descriptive as possible,
so you can distinguish this schedule from others.
Description Enter the information that the schedule would provide.
Report to Schedule Select the appropriate report you would like to schedule. You can filter the
list by entering any filter options.
Report Output Formats Click the desired output report format (PDF, Excel, CSV, or TXT) that should
be available for this scheduled report.
Recipients Click the icon to enter the recipient’s e-mail address, or choose Select user to add
from the drop-down list. This is a mandatory field.
Email Notification
Subject Enter the subject of the schedule. The subject can help to
quickly identify what the schedule is about.
Message Text Enter the message text in the notification.

4. Specify scan schedule:

Don’t Run on a Schedule Select to run the schedules in combination with an event rather
than on a specific date or at a specific time.
Run Every n hours Select to run the schedules at the specified time.
Run Every day/specific day at HH:MM AM/PM Select to run the schedules on the specified day at the
specified time.
Run on the nth of every month/specific month at HH:MM AM/PM Select to run the tests at the specified
time on the 1st, 2nd, or any other date of every month or only the selected month.

5. Click Save, or click Run Now to run the scheduled reports immediately.

To run a schedule:

1. Select Reporting | Schedule Reports. The Report Schedules page appears.


2. Select the check box beside the schedule(s) you want to run.
3. In the Choose action box, select Run Selected Schedules Now.

To delete a schedule:

1. Select Reporting | Schedule Reports. The Report Schedules page appears.


2. Select the check box beside the schedule(s) you want to delete.
3. Select Delete Selected Item(s) from the Choose action drop-down list.
4. Click Yes to confirm deleting the schedule(s).

Alert Messages
Alert messages provide a way for you to interact with your users by displaying a message in a pop-up
window. The Alerts List page displays the messages you have distributed to users.
From the Alerts List page you can open existing alerts, create new alerts, or delete alerts. You can also
search messages using keywords.

The Alerts feature works only if there is a constant connection between the KBOX Agent
and the KBOX. For information on how to set up the constant connection, refer to
“Configuring AMP Settings for the Server,” on page 24.

Creating Alert Messages


If you have information that you want to distribute to your network, you can review and modify previous
messages you have deployed, or you can create a new message.

To create an alert message:

1. Select Reporting | Alerts.


2. Select Add New Item from the Choose action drop-down list. The Alerts: Edit Detail page appears.
3. In the Message Content field, type the text of your message.
4. In the Keep Alive field, specify the length of time (in hours) for which the message is valid.
The messages are broadcast to users until either the user's desktop has received the message or the
specified time interval has elapsed. To set the time interval for downloading scripts, go to Settings |
KBOX Agent | KBOX Agent Settings.
5. In the Limit Broadcast To area, select the recipient label(s) to which this message is sent. Press
CTRL and click to select multiple labels.
6. Select the Enable Scheduled Run check box to specify the alert schedule. Select the appropriate day
and time from the drop-down lists.
7. Click Save.

The pending alert messages are displayed in the AMP Message Queue if they are not
pushed to the target machine. The alert messages remain in the queue until the Keep
Alive time interval elapses or if the connection between the KBOX Agent and the KBOX
is lost or interrupted. Once the time interval has elapsed, the messages are deleted from
the queue and the alerts expire.

E-mail Alerts
E-mail Alerts differ from Alerts (broadcast messages) in that an e-mail alert lets you send messages to
administrators based on more detailed criteria. The E-mail Alert feature relies on the Inventory |
Computers engine to create a notification that is sent to administrators when computers meet the
criteria you specify.
The KBOX 1000 Series checks the computers listed in the inventory against the criteria in the E-mail Alert
once every hour until one or more computers meet the criteria; then a message is sent to the
administrator(s) specified in the alert details.

Creating E-mail Alerts


Notifications are processed every 60 minutes. Should a notification query result in 1 or more machine
records, then a notification e-mail is automatically sent to the specified recipient.

To create an e-mail Alert:

1. Select Reporting | Email Alerts. The Email Alerts page appears.


2. Select Add New Computer Notification in the Choose action drop-down list.
The Inventory | Computers tab appears with the Create Email Notification fields exposed.
3. Enter the search criteria.
4. In the Title field, enter a title for the alert. The Title appears in the Subject field.
5. In the Recipient field, enter the e-mail address(es) of the message recipient.
The e-mail addresses must be fully qualified e-mail addresses. The recipient’s address can be a single
e-mail address or a list of addresses separated by commas.
6. Click the Create Notification tab.

Filters
The KBOX 1000 Series allows you to create two specific types of filters.
They are as follows:
Machine Filter
Software Filter

You can view the list of available filters from the Reporting | Filters tab. With the Filters tab you can:
Add A New Machine Filter
Add A New Software Filter
Delete a Filter
Order Machine Filters
Order Software Filters
To add a new machine filter, refer to Chapter 3, “Creating Search Filters for Computer
Inventory,” starting on page 56.
To add a new software filter, refer to Chapter 3, “Creating Search Filters for Software
Inventory,” starting on page 67.

To edit a filter:

1. Select Reporting | Filters. The Filters page appears.


2. Click a filter name (filter label name). The Filters : Edit Detail page appears.
3. The Filters : Edit Detail page shows the following:

Filter Type Specifies whether the filter type is Machine Filter or Software Filter.
Assigned Label From the drop-down list, choose the appropriate label you want to assign. Click
Details to edit label details. For more information on editing label details, refer to
Chapter 3, “Labels,” starting on page 84.
Label Notes Displays the note relevant to the label, if entered in the Notes field.
Filter SQL This field displays the filter query in the SQL format. You can click Duplicate
to create a new filter with the same Filter SQL text.

4. Click Save.

When you click Duplicate to create a new filter with the same Filter SQL text, you can
only reassign it to a new label.

To order machine filters:

1. Select Reporting | Filters. The Filters page appears.


2. Select Order Machine Filters from the Choose action drop-down list. The Order Machine Filters
page appears. This page lists all the existing machine filters.

3. Click the icon beside a filter listed to modify it. By default, when a new machine filter is created, it
has an order value of 100.
4. You can specify the order in which this filter runs by editing the Order value for this filter. Filters with
descending Order values execute first.
5. Click Save.

To order software filters:

1. Select Reporting | Filters. The Filters page appears.


2. Select Order Software Filters from the Choose action drop-down list. The Order Software Filters
page appears. This page lists all the existing software filters.

3. Click the icon beside a filter listed to modify it. By default, when a new software filter is created, it
has an order value of 100.
4. You can specify the order in which this filter runs by editing the Order value for this filter. Filters with
descending Order values execute first.
5. Click Save.

Exporting Reports
You can export the existing reports of individual organizations in the .jrxml format, which can be viewed
through iReport.
You can customize the exported report by changing the layout, font size or background color in iReport
and import this customized report in the KBOX.

To export a report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select the check box beside the report(s) that you want to export.
3. Select Export Selected Report(s) from the Choose action drop-down list. The File Download pop-
up window opens.
4. Select Save File to save the reports.zip file to the desktop of your machine.
The reports.zip file contains the exported report in the .jrxml format, which can be viewed in iReport.
You can download iReport from
http://jasperforge.org/jaspersoft/opensource/business_intelligence/ireport/.

To view the exported .jrxml file in iReport:

1. Create a connection between iReport and the MySQL database of the KBOX.


2. Open the .jrxml file in iReport and execute the report with the active connection.
You can view the exported report and change its layout using iReport.

Importing Reports
You can import an existing exported report or a new report created in the .jrxml format using the
iReport wizard.

To import the report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select Import Reports from the Choose action drop-down list. The KBOX Reports : Import Reports
page appears.
3. Click Browse and locate the .jrxml file that you want to import and then click Open.
4. Click Upload Reports to upload the .jrxml file in KBOX.
5. View the import results to verify the successful import of the report. This report is displayed in the
KBOX Reports page.

The Reporting module of the KBOX currently does not support the subreport feature
of JasperReports.

CHAPTER 13

LDAP

The KBOX LDAP feature lets you browse and search the data
located on the LDAP Server.

“LDAP Browser,” on page 243


“LDAP Easy Search,” on page 244
“LDAP Browser Wizard,” on page 245
“LDAP Filters,” on page 247
“User Authentication,” on page 249

LDAP Browser
The LDAP Browser allows you to browse and search the data located on the LDAP Server, for example,
an Active Directory Server.
You must have the Bind DN and the Password to log on to the LDAP Server.

To use the LDAP Browser:

1. Select Reporting | LDAP Browser.


2. Specify the LDAP Server Details

LDAP Server Enter the IP or the Host Name of the LDAP Server.
Note: For connecting through SSL, use the IP or the Host Name, as
ldaps://HOSTNAME
If you have a nonstandard SSL certificate installed on your LDAP server
such as internally-signed or a chain certificate not from a major
certificate provider such as Verisign, you need to contact KACE Support
for assistance before proceeding.
LDAP Port Enter the LDAP Port number, which could be either 389 or 636 (LDAPS).
LDAP Login Enter the Bind DN
For example:
CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password Enter the password for the LDAP login.

3. Click test.
4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names)
available on that directory is displayed. These base DNs can be used as a start point to browse and
search the directory.

If the connection was not established, the Operation Failed message appears, which could be due to
one of the following reasons:
The IP or Host Name provided is incorrect.
The LDAP server is not up.
The login credentials provided are incorrect.
5. Click a Base DN or click Next.
A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on
the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN
and the Search Filter.
6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder
is displayed. Specify the following information.

Attribute Name Enter the Attribute Name. For example, samaccountname.


Relational Operator Select the relational operator from the drop-down list. For
example, =.
Attribute Value Enter the attribute value. For example, admin.

7. To add more than one attribute:

Conjunction Operator Select the conjunction operator from the drop-down list. For
example, AND.
Note: This field is available for the previous attribute only when
you add a new attribute.
Add Click Add. You can add multiple attributes.
Search Scope Click One level to search at the same level or click Sub-tree
level to search at the sub-tree level.

8. Click OK. The query appears in the Search Filter text area. For example,
(samaccountname=admin).
9. Click Browse to display all the immediate child nodes for the given base DN and search filter. Click
Search to display all the direct and indirect child nodes for the given base DN and search filter.

The search results are displayed in the left panel.


10. Click a child node to view its attributes.
The attributes are displayed in the right panel.
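
The search filter that steps 6 through 8 produce, composed in Python as an added example (this is not KACE code). It builds the same `(samaccountname=admin)` form from an attribute name, relational operator, attribute value and conjunction operator, and escapes value characters as RFC 4515 requires. The function names, the operators other than `=` and AND, and the sample values are assumptions.

```python
"""Compose LDAP search filters (RFC 4515) from Filter Builder style inputs."""
import re

# RFC 4515 section 3: these characters must appear as \XX inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Short attribute name (letter, then letters/digits/hyphens) or dotted numeric OID.
_ATTRIBUTE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)")

# Assumption: the guide shows only "=" and AND. The rest are the standard
# RFC 4515 operators, not a list taken from the KBOX drop-downs.
RELATIONAL = ("=", ">=", "<=", "~=")
CONJUNCTION = {"AND": "&", "OR": "|"}


def escape_value(value):
    """Replace filter metacharacters in an attribute value with \\XX escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def clause(attribute, operator, value, allow_wildcard=False):
    """Build one (attribute operator value) item, e.g. (samaccountname=admin)."""
    if not _ATTRIBUTE.fullmatch(attribute):
        raise ValueError("not a valid attribute name: %r" % attribute)
    if operator not in RELATIONAL:
        raise ValueError("unsupported relational operator: %r" % operator)
    if value == "":
        raise ValueError("attribute value must not be empty")
    if allow_wildcard:
        # Keep '*' as the substring/presence wildcard, escape everything else.
        if operator != "=":
            raise ValueError("wildcards are only valid with '='")
        escaped = "*".join(escape_value(part) for part in value.split("*"))
    else:
        escaped = escape_value(value)
    return "(%s%s%s)" % (attribute, operator, escaped)


def combine(conjunction, clauses):
    """Join clauses with AND/OR in prefix notation: (&(a=1)(b=2))."""
    clauses = list(clauses)
    if not clauses:
        raise ValueError("at least one clause is required")
    if len(clauses) == 1:
        return clauses[0]
    try:
        symbol = CONJUNCTION[conjunction.upper()]
    except KeyError:
        raise ValueError("unsupported conjunction: %r" % conjunction) from None
    return "(%s%s)" % (symbol, "".join(clauses))


def is_balanced(filter_text):
    """Structural check: the filter starts with '(' and parentheses pair up."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_text.startswith("(")


if __name__ == "__main__":
    # Constructed sample inputs.
    single = clause("samaccountname", "=", "admin")
    both = combine("AND", [single, clause("objectClass", "=", "user")])
    # A display name that contains filter metacharacters.
    group = clause("cn", "=", "Ops (EMEA)")
    for text in (single, both, group):
        print(text, is_balanced(text))
```

A value typed with literal parentheses or an asterisk must reach the Search Filter text area in its escaped form, otherwise the directory parses those characters as filter syntax instead of data.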

LDAP Easy Search


You can use LDAP Easy Search to quickly search the data located on the LDAP Server.

To use the LDAP Easy Search:

1. Select Reporting | LDAP Browser.


2. Specify the LDAP Server Details

LDAP Server Enter the IP or the Host Name of the LDAP Server.
Note: For connecting through SSL, use the IP or the Host Name, as
ldaps://HOSTNAME
If you have a nonstandard SSL certificate installed on your LDAP server
you need to contact KACE Support for assistance before proceeding. A
nonstandard certificate can be an internally-signed or a chain certificate
that is not from a major certificate provider such as Verisign.
LDAP Port Enter the LDAP Port number, which could be either 389 or 636 (LDAPS).
LDAP Login Enter the Bind DN
For example:
CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password Enter the password for the LDAP login.

3. Click test.

4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names)
available on that directory is displayed. These base DNs can be used as a start point to browse and
search the directory.
If the connection was not established, the Operation Failed message appears, which could be due to
one of the following reasons:
The IP or Host Name provided is incorrect.
The LDAP server is not up.
The login credentials provided are incorrect.
5. Click a Base DN or click Next.
A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on
the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN
and the Search Filter.
6. Click the Go to LDAP Easy Search link. The LDAP EasySearch page appears.
7. Enter any key word for search and click GO.
For a more specific search, you can click the Indexed field option or the Non-Indexed field option. You
can also specify Other attributes, separated by commas.

LDAP Browser Wizard


The LDAP Browser Wizard enables you to fill in the information for Search Base DN and Search Filter. Using
the LDAP Browser Wizard you can browse and search the data located on the LDAP Server, for example, an
Active Directory server.
You must have the Bind DN and the Password to log on to the LDAP Server.

To use the LDAP Browser Wizard:

1. Click LDAP Browser.


2. Specify the LDAP Server Details

LDAP Server Enter IP or Host Name of the LDAP Server.


Note: For connecting through SSL, use the IP or the Host Name, as
ldaps://HOSTNAME
If you have a nonstandard SSL certificate installed on your LDAP server
you need to contact KACE Support for assistance before proceeding. A
nonstandard certificate can be an internally-signed or a chain certificate
that is not from a major certificate provider such as Verisign.
LDAP Port Enter the LDAP Port number, which is either 389 (LDAP) or 636 (LDAPS).
LDAP Login Enter the Bind DN
For example:
CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password Enter the password for the LDAP login.

3. Click test.

4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names)
available on that directory is displayed. These base DNs can be used as a start point to browse and
search the directory.
If the connection was not established, the Operation Failed message appears, which could be due to
one of the following reasons:
The IP or Host Name provided is incorrect.
The LDAP Server is not up.
The login credentials provided are incorrect.
5. Click Next or one of the base DNs to advance to the next step.
A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on
the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN
and the Search Filter.
6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is
displayed. Specify the following information.

Attribute Name Enter the Attribute Name. For example, samaccountname.


Relational Operator Select the Relational Operator from the drop-down list. For
example, =.
Attribute Value Enter the Attribute Value. For example, admin.

7. To add more than one attribute:

Conjunction Operator Select the Conjunction Operator from the drop-down list. For
example, AND.
Note: This field is available for the previous attribute only when
you add a new attribute.
Add Click Add. You can add multiple attributes.
Search Scope Click One level to search at the same level or click Sub-tree
level to search at the sub-tree level.

8. Click OK. The query appears in the Search Filter text area. For example,
(samaccountname=admin).
9. Click Browse to display all the immediate child nodes for the given base DN and search filter or click
Search to display all the direct and indirect child nodes for the given base DN and Search Filter.
The search results are displayed in the left panel.
10. Click a child node to view its attributes.
The attributes are displayed in the right panel.
11. Click Next to confirm the LDAP configuration.
12. Click Next to use the displayed settings.

LDAP Filters
LDAP Filters allow the automatic labeling of machine records based on LDAP or Active Directory
interaction. The search filter is applied to the external server, and if any entries are returned, the
machine record is labeled automatically.

If the external server requires credentials for administrative login (aka non-anonymous
login), supply these credentials.
If no LDAP user name is given, then an anonymous bind will be attempted. Each LDAP
filter may connect to a different LDAP/AD server.

You may bind to an LDAP query based on the following KBOX variables:
Computer Name
Computer Description
Computer MAC
IP Address
User name
User Domain
Domain User

To create an LDAP Filter:

1. Select Reporting | LDAP Filters.


2. Select Add New Item from the Choose action drop-down list.
The LDAP Filter: Edit Detail page appears.
3. Enter the following information:

Enabled Select the check box to enable.


Filter Type Select the LDAP filter type.
Associated Label Name Select the label to associate with this filter.
Associated Label Notes If any notes are entered in the label definition, these notes are
automatically populated in this field.
Server Host Name Specify the IP or the Host Name of the LDAP Server.
Note: For connecting through SSL, use the IP or the Host Name, as
ldaps://HOSTNAME
If you have a nonstandard SSL certificate installed on your LDAP server
you need to contact KACE Support for assistance before proceeding. A
nonstandard certificate can be an internally-signed or a chain certificate
that is not from a major certificate provider such as Verisign.
LDAP Port Number Enter the LDAP Port number, which is either 389 (LDAP) or 636 (LDAPS).
Search Base DN Enter the Search Base DN.
For example:
CN=Users,DC=kace,DC=com

Search Filter Enter the Search Filter.
For example:
(&(sAMAccountName=admin)(memberOf=CN=financial,DC=kace,DC=com))
LDAP Login Enter the LDAP login.
For example:
LDAP Login: CN=Administrator,CN=Users,DC=kace,DC=com
LDAP Password Enter the password for the LDAP login.

If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP
Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to Chapter 11,
“Importing Users,” starting on page 201.
4. Click Save.
Each time a machine checks into the KBOX, this query will run against the LDAP server. The admin
value in the 'Search Filter' will be replaced with the name of the user that is logged onto this machine.
If a result is returned, then the machine gets the label specified in the Associated Label field.

NOTE: To test your Filter, click the Test button and review the results.
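
The check-in query described above, as an added example that is not KBOX code: it substitutes the logged-on user name for the admin placeholder in the guide's sample Search Filter and evaluates the result against two constructed directory entries. The guide does not say how the appliance treats special characters in the substituted name, so the RFC 4515 escaping, the function names and the simplified filter matcher are assumptions made for illustration.

```python
import re

# The Search Filter example from this guide; "admin" is the placeholder value.
TEMPLATE = "(&(sAMAccountName=admin)(memberOf=CN=financial,DC=kace,DC=com))"

# Constructed directory entries for illustration (attribute values are lists).
DIRECTORY = [
    {"sAMAccountName": ["jdoe"], "memberOf": ["CN=financial,DC=kace,DC=com"]},
    {"sAMAccountName": ["asmith"], "memberOf": ["CN=engineering,DC=kace,DC=com"]},
]


def escape_filter_value(value):
    """Escape the RFC 4515 special characters (backslash, *, parentheses, NUL)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template, placeholder, user, escape=True):
    """Substitute the logged-on user name for the placeholder assertion value."""
    value = escape_filter_value(user) if escape else user
    return template.replace("=%s)" % placeholder, "=%s)" % value)


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _value_regex(raw):
    """An unescaped '*' is a wildcard; everything else matches literally."""
    parts = [re.escape(_unescape(p)) for p in raw.split("*")]
    # Assumption: values compare case-insensitively, as sAMAccountName does.
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


def parse_filter(text, i=0):
    """Parse one '(...)' filter at text[i]; return (node, index after it)."""
    if text[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i:i + 1] in ("&", "|", "!"):
        op, i, kids = text[i], i + 1, []
        while text[i:i + 1] == "(":
            kid, i = parse_filter(text, i)
            kids.append(kid)
        if text[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError("malformed %r filter" % op)
        return (op, kids), i + 1
    end = text.find(")", i)
    attr, sep, raw = text[i:end].partition("=") if end >= 0 else ("", "", "")
    if not sep or not attr or "(" in raw:
        raise ValueError("malformed comparison at offset %d" % i)
    return ("=", attr.lower(), _value_regex(raw)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one directory entry."""
    if node[0] == "=":
        _, attr, pattern = node
        values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
        return any(pattern.fullmatch(v) for v in values)
    op, kids = node
    results = [matches(k, entry) for k in kids]
    if op == "&":
        return all(results)
    return any(results) if op == "|" else not results[0]


def label_applies(user, directory=DIRECTORY, escape=True):
    """True if the rendered filter returns at least one entry (label is set)."""
    text = render_filter(TEMPLATE, "admin", user, escape)
    node, end = parse_filter(text)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return any(matches(node, e) for e in directory)


if __name__ == "__main__":
    # Columns: user name, result with escaping, result with plain replacement.
    for name in ("jdoe", "asmith", "*"):
        print(name, label_applies(name), label_applies(name, escape=False))
```

With escaping, a user name of `*` is compared literally and matches nothing; with plain string replacement it becomes a wildcard and the financial label would be applied.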

You can also create an LDAP Filter using the LDAP Browser.

To create an LDAP Filter using the LDAP Browser:

1. Select Reporting | LDAP Filters.


2. Select Add New Item Using LDAP Browser from the Choose action drop-down list. The LDAP
Filter: Edit Detail page appears.
3. Enter the following information:

Enabled Select the check box to enable.


Filter Type Select the filter type.
Associated Label Name Select the label to associate with this filter. This field is
mandatory.
Associated Label Notes If any notes are entered in the label definition, these notes are
automatically populated in this field.

4. Click Next to configure the LDAP settings. The LDAP Browser Wizard is displayed. For more
information on how to use the LDAP Browser Wizard, refer to “LDAP Browser Wizard,” on page 245.

User Authentication
Instead of setting up users individually on the Users tab, you can configure the KBOX 1000 Series for local
authentication, or External LDAP Server Authentication. The KBOX can then access a directory service
(such as LDAP) for user authentication. This allows users to log into the KBOX 1000 Series Administrator
portal using their domain user name and password, without having to add users individually from the
Users tab.

To configure the KBOX for user authentication:

1. Select Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click User Authentication. The KBOX Settings: Authentication page appears.
3. Click the [Edit Mode] link.
4. Specify the Authentication method you want to use:

KBOX (local Authentication) Select this option to enable local authentication.
If local authentication is enabled, the password is authenticated against the
existing entries in the local database at Help Desk | Users.
By default the Local authentication is set to enabled.
External LDAP Server Authentication Select this option to enable external user authentication.
External authentication can be used against an LDAP server or Active Directory
server.
If External LDAP Server Authentication is enabled, the password is authenticated
against the External LDAP Server.
Contact KACE customer support if you need assistance with this process.

If the External LDAP Server Authentication is enabled, provide credentials for
administrative login.
The LDAP user configured should at least have READ access to the "search base" area.
If you do not specify an LDAP user name, then an anonymous bind is attempted.

5. Click Edit Mode to edit External LDAP Server Authentication fields. Click the appropriate icons next to
the server name to perform described actions:

Icon Description
Schedules a user import for this server

Modifies the server definition

Removes the server

Changes the order of the server in the list of servers

6. You can have more than one LDAP Server/Directory configured. Click Add New Server to add a new
LDAP Server.

All servers must have a valid IP address or Host Name entered in the Server Host
Name field, or the KBOX will wait to time out on an invalid IP address, resulting in
login delays when using LDAP Authentication.

7. Complete the external server definition by specifying the following information.

Server Friendly Name Enter a name for the server.


Server Host Name (or IP) Enter IP or Host Name of the LDAP Server.
Note: For connecting through SSL, use the IP or the Host Name, as
ldaps://HOSTNAME
If you have a nonstandard SSL certificate installed on your LDAP
server you need to contact KACE Support for assistance before
proceeding. A nonstandard certificate can be an internally-signed or a
chain certificate that is not from a major certificate provider such as
Verisign.
LDAP Port Number Enter the LDAP Port number, which is either 389 (LDAP) or 636 (LDAPS).
Search Base DN Enter the Search Base DN.
For example:
CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter Enter the Search Filter.
For example: (samaccountname=admin)
LDAP Login Enter the LDAP login.
For example:
LDAP Login:
CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com
LDAP Password (if required) Enter the password for the LDAP login.
Role Required. Enter the user’s role:
Admin Role: This user can log on to and access all features of
the administrator UI and User Portal or Help Desk. Admin role is
the default role.
ReadOnly Admin Role: This user can log on, but cannot modify
any settings in the administrator UI and User Portal or Help
Desk.
User Role: This user can log on only to the User Portal or Help
Desk.
Login Not Allowed—This user cannot log on to the User Portal or
Help Desk.
Note: The roles listed above are system-provided roles and are not
editable. To create a new role, refer to Chapter 11, “Roles,” starting on
page 203.

The user can log on to Help Desk only if the optional Help Desk Module is installed.

8. Click Apply to save your changes.


9. To test LDAP settings, enter a password in the Test User password field, then click Test LDAP Settings.
If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP
Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP
Browser Wizard,” on page 245.

To schedule a User Import:

1. Click Edit Mode to edit External LDAP Server Authentication fields.

2. Click the icon next to the server name in the list of servers to schedule a user import.
The User Import : Schedule - Choose attributes to import: Step 1 of 3 page appears.
3. The LDAP Server Details are displayed:

LDAP Server This is a Read-only field that displays the IP or Host Name of the LDAP
Server.
LDAP Port Displays the LDAP Port number which could be either 389 (LDAP)/636
(LDAPS). This is a Read-only field.
Search Base DN This is a read only field that displays the Search Base DN.
Search Filter This is a read only field that displays the Search Filter.
LDAP Login This is a read only field that displays the LDAP login.
LDAP Password The LDAP login password. This is a Read-only field.

4. Specify the attributes to import.

Attributes to retrieve Specify the attributes to retrieve.


For example:
samaccountname, objectguid, mail, memberof, displayname, sn, cn,
userPrincipalName, name, description
Note: You can leave this field blank to retrieve all attributes, but this
may make the import process slow and is not recommended.
Label Attribute Enter a label attribute. For example, memberof.
Label Attribute is the attribute on a customer item that returns a list of
groups this user is a member of. The union of all the label attributes will
form the list of Labels you can import.
Label Prefix Enter the label prefix. For example, ldap_
Label Prefix is a string that is added to the front of all the labels.

Binary Attributes Enter the Binary Attributes. For example, objectsid.
Binary Attributes indicates which attributes should be treated as binary
for purposes of storage.
Max # Rows Enter the maximum number of rows. This limits the result set that is returned in
the next step.
Debug Output Select the check box to view the debug output in the next step.

If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP
Browser Wizard. For more information on how to use the LDAP Browser Wizard, refer to “LDAP
Browser Wizard,” on page 245.

5. In Email Notification section, Click to enter the recipient’s e-mail address, or choose Select user to
add from the drop-down list.
6. In Scheduling section, specify the scan schedule:

Don’t Run on a Schedule Select this to not have the user import run on a schedule.
Run Every day/specific day at HH:MM AM/PM Select to run the schedules on the specified day at the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM Select to run the tests at the specified time on the 1st, 2nd, or any
other date of every month or only the selected month.

7. Click Next.
The User Import : Schedule - Define mapping between User attributes and LDAP attributes: Step 2 of 3
page opens.
8. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP
server into the User record on the KBOX. The fields in Red are mandatory. The LDAP Uid must be a
unique identifier for the user record.
9. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays
a list of all the Label Attribute values that were discovered in the search results.
10. Click Next.
11. Review the information displayed in the tables below. The Users to be Imported table displays the list of
users reported and the Labels to be Imported table displays the list of labels reported. The Existing
Users table and the Existing Labels table display the list of Users and Labels that are currently on the
KBOX. Only users with an LDAP UID, User Name, and E-mail value will be imported. Any records that do
not have these values are listed in the Users with invalid data table.
12. Click Next to start the import.
The User Import : Schedule - Import data into the KBOX: Step 3 of 3 page opens.
13. Click Import Now to save the schedule information and load the user information into the KBOX.
After importing, you will be taken to the User list page, where you can edit the imported user records.

14. Click Save to save schedule information.
After saving, you will be taken to the KBOX Settings: Authentication page.

The imported user can log on to and access all features of the administrator UI and
User Portal or Help Desk depending on the role assigned.
The optional Help Desk Module must be installed for logging on to the Help Desk.

CHAPTER 14

KBOX Settings - System Admin

The KBOX is an easy-to-deploy Systems Management Appliance. It comes
with features that deliver all you expect from a distribution management
system and more. This chapter guides you to install and set up the KBOX
appliance to work in your environment.

“Configuring General Settings for the Server,” on page 256
“Configuring Network Settings for the Server,” on page 258
“Managing System Console Users,” on page 260
“Configuring Security Settings for the Server,” on page 262
“Configuring AMP Settings,” on page 266
“Configuring Date & Time Settings of the KBOX Server,” on page 268
“Troubleshooting Tools,” on page 268
“Single Sign-On,” on page 269
“The KBOX Summary,” on page 273

Configuring General Settings for the Server
This section covers the general server configuration settings you should modify before you use the KBOX.

To configure General Settings for the Server:

1. Select KBOX Settings | Control Panel.


2. Click General Settings. The KBOX General Settings page appears. Click [Edit Mode] to edit the field
values.
3. Specify the following settings:

Company-Institution Name Enter the name of your company. This name appears in every pop-up window or
alert displayed to your users. For example, KACE.
User Email Suffix Enter the domain to which your users send e-mail. For example, kace.com.
System Administrator Email Enter the e-mail address of the KBOX administrator.
This address receives system-related alerts, including any critical messages.
Login Organization Drop-down Select the check box to enable the Login Organization Drop-down.
When the Login Organization drop-down is enabled, the empty Organization: field
on the Welcome login page is replaced by a drop-down of the configured
organizations.
Note: The organization field or drop-down only appears if more than one
organization is configured.
Organization Fast Switching Select the check box to enable Organization Fast Switching.
When Organization Fast Switching is enabled, the static Organization: field at the
top right corner of every page is replaced with a drop-down of organizations to
which the user has access.
Only those organizations that have the same user name and password appear in
the drop-down.
Send to Kace Crash reports Select the check box to send a report to KACE in the
event of a KBOX crash.
This option is recommended, since it provides additional
information to the Kace Technical Support team in case
you need assistance.
Enable AppDeploy Live! Select the check box to enable your KBOX to share data
with the AppDeploy Live! web site.

4. Specify the following Agent-Server Task settings:

Current KBOX Load Average This value depicts the load on the KBOX server at any given
point of time. For the KBOX UI to remain responsive, the value
in this field must be between 0.0 and 10.0.
Last Task Throughput Update This value indicates the date and time when the KBOX Task
Throughput was last updated.

KBOX Task Throughput At any given point of time, the KBOX has multiple tasks
scheduled such as Inventory, Scripting, Patching updates and
execution of scripts. The value in this field governs how the
scheduled tasks are balanced by the KBOX. The larger the value,
the more tasks the KBOX attempts, and the greater the
load on system resources.
Note: The value of the KBOX Task Throughput can be
increased only in the following scenario:
Current KBOX Load Average is not higher than 10.0
Last Task Throughput Update time exceeds 15 minutes
Agent "Download Throttle" This setting determines the maximum number of KBOX
Agents that can download packages at one point in time.
The packages are not deployed on machines after the Package
Download Throttle has been reached.
For example, if the value is set to 100 and 100 agents are
connected and receiving a deployment, the 101st agent is
deferred until one of these 100 agents has finished
communicating with the KBOX.

5. Specify the following User Portal settings if required to customize the User Portal page:

Portal Title Enter a title for the user portal page.


Portal Text Enter a description of the user portal page.
iPhone Portal Title Enter a title for the user portal page when accessed through iPhone.
iPhone Portal Text Enter a description of the user portal page when accessed through iPhone.

6. Click Set Options to save your changes.


7. Specify the following Logo Override setting to use your custom report logo. Click [Edit Mode] to edit
the field value.

Custom Report Logo (.jpg) Displayed at the top of reports generated by the KBOX 1000 Series for each of
the organizations associated with it.
The report image dimensions are 120x32 pixels; this is specified in the
auto-generated XML layout. You can adjust the XML report if you need a different
layout size.

8. Click Upload Logo.

List of Open Ports required for the KBOX Server
Please ensure that the following ports are not blocked by your firewall. These ports are required to access the
KBOX server.

Port Number Use


21 To access backup files through FTP
25 If the KBOX SMTP Server is to be used
80 HTTP
443 SSL
3306 To access the KBOX database
8080 Connects directly to Tomcat
8443 Connects directly to Tomcat
52230 For the KBOX Agent(s) to connect to the KBOX SERVER via AMP

Configuring Network Settings for the Server
The key KBOX network settings are mostly configured when you log into the KBOX for the first time using
the konfig/konfig credentials, but an administrator can verify or change the settings at any time on the
KBOX.

Any changes made to the Network settings on this page will force the KBOX to reboot
after saving. Total reboot downtime should be 1 to 2 minutes provided that the changes
result in a valid configuration.

To configure the KBOX Network Settings:

1. Select KBOX Settings | Control Panel.


2. Click Network Settings. The KBOX Network Settings page appears. If fields are grayed out, you may
need to click [Edit Mode] before you can edit the field values.
3. Specify the following settings:

KBOX Server (DNS) Hostname and KBOX Web Server Name We recommend adding a static IP entry for “kbox” to your DNS, and using the
default Hostname and Web Server Name. The fully-qualified domain name of
the KBOX on your network is the value of Hostname concatenated with
Domain.
For example, kbox.kace.com.
The clients will connect to KBOX using the Web Server Name, which can be
the hostname, fully-qualified domain name, or IP address.
For example, kbox.

Static IP Address The IP address of the KBOX server.
Note: Be extremely careful when changing this setting. If the IP address is
entered incorrectly, refer to the KBOX console and use the konfig login to
correct it.
Domain The domain that the KBOX is on. The default value is corp.kace.com
Subnet mask The subnet mask of the network that the KBOX is on. The default value is 255.255.255.0
Default gateway Your default gateway.
Primary DNS The primary DNS server the KBOX should use to resolve hostnames.
Secondary DNS The secondary DNS server the KBOX should use to resolve hostnames. This is
an optional setting.
Network Speed Your network speed. The network speed setting should match the setting of
your local LAN switch. When set to auto negotiate the system automatically
determines the best value. This requires the switch to support auto-negotiate.
Otherwise contact your network administrator for the exact setting to be
used.

4. To set Network Server Options, perform the following steps under Network Server Options:
a Set the external SMTP Server, to enable e-mail notifications through this SMTP server. To set SMTP
Server, select the Use SMTP Server check box, and then enter the SMTP Server name in the SMTP
Server box.
The server named here must allow anonymous (non-authenticated) outbound mail transport.
Ensure that your organization’s network policies allow the KBOX to contact the SMTP server directly.
The mail server must be configured to allow relaying of mail from the KBOX without authentication.
You can test the e-mail service by using Network utilities. For more information on how to use
Network Utilities, refer to “Troubleshooting Tools,” on page 268.
b To set Proxy Server, select the Use Proxy Server check box, and then specify the following proxy
settings, if necessary:
Proxy Type Enter the proxy type, either HTTP or SOCKS5
Proxy Server Enter the name of the proxy server
Proxy Port Enter the port for the proxy server, the default port is 8080
Proxy (Basic) Auth Select the check box to use the local credentials for accessing the proxy
server
Proxy Username Enter the user name for accessing the proxy server
Proxy Password Enter the password for accessing the proxy server

The KBOX includes support for a proxy server which uses basic, realm-based authentication, that is, a proxy
server which prompts for a username and password as shown in the following figure.

If your proxy server uses some other kind of authentication you must add the IP address of the KBOX
on the exception list of the proxy server.
5. Click Set Options to set the Network Server options.

Managing System Console Users


When logged in as a system administrator, you can add users to access the System Console. When adding
users, be sure to specify the correct user permission level.

If you want to set up users for a specific organization, log into that organization.

To add a user:

1. Select KBOX Settings | Control Panel.


2. Click Users. The KBOX System Admin Users page appears.
3. In the Choose action drop-down list, select Add New Item. The KBOX System Admin: Edit Detail
page appears.
4. Enter the necessary user details. Do not specify illegal characters in any field.

User Name Enter the name the user types to enter the system console. This field is
mandatory.
Full Name Enter user’s full name. This field is mandatory.
Email Enter user’s e-mail address. This field is mandatory.
Domain Enter an active directory domain. This field is optional.
Budget Code Enter the financial department code. This field is optional.
Location Enter the name of a site or building. This field is optional.
Work Phone Enter the user’s work phone number. This field is optional.
Home Phone Enter the user’s home phone number. This field is optional.
Mobile Phone Enter the user’s mobile phone number. This field is optional.

Pager Phone Enter the user’s pager phone number. This field is optional.
Custom 1, Custom 2, Custom 3, Custom 4 Enter information in the custom fields if necessary. This field is optional.
Password Enter the password for the new user. Blank or empty passwords are not valid for
new users. The user will be created but the user cannot be activated without a
valid password. This field is mandatory.
Confirm Password Reenter the user’s password. This field is mandatory.
Permissions Specify the user’s logon permissions. This field is mandatory:
Admin—This user can log on to and access all features of the system
console.
ReadOnly Admin—This user can log on, but cannot modify any settings in
the system console.

5. Click Save.

To delete a user:

1. Select KBOX Settings | Control Panel.


2. Click Users. The KBOX System Admin Users page appears.
You can delete users in two ways:
From the Users List view
From the KBOX System Admin: Edit Detail page.
3. To delete users, do one of the following:
From the Users List view, select the check box beside the user, then select Delete Selected
Item(s) from the Choose action drop-down list.
From the KBOX System Admin: Edit Detail page, click Delete.
4. Click OK to confirm deleting the selected user.

To change the password:

1. Select KBOX Settings | Control Panel.


2. Click Users. The KBOX System Admin Users page appears.
3. Click the user name whose password you want to change. The KBOX System Admin: Edit Detail page
appears.
4. Modify the password as follows:

Password Enter the password for the new user. Blank or empty passwords are not valid for
new users. The user will be created but the user cannot be activated without a
valid password. This field is mandatory.
Confirm Password Reenter the user’s password. This field is mandatory.

5. Click Save to save the changes.

Configuring Security Settings for the Server
Security Settings are not mandatory but are required to enable certain functionalities like Samba Share,
SSL settings, SNMP, SSH, Offbox DB Access, and FTP access on the KBOX Server. To use any of the
Security Settings features, you must enable them.

If you make changes to the security settings, the KBOX will need to be rebooted before
any changes can take effect.

To configure Security Settings:

1. Select KBOX Settings | Control Panel.


2. Click Security Settings. The KBOX Security Settings page appears.
3. Click [Edit Mode] to edit the security settings fields.
4. In the General Security Settings area, specify the following security settings:

SSH Enabled Select this check box if you want to permit someone to login to the
KBOX via SSH.
Enable backup via ftp Select this check box if you want to enable backup via ftp. The KBOX
creates a backup of the database and the files stored on it, daily. By
default, these files can be accessed by you via a read-only ftp server.
Refer to Chapter 16, “To access the backup files through ftp:,” starting on
page 295.
If you do not need this feature and want to disable the FTP server,
clear this check box.
Secure backup files Select this check box if you want to prevent users from accessing the
KBOX backup files without logging on to the KBOX.
Note: If the Secure backup files check box is not selected, the KBOX
backup files can still be accessed by entering their full URL in a
browser, without logging on to the KBOX.
Enable SNMP monitoring Select this check box if you want to allow SNMP monitoring. SNMP
is a network or appliance monitoring protocol that is supported by
many third party products.
If you do not want to expose the KBOX SNMP data, clear this check
box.
Enable database access Select this check box if you want to allow the KBOX database access.
The KBOX database is accessible via port 3306, to allow you to run
reports via an off-board tool like Access or Excel.
If you do not want to expose the database in this way, clear this check
box.

5. In the Samba Share Settings area, specify the following settings:

Enable Organization File Shares Select this check box if you want to allow each organization to leverage
the KBOX's client share as an install location for the client.
The KBOX has a built-in Windows file server that can be used by the
provisioning service to assist in distributing the KBOX Client on your
network. KACE recommends that this file server only be enabled when
performing client software installs.
Require NTLMv2 on KBOX File Shares Select this check box if you want to require NTLMv2 authentication for the
KBOX file shares. When you enable this option, the clients connecting
to the KBOX File Shares require support for NTLMv2 and have to
authenticate to the KBOX using NTLMv2. Enabling this option disables
"lanman auth" and "ntlm auth" on the samba server.
Note: NTLMv2 is more secure than NTLM and LANMAN, but non-
NTLMv2 configurations are more common, and this option is usually
turned off.
Require NTLMv2 on KBOX Samba Client Usage Certain functions on the KBOX are supported via samba client functions
(e.g. Agent Provisioning). Select this check box if you want to force
these functions to authenticate to off-board network file shares using
NTLMv2. Enabling this option enables the "client ntlmv2 auth" option on
samba client functions.
Note: NTLMv2 is more secure than NTLM and LANMAN, but non-
NTLMv2 configurations are more common, and this option is usually
turned off.

6. In the Optional SSL Settings area, specify the following settings, if required:

Enable port 80 access: When you activate SSL, port 80 continues to be active unless the
Enable port 80 access check box is cleared. By default, the standard KBOX Agent installers
attempt to contact the KBOX via port 80, and then switch to SSL over port 443 after getting
the server configuration. If you disable port 80, you need to contact KACE Support to adjust
the agent deployment scripts to handle SSL. For ease of agent deployment, leave port 80
active.

SSL Enabled on port 443: Select this check box if you want to allow the clients to check in
to the KBOX server using https. Refer to “SSL Certificate Wizard,” on page 264.

If you have your own SSL certificate and SSL private key, click [Edit Mode] to edit the
field values. In the Set SSL Private Key File field, browse to the SSL Private Key file,
and in the Set SSL Certificate File field, browse to the signed SSL Certificate.

Note: Switching over to SSL is a one-way automatic shift for the clients. If you later
decide not to use SSL, the clients need to be reconfigured manually.

7. Click Set Security Options to save the changes and reboot the KBOX.

8. In the Download New Patch Definitions area, click [Edit Mode] to edit the fields and
specify the following:

Disable download of new patches: Select to disable the download of new patches.

Download Every day/specific day at HH:MM AM/PM: Select to download the patches on the
specified day at the specified time.

Download on the nth of every month/specific month at HH:MM AM/PM: Select to download the
patches at the specified time on the 1st, 2nd or any other date of every month or only of
the selected month.

9. In the Stop Download Of Patch Definitions area, click [Edit Mode] to edit the field
values and specify the following:

Allow download of patch definitions to complete: Select to allow the download of the patch
definitions to complete.

Stop patch download process by at HH:MM AM/PM: Select to stop the download of the patches at
the specified time.

10. Click Set Patching Options to save the changes and reboot the KBOX.

SSL Certificate Wizard


A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid
Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX
1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct
SSL Private Key File and SSL Certificate File.
The files must be in Privacy Enhanced Mail (PEM) format, similar to those used by Apache-based Web
servers, and not in the PKCS-12 format used by some Web servers. It is possible to convert a PKCS-12
certificate into PEM format using software like the OpenSSL toolkit. Contact KACE Technical Support if
you wish to enable SSL on your KBOX.

To enable SSL, you need the correct SSL Private Key file and a signed SSL Certificate. If
your private key has a password, it will prevent the KBOX from restarting automatically.
Contact KACE support if you have this issue.

To generate an SSL certificate using the wizard:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Security Settings. The KBOX Security Settings page appears.
3. Click SSL Certificate Wizard. The KBOX Advanced SSL Settings page appears.
4. Click [Edit Mode] to edit the fields and specify the following:

Country Name Enter the name of your country.


State or Province Name Enter the name of your State or Province.
Locality Name Enter your locality name.
Organization Name Enter the name of your organization.
Organization Unit Name Enter the name of the unit your organization belongs to.

Common Name Enter the common name of the KBOX for which you are creating the SSL
certificate.
e-mail Enter your e-mail address.

5. Click Set CSR Options. Your Certificate Signing Request is displayed in the field below the Set CSR
Options button. Copy the text between the lines “-----BEGIN CERTIFICATE REQUEST-----” and
“-----END CERTIFICATE REQUEST-----”, including these two lines, and then send it to the person who
provides your company with web server certificates.
6. Your Private Key is displayed under the Private Key field. It will be deployed to the KBOX when you
upload a valid certificate and subsequently click Deploy.

Do not send the private key to anyone. It is displayed here in case you want to deploy
this certificate to another web server.
Click Create Self Signed Certificate for Deploy to be displayed.

7. Click Create Self Signed Certificate. The SSL certificate is generated. This certificate will not be
accepted by any of the KBOX clients until it is added into the trusted certificate database on every
machine running the KBOX client.
8. Click Deploy to deploy the certificates and turn on SSL on the KBOX. Click OK to reboot the KBOX.
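
The guide requires PEM files rather than PKCS-12, warns that a password-protected private key stops the KBOX from restarting automatically, and asks you to copy the CSR together with its BEGIN/END lines. The Python below is an added example (not KACE code) that checks those points on files before upload; it inspects PEM framing only, performs no cryptographic validation, and its function names and sample data are hypothetical.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
CSR_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----.*?-----END CERTIFICATE REQUEST-----",
    re.DOTALL)


def pem_blocks(data):
    """Yield (label, encrypted) for each well-formed PEM block in data (bytes)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return  # binary container (DER, PKCS#12): contains no PEM blocks
    for match in PEM_RE.finditer(text):
        label = match.group(1)
        body = match.group(2).replace("\r\n", "\n")
        encrypted = label == "ENCRYPTED PRIVATE KEY"   # PKCS#8 encrypted key
        if body.startswith("Proc-Type:"):              # traditional OpenSSL key
            headers, _, body = body.partition("\n\n")
            encrypted = encrypted or "ENCRYPTED" in headers
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # damaged base64 body: not a usable block
        yield label, encrypted


def preflight(key_file, cert_file):
    """Return the problems that would block uploading this key/certificate pair."""
    problems = []
    keys = [enc for label, enc in pem_blocks(key_file)
            if label.endswith("PRIVATE KEY")]
    cert_labels = [label for label, _ in pem_blocks(cert_file)]
    if not keys:
        problems.append("key file: no PEM private key found")
    elif any(keys):
        problems.append("key file: private key is password protected")
    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate file: no PEM certificate found")
    if any(label.endswith("PRIVATE KEY") for label in cert_labels):
        problems.append("certificate file: also contains a private key")
    return problems


def extract_csr(page_text):
    """Return the CSR including its BEGIN/END lines, or None if absent."""
    match = CSR_RE.search(page_text)
    return match.group(0) if match else None


def make_sample(label, headers=""):
    """Build a constructed PEM block with a dummy body (not real key material)."""
    body = base64.b64encode(b"constructed sample, not real key material").decode()
    pem = "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)
    return pem.encode("ascii")


if __name__ == "__main__":
    cert = make_sample("CERTIFICATE")
    legacy_encrypted = make_sample(
        "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    pkcs12_like = b"\x30\x82\x09\x00\x02\x01\x03"  # constructed binary, not PEM
    for name, key in [("plain key", make_sample("RSA PRIVATE KEY")),
                      ("encrypted key", legacy_encrypted),
                      ("binary file", pkcs12_like)]:
        print(name, "->", preflight(key, cert) or "ok")
```
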

Configuring AMP Settings
Agent Messaging Protocol (AMP) is the KBOX Communications Protocol used by the KBOX Server with its
respective KBOX Agents.
KACE's AMP includes server, client, and communications components to perform optimized real-time
communications for control of systems management operations.
AMP provides:
Persistent connection between the KBOX Server
Server driven inventory updates
Higher scalability in terms of number of nodes supported on one KBOX 1000 Server
Better scheduling control and reliability
These settings are specific to the AMP infrastructure and do not affect other KBOX configuration settings or
runtime operations. These settings control both the runtime state of the AMP server and also the
operational state of the KBOX Agent.

Changing these settings will temporarily interrupt communications between the KBOX
Appliance and the KBOX Agents. Exercise caution when changing these settings and
contact KACE Technical Support for any questions regarding these parameters.

To configure AMP Settings:

1. Select KBOX Settings | Control Panel.


2. Click AMP Settings. The KBOX AMP Settings page appears.
3. Specify the AMP General Settings:

Server Port: Specify the Server Port.

The AMP Server on the KBOX Server listens on port 52230 by default.
For the KBOX Agents to connect to the KBOX Server via AMP, the AMP protocol port 52230 must
be open and available OUTBOUND (i.e. the KBOX Agent must be able to connect through this
port number OUTBOUND without restriction from any OUTBOUND filter/firewall).
Example of an OUTBOUND restriction:
“Windows XP Firewall blocking outbound port 52230”.
Allow outbound protocol port 52230.
This can be configured in your filter/firewall software or hardware as an allowed OUTBOUND
exception.

For the KBOX Server to accept connections via AMP, the AMP protocol port 52230 must be open
and available INBOUND to the KBOX IP address (i.e. the KBOX Server must be able to accept
connections through this port number INBOUND without restriction from an INBOUND
filter/firewall).
Example of an INBOUND restriction:
“A NAT Firewall such as Cisco or SonicWall blocking INBOUND port 52230 to the KBOX IP
ADDRESS.”
Allow inbound protocol port 52230 to the KBOX Server.
This can be allowed through a One-to-One Inbound NAT Policy.

Note: If you change the default AMP port of 52230, you must update the allowed
OUTBOUND/INBOUND port on your filter/firewall.

Enable Server Debug: Select the check box to enable different levels of "server"
debug/logging to the server's log file.

Enable SSL for AMP: Select the check box to enable SSL for AMP. The activation of SSL is for
AMP only. The check box must be selected to activate SSL over AMP even though the general
KBOX settings may have SSL enabled already. This allows AMP traffic to be configured
separately as unencrypted even though all other KBOX communication is SSL encrypted.
Note: Select the check box only if SSL is already enabled on the KBOX and you want the
client-to-server AMP traffic to be encrypted.

4. Click Save and Restart to save the settings and restart the AMP server.
5. You can click Restart AMP Server to restart the AMP server without saving the settings.

Restarting the AMP Server will not restart the KBOX.
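
The Security Settings and AMP settings above each open or close a TCP port, and the firewall notes describe how a filter on the path can contradict the setting. The Python below is an added example (not part of the KBOX product) that compares the intended state of each setting with what answers on the network from the machine it is run on; port 21 for the backup FTP server is an assumption (the FTP default), the other ports are the ones this guide states, and the function names are hypothetical.

```python
import socket

# Settings from this guide mapped to the TCP port each one exposes.
# Port 21 is an assumption (FTP default); the guide does not state it.
SETTING_PORTS = {
    "Enable port 80 access": 80,
    "SSL Enabled on port 443": 443,
    "Enable database access": 3306,
    "AMP Server Port": 52230,
    "Enable backup via ftp": 21,
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host answered, nothing is listening on the port
    except OSError:
        return "filtered"   # timeout or unreachable: typically a firewall drop


def audit(host, intended, ports=SETTING_PORTS, probe_fn=probe):
    """Return findings where the observed port state contradicts a setting.

    intended maps a setting name to True (check box selected) or False
    (check box cleared). Each finding is (setting, port, state, reason).
    """
    findings = []
    for setting, enabled in intended.items():
        port = ports[setting]
        state = probe_fn(host, port)
        if enabled and state != "open":
            reason = ("service is not listening" if state == "refused"
                      else "blocked by a filter/firewall on the path")
            findings.append((setting, port, state, reason))
        elif not enabled and state == "open":
            findings.append((setting, port, state,
                             "still exposed after being disabled"))
    return findings


if __name__ == "__main__":
    # Constructed example of an intended configuration: agents use AMP and
    # ports 80/443, while database and FTP access are meant to be off.
    wanted = {
        "Enable port 80 access": True,
        "SSL Enabled on port 443": True,
        "AMP Server Port": True,
        "Enable database access": False,
        "Enable backup via ftp": False,
    }
    # "kbox" is the default host name this guide mentions; replace as needed.
    for setting, port, state, reason in audit("kbox", wanted):
        print("%s (tcp/%d): %s, %s" % (setting, port, state, reason))
```

Run it once from an agent machine and once from the KBOX's own network segment: a port that is open locally but filtered from the agent side points at the OUTBOUND or INBOUND firewall rules rather than at the appliance settings.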

Configuring Date & Time Settings of the
KBOX Server
It is very important to keep the time of the KBOX accurate as most time calculations are made on the
server.

When updating the time zone, the KBOX Web Server will be restarted in order for it to
reflect the new zone information. Active connections may be dropped during the restart
of the web server. After saving changes, this page will automatically refresh after 15
seconds.

To configure Date & Time settings:

1. Select KBOX Settings | Control Panel.


2. Click Date & Time Settings. The KBOX Date & Time Settings page appears.
3. Click [Edit Mode] link to edit the field values.
4. Specify the following information:

Last Updated: Displays the date and time when the settings were last updated. It is a
read-only field.
Current Time: Displays the current date and time. It is a read-only field.
Time Zone: Select the appropriate time zone from the drop-down list.
Automatically synchronize with an Internet time server: Select the check box to
automatically synchronize the KBOX time with an Internet time server. Enter the time server
in the text box. For example, time.kace.com
Set the clock on the KBOX manually: Select the check box to manually set the KBOX clock.
Select the appropriate time and date from the drop-down lists.

5. Click Set Options to set the date & time settings.

Troubleshooting Tools
The KBOX Troubleshooting Tools page contains tools to help KBOX administrators and KACE Technical
Support to troubleshoot problems with this KBOX.
To access the KBOX Troubleshooting Tools page, go to Settings | Support | Troubleshooting Tools.
The Troubleshooting Tools page appears.
You can use Network Utilities to test various aspects of this KBOX's network connectivity.

To use Network Utilities:

1. Select Settings | Support. The KBOX Settings: KACE Support page appears.
2. Click Troubleshooting Tools. The Troubleshooting Tools page appears.
3. Click the [Edit Mode] link.
4. Enter the IP Address in the text box.

5. Select the appropriate network utility from the drop-down list.
6. Click Test.
You can download KBOX Troubleshooting Logs. KACE Technical Support may request that you
send them KBOX Troubleshooting Logs to help in troubleshooting some issues. Click the click here
link to download KBOX Troubleshooting Logs.
Select the Enable Tether check box under KACE Support Tether to allow KACE Technical Support to
access your KBOX.
Enter the key supplied by KACE in the text box. KACE Technical Support will provide you a key when
this type of support is required.

Single Sign-On
The Single Sign-On feature (KBOX Linking and Manage Linked KBOX Appliances) enables users to
authenticate once and gain access to multiple KBOXs. The Single Sign-On feature allows users to switch
between different KBOXs without having to log in to each appliance individually.
KBOX linking allows owners of multiple KBOX appliances to easily switch between their different KBOX
management consoles. To configure KBOX appliance linking on your network, select the Enable
KBOX Appliance Linking check box on each appliance. Each KBOX appliance must be given a unique
friendly name, for example, “KBOX A”. The other appliances are shown preceded
by this unique name in the fast switching drop-down list located in the top left-hand corner of the user
interface. This name (KBOX A) is used to identify the appliance when it is listed in the fast switching drop-
down list located at the top right corner of each page. After you link the KBOX Appliance, you can manage
the linked KBOX Appliances from the KBOX Linked Appliances list page.

Only those appliances that have the same login username and password appear in the
fast switching drop-down list.

Only the linked appliances need to be accessible to each other. If a hostname is specified instead of an IP
address while linking two or more appliances, the hostname entry must exist in the hosts file of the
appliance. The following combinations of appliances can be linked:
KBOX 1000 and KBOX 2000 appliances
KBOX 1000 and KBOX 1000 appliances

Linking KBOX Appliances Settings


Click the Linking KBOX Appliances Settings link on the KBOX Settings: Control Panel page to
enable KBOX linking, set linking timeout parameters, and establish a linking key.

To configure a KBOX for linking a KBOX appliance:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Linking KBOX Appliances Settings. The Linking KBOX Appliances Settings page appears.
By default, this page is disabled.
3. Click the [Edit Mode] link. This enables the Linking KBOX Appliances Settings page.
4. Select the Enable KBOX Appliance Linking check box to enable the linking.

Once linking is enabled, return to the Control Panel page and click the Manage Linked KBOX
Appliances link to configure remote KBOX appliances.

After enabling linking on the KBOX appliance, the organizations of the linked KBOX
1200 appliance are listed in the fast switching drop-down list. Only those organizations
of the KBOX 1200 appliance that have the same login username and password appear
in the fast switching drop-down list.
For linking between KBOX 1100 and KBOX 2000 or two KBOX 1100 appliances, only the
friendly name of the linked KBOX is displayed in the fast switching drop-down list.

5. Specify the following:

KBOX Friendly Name (this server): This value is used by all other KBOXs as a system
reference in the user interface.
Remote Login Expiration: This value is the amount of time, counted from the initial login to
this server, during which you can use the fast switching drop-down list to switch to a
linked KBOX Appliance without providing login credentials. After this time has elapsed, you
must provide the login credentials when switching to a linked KBOX Appliance.
Request Timeout: This value is the amount of time this server waits for a remote KBOX
Appliance to respond to a linking request.
Key Fingerprint: The Key Fingerprint is a symbolic part of the linking key from the
functionality point of view, and is not used when linking any appliances. It is generated
after you click Set Options.
Linking Key: The Linking Key is used for linking two KBOX appliances. It is generated after
you click Set Options. Copy the Linking Key details into the other KBOX appliance to link
them together.

6. Repeat the above steps to create linking for the other KBOX appliance.

To disable KBOX linking:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Linking KBOX Appliances Settings. The Linking KBOX Appliances Settings page appears. By
default, this page is disabled.
3. Click the [Edit Mode] link. This enables the Linking KBOX Appliances Settings page.
4. Clear the Enable KBOX Appliance Linking check box to disable linking.
5. Click Set Options.

Manage Linked KBOX Appliances
Click the Manage Linked KBOX Appliances link on the KBOX Settings: Control Panel page for
linking other KBOX Appliances to the KBOX you configured earlier.

If KBOX linking is not enabled, you are redirected to the Linking KBOX Appliances
Settings page when you click the Manage Linked KBOX Appliances link.

For linking two KBOX appliances, the Linking Key of one KBOX appliance (for example,
KBOX A) must be copied into the other KBOX appliance (for example, KBOX B).
Similarly, the Linking Key of the “KBOX B” appliance must be copied into the “KBOX A”
appliance.

To manage KBOX Linked Appliances:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Manage Linked KBOX Appliances. The KBOX Linked Appliances page appears.
3. Select Add New Item from the Choose action drop-down list.
The KBOX Linking Appliance: Edit Detail page is displayed.
4. Specify the following:

Remote KBOX Host Name The name of the KBOX on which linking is enabled. For example, KBOX A.
Connect using SSL Select this check box if the remote KBOX Appliance is configured for SSL.
Linking Key The linking key of the KBOX appliance on which linking is enabled. The
linking details can only be edited here.
Status Messages If the settings are configured correctly, the Connection successful
message is displayed after you click Save and Test Connection.

5. Click Save.
6. Repeat the above steps to add another KBOX appliance (for example, KBOX B).
7. Log in to the previously configured KBOX appliance (for example, KBOX A) and copy the linking key.
Paste it in the Linking Key field of KBOX B.
8. Similarly, copy the linking key from the KBOX B appliance and paste it in the Linking Key field of KBOX
A.
9. Click Save.
10. Click Test Connection to verify the linking between the two linked KBOX appliances.
11. Log in to the KBOX again to see the newly updated linked KBOX Appliances with the friendly name
prefixed in the fast switching drop-down list.

The KBOX Linked Appliances page contains the fields described in the table below:

Field Description

Host Name Indicates the host name.


Status Indicates whether the host was unavailable or the connection was successful.
Key Fingerprint Displays the key fingerprint associated with the KBOX linked appliance.

Table 14-1: Provisioned Configurations Page Fields

You can now navigate from one KBOX appliance to another and then back to the
previous KBOX appliance from the fast switching drop-down list using the Single Sign-
On feature. The login credentials should be the same for the two KBOX appliances for
them to be linked.

To delete a KBOX linked appliance:

1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.
2. Click Manage Linked KBOX Appliances. The KBOX Linked Appliances page appears.
3. Select the check box beside the KBOX Link Appliance(s) you want to delete.
4. Select Delete Selected Item(s) from the Choose action drop-down list.
5. Click OK to confirm deletion.
After a linked appliance is deleted, you can still switch between the appliances until you log off from
the KBOX Server and log in again. After you log off and log in again, the linked appliance no longer
appears in the fast switching drop-down list, and you cannot switch between the appliances.

The KBOX Summary
The KBOX Summary page provides information about the configuration and operation of your KBOX
appliance. When you log on to the KBOX System Console, by default the System Home module displaying
the System Summary tab appears.

To View KBOX Summary:

1. Select Home | Summary. The KBOX System Summary page appears.


2. The sections that follow provide a description of the summary information that is displayed.
3. Click Refresh to refresh the information displayed.

Client Check-In Rate


Displays the total number of clients that have checked in to the server in an hour.

The counter automatically adjusts if the number increases beyond one hundred.

Web Server Load
Displays the number of apache sockets connected to the server.

The counter automatically adjusts if the number of sockets connected increases beyond
one hundred.

Tasks in Progress
Displays the total number of tasks in progress on server.

To view KBOX Summary details:

1. Select Home | Summary. The KBOX Summary page appears.


2. Scroll down, and then click View Details. The KBOX System Summary Details page appears.
3. The sections that follow provide a description of the summary details provided.
The summary displayed is for all the organizations of the KBOX Server. Clicking a displayed link
opens the corresponding report for the respective type.

As this page is refreshed, the record count information is refreshed. A new KBOX
installation will mostly contain zero or no record counts.

KBOX Version
Provides information about the KBOX version that you are currently running.
For example, the KBOX server build at your end is 4.3.16712.
KACE releases a new patch for the server build 4.3.16712. The patch name is 4.3.16800 and it is
pushed to the corporate server.
If you click the Check for upgrade button on the KBOX Settings | Server Maintenance page, the
latest build is available in the Upgrade KBOX field on the KBOX Settings: Server Maintenance page. Click
Upgrade now to upgrade your KBOX Server to build 4.3.16800.
The “An upgrade to 4.3.16800 is now available” link also appears on the Home | Summary page.

Computer Statistics
Provides a summary of the computers on your network, including a breakdown of the operating systems in
use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX
license key, you are notified of it here.

Software Statistics
Provides a summary of the software in the KBOX Inventory. The summary includes the number of software
titles that have been uploaded to the KBOX.

Software Distribution Summary


Provides a summary of the packages that have been distributed to the computers on your network,
separated out by distribution method. The summary also indicates the number of packages that are
enabled and disabled.

Alert Summary
Provides a summary of the alerts that have been distributed to the computers on your network, separated
by message type. This also indicates the number of alerts that are active and expired.

The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.

Patch Bulletin Information


Provides a summary of the patches received from Microsoft. The summary includes the date and time of
the last patch (successful and attempted), total patches, and total packages downloaded.

OVAL Information
Provides a summary of the OVAL definitions received and the number of vulnerabilities detected on your
network. The summary includes the date and time of the last OVAL download (successful and attempted)
and the number of OVAL tests in the KBOX, in addition to the numbers of computers that have been
scanned.

Network Scan Summary


Provides a summary of the results of Network Scans run on the network. The summary includes the
number of IP addresses scanned, the number of services discovered, the number of devices discovered, as
well as the number of detected devices that are SNMP-enabled.

CHAPTER 15

Organizations - System Admin

The KBOX 1000 Series System Management Appliances organization feature enables you to create
different organizations within your KBOX. Roles can be assigned to these organizations to limit
access to specific tabs.

“Overview of Organizations,” on page 278


“Creating and Editing Organizations,” on page 278
“Organizational Roles,” on page 284
“Creating and Editing Organizational Roles,” on page 284
“Organizational Filters,” on page 287
“Creating and Editing Organizational Filters,” on page 287
“KBOX Computers,” on page 290

Overview of Organizations
The KBOX 1000 Series System Management Appliances organization feature enables you to group
machines to allow for a high level of separation between logical areas of responsibility within a company.
Each such group is referred to as an Organization. This feature is accessible to the system administrator
through the System Administrative Console. The system administrator creates these organizations and
assigns them roles to limit access to specific tabs. The administrators of each organization cannot view or
perform activities on machines that belong to organizations other than their own.

Default Organization
The default organization receives everything coming into the KBOX. The default organization allows the
administrator to view or perform activities on machines in all organizations. If a machine is not set in a
filter, the machine goes to the default organization.

Creating and Editing Organizations


You can create new organizations or edit the existing organizations from the KBOX Organizations page by
going to Organizations | Organizations tab. It is recommended that you first create the roles and then
create the organizations, since it is mandatory to specify the role while creating an organization.

To create an organization:

1. Select Organizations | Organizations. The KBOX Organizations page appears.


2. Select Add New Item from the Choose action drop-down list. The KBOX Organization: Edit Detail
page appears.
3. Enter Organization information as follows:

Record Created Displays the date and time that the Organization was first created.
This field is read-only.
Record Last Modified Displays the date and time that the Organization was last modified.
This field is read-only.
Name Enter the name for the new organization. This field is mandatory.
Description Enter the description for the new organization.
Role Select the appropriate role from the drop-down list.
Note: You should first create the role by going to Organizations |
Roles tab, before you can select that specific role from this list.

4. Click Save.
After clicking Save you will be taken to the next page.
5. Scroll down and click the [Edit Mode] link.
6. Enter the following information:

Record Created Displays the date and time that the Organization was first created.
This field is read-only.
Record Last Modified Displays the date and time that the Organization was last modified.
This field is read-only.

Name Enter a name for the organization. This field is mandatory. This
field retains the information you specified in the previous page.
You can modify the name if required.
Description Enter the description for the organization. This field retains the
information you specified in the previous page. You can modify the
description if required.
Role Select the appropriate role from the drop-down list. This field
retains the role you selected in the previous page. You can modify
this selection if required.
Note: You must first create the role by going to Organizations |
Roles tab, before you can select that specific role from this list.
Organization Filters Select the filter that will be used to direct a new machine checking
into the KBOX to this organization. Press CTRL and click
to select more than one filter.
Note: You must first create the filter by going to Organizations |
Filters tab, before you can select that specific filter from this list.
Computer Count Displays the number of computers checking in to the organization.
This field is read-only.
Database Name Displays the name of the database the organization is using. This
field is read-only.
Report User Displays the report user name used to generate all reports in the
specific organization.
With a report user name, you can provide access to the organizational
database (for additional reporting tools) without giving
write access to anyone.
Report User Password Enter the report user password.

7. Specify the agent settings for the organization:

Field: Communications Window
Suggested Setting: 12:00 AM to 12:00 AM
Notes: The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000
Series appliance. For example, to allow the KBOX Agent to connect between 1:00 AM and
6:00 AM only, select 1:00 AM from the first drop-down list, and 6:00 AM from the second
drop-down list.

Field: Agent “Run interval”
Suggested Setting: 1 hours
Notes: The interval at which the KBOX Agent checks in to the KBOX 1000 Series. Each time a
KBOX Agent connects, it resets its connect interval based on this setting. The default
setting is once every hour.

Field: Agent “Inventory Interval”
Suggested Setting: 0
Notes: The interval (in hours) at which the KBOX Agent inventories the computers on your
network. If set to zero, the KBOX 1000 Series inventories clients at every Run Interval.

Field: Agent “Splash Page Text”
Suggested Setting: KBOX is verifying your PC Configuration and managing software updates.
Please Wait...
Notes: The message that appears to users when communicating with the KBOX 1000 Series.

Field: Scripting Update Interval
Suggested Setting: 15 minutes
Notes: Set the frequency with which the KBOX Agent should download new script definitions.
The default interval is 15 minutes.

Field: Scripting Ping Interval
Suggested Setting: 600 seconds
Notes: Set the frequency with which the KBOX Agent should test the connection to the KBOX
1000 Series appliance. The default interval is 600 seconds.
To view historical connection information, go to KBOX Settings | Logs. Click Stats.

Field: Agent Log Retention
Notes: Agent Log Retention determines whether the server stores the scripting result
information that comes up from the agents. The default is to store all the results. This
can have a performance impact on the KBOX. Turning this off gives you less information
about what each client is doing, but allows the agent check-ins to process faster.

8. Click Save.

To troubleshoot clients which fail to show up in the inventory:

Sometimes a machine does not show up in the KBOX Inventory after the KBOX Agent is installed.
By default, the KBOX Agent communicates with the KBOX using http over port 80. Assuming
network connectivity is in place, newly installed KBOX Agents can fail to connect to the KBOX during
first-time setup because of problems with the default "KBOX" host name in DNS.
1. If you set up the KBOX in your DNS using a host name other than the default "kbox", or need agents to
reach KBOX by using the IP address instead of the DNS name, you must install the KBOX Agent
specifying the SERVER property. For example,
Windows:
c:\>KInstallerSetup.exe -server=mykbox -display_mode=silent
or
c:\>KInstallerSetup.exe -server=192.168.2.100 -display_mode=silent

Macintosh®:
/Library/KBOXAgent/Home/bin/setkbox mykbox
or
/Library/KBOXAgent/Home/bin/setkbox 192.168.2.100
Linux:
/KACE/bin/setkbox mykbox
or
/KACE/bin/setkbox 192.168.2.100

Solaris:
/KACE/bin/setkbox mykbox
or
/KACE/bin/setkbox 192.168.2.100
2. To correct the server name for an already-installed client, edit the "ServerHost" value in:
Windows:
c:\program files\kace\kbox\config.xml

Macintosh®:
/var/kace/kagentd/kbot_config.yaml
Linux:
/var/KACE/kagentd/kbot_config.yaml
Solaris:
/var/KACE/kagentd/kbot_config.yaml
3. Verify that you are able to ping the KBOX and reach it via a web browser at http://kbox.
4. Verify that Internet Options are not set to use a proxy, or that the proxy is excluded for the local
network or the KBOX.
5. Verify that no firewall or anti-spyware software is blocking communication between the KBOX and any
of the agent components, including:
KBOXManagementService.exe
KBOXClient.exe
KUpdater.exe
kagentd (OS X/ Unix)
6. Verify that the KBOXManagementService.exe (Windows) or the kagentd (OS X/ Unix) processes
are running. The agent will show up as 'perl' in the OS X Activity Monitor.
If after verifying these items, you are still unable to get the agent to connect to the KBOX, contact KACE
Support for further assistance.
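
The configuration, DNS and port checks from steps 2, 3 and 5, as an added Python example that is not part of the guide or of KACE's tooling. It assumes kbot_config.yaml stores the value as a "ServerHost: value" line; that format and the sample configuration are constructed for illustration.

```python
import re
import socket

DEFAULT_HOST = "kbox"  # default server name, per the guide
AGENT_PORT = 80        # agent uses http over port 80 by default, per the guide
CONFIG_PATH = "/var/KACE/kagentd/kbot_config.yaml"  # Linux/Solaris path from the guide

# Constructed sample. The "ServerHost: value" line format is an assumption.
SAMPLE_CONFIG = "# constructed sample\nServerHost: mykbox\n"


def read_server_host(config_text):
    """Return the configured ServerHost, or None when it is missing or empty."""
    m = re.search(r"^[ \t]*ServerHost[ \t]*:[ \t]*(.*)$", config_text, re.MULTILINE)
    if not m:
        return None
    value = m.group(1).strip().strip("'\"")
    return value or None


def resolve(host):
    """Return the sorted addresses the name resolves to; empty list on failure."""
    try:
        infos = socket.getaddrinfo(host, AGENT_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_open(host, port=AGENT_PORT, timeout=3.0):
    """True when a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(config_text, resolver=resolve, connector=port_open):
    """Run the checks in order and return (check, passed, detail) tuples."""
    findings = []
    host = read_server_host(config_text)
    if host is None:
        findings.append(("config", False,
                         f'no ServerHost value; testing default "{DEFAULT_HOST}"'))
        host = DEFAULT_HOST
    else:
        findings.append(("config", True, f"ServerHost is {host}"))
    addresses = resolver(host)
    if not addresses:
        findings.append(("dns", False,
                         f"{host} does not resolve; use a resolvable name or the IP"))
        return findings  # no point testing the port without an address
    findings.append(("dns", True, f"{host} -> {', '.join(addresses)}"))
    reachable = connector(host)
    detail = "reachable" if reachable else "blocked or closed; check firewall and proxy"
    findings.append((f"tcp/{AGENT_PORT}", reachable, detail))
    return findings


if __name__ == "__main__":
    try:
        with open(CONFIG_PATH, encoding="utf-8") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_CONFIG  # fall back to the constructed sample
    for check, passed, detail in diagnose(text):
        print(f"[{'ok' if passed else 'FAIL'}] {check}: {detail}")
```

The resolver and connector are parameters so the same logic can be exercised without network access.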

To edit an organization:

1. Select Organizations | Organizations. The KBOX Organizations page appears.


2. Click the linked name of the organization. The KBOX Organization : Edit Detail page appears.
3. Scroll down and click the [Edit Mode] link.
4. Edit the organization details:

Record Created: Displays the date and time that the Organization was first created. This is a read-only field.
Record Last Modified: Displays the date and time that the Organization was last modified. This is a read-only field.
Name: Enter a name for the organization. This field is mandatory. This field retains the information you specified in the previous page. You can modify the name if required.
Description: Enter the description for the organization. This field retains the information you specified in the previous page. You can modify the description if required.
Role: Select the appropriate role from the drop-down list. This field retains the role you selected in the previous page. You can modify this selection if required.
Note: You must first create the role by going to Organizations | Roles tab, before you can select that specific role from this list.
Organization Filters: Select the filter that will be used to direct a new machine checking into the KBOX to this organization. Press CTRL and click to select more than one filter.
Note: You must first create the filter by going to Organizations | Filters tab, before you can select that specific filter from this list.
Computer Count: Displays the number of computers checking in to the organization. This field is read-only.
Database Name: Displays the name of the database the organization is using. This field is read-only.
Report User: Displays the report user name used to generate all reports in the specific organization. By having a report user name you can provide access to the organizational database (for additional reporting tools), but not give write access to anyone.
Report User Password: Enter the report user password.

5. Specify the agent settings for the organization:

Table 15-1: Agent Settings

Communications Window
    Suggested setting: 12:00 AM to 12:00 AM
    Notes: The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1:00 AM and 6:00 AM only, select 1:00 AM from the first drop-down list, and 6:00 AM from the second drop-down list.

Agent “Run Interval”
    Suggested setting: 1 hours
    Notes: The interval that the KBOX Agent will check into the KBOX 1000 Series. Each time a KBOX Agent connects, it will reset its connect interval based on this setting. The default setting is once every hour.

Agent “Inventory Interval”
    Suggested setting: 0
    Notes: The interval (in hours) that the KBOX 1000 Series appliance will inventory the client computers on your network. If set to zero, the KBOX 1000 Series will inventory clients at every Run Interval.

Agent “Splash Page Text”
    Suggested setting: KBOX is verifying your PC Configuration and managing software updates. Please Wait...
    Notes: The message that appears to users when communicating with the KBOX 1000 Series.

Scripting Update Interval
    Suggested setting: 15 minutes
    Notes: Set the frequency with which the KBOX Agent should download new script definitions. The default interval is 15 minutes.

Scripting Ping Interval
    Suggested setting: 600 seconds
    Notes: Set the frequency with which the KBOX Agent should test the connection to the KBOX 1000 Series appliance. The default interval is 600 seconds. To view historical connection information, go to KBOX Settings | Logs. Click Stats.

Agent Log Retention
    Notes: Agent Log Retention disallows the server from storing the scripting result information that comes up from the agents. The default is to store all the results. This can have a performance impact on the KBOX. Turning this off gives you less information about what each client is doing, but allows the agent check-ins to process faster.



6. Click Save.

The default credentials admin/admin are automatically created when you create an
organization.

To delete an organization:

1. Select Organizations | Organizations. The KBOX Organizations page appears.


2. Click the linked name of the organization. The KBOX Organization : Edit Detail page appears.
3. Scroll down and click the [Edit Mode] link.
4. Click Delete to delete the organization. A confirmation message appears.
5. Click OK to confirm deleting the organization. Else, click Cancel to cancel the deletion.

Organizational Roles
Roles are assigned to each organization to limit access to different tabs in the Administrator Console and
the User Portal. You can restrict what tabs an organization is allowed to see when the administrator logs in
to the Administrator Console and the user logs in to the User Portal.
Following are the permissions that can be applied for each tab.
Write:
The organization will have write access for the tab. The administrator or user will be able to edit the
fields present on the screen.
Read:
The organization will have only read access for the tab. The administrator or user will not be able to
edit the fields present on the screen, or to add, edit, or delete any item present
in the list.
Hide:
The tab will be hidden and the administrator or user will not be able to view that tab.

Default Role
The default role has access to all tabs in the Administrator Console and the User Portal, with
write access for all tabs. The administrator or user will be able to edit the fields present on the
screen.

Creating and Editing Organizational Roles


You can create new roles or edit the existing roles from the Organizational Roles page by going to
Organizations | Roles tab. It is recommended that you first create the roles and then create the
organizations, since it is mandatory to specify the role while creating an organization.

To create a role:

1. Select Organizations | Roles. The Organizational Roles page appears.


2. Select Add New Item from the Choose action drop-down list. The Organizational Role : Edit Detail
page appears.
3. Enter the Role information as follows:

Record Created: Displays the date and time that the Organization was first created. This field is read-only.
Record Last Modified: Displays the date and time that the Organization was last modified. This field is read-only.
Name: Enter the name for the new organization. This field is mandatory.
Description: Enter the description for the new organization.

4. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All]
link to expand all the tabs.
5. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective
permission to all the sub tabs. Or click the Custom option to assign the appropriate permission to
individual sub tabs.
6. If you click the Custom option, select the appropriate permission from the drop-down list next to each
tab.
7. Under Permissions USER Console, click the UserUI link to expand it.
8. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective
permission to all the sub tabs. Or click the Custom option to assign the appropriate permission to
individual sub tabs.
9. If you click the Custom option, select the appropriate permission from the drop-down list next to each tab.
10. Click Save.

If you assign HIDE permission to General Settings and User Authentication under
Settings, then the Control Panel tab is hidden.
For users upgrading from 1100 to 1200: if, when using 1100, you assigned HIDE
permission to all tabs other than Logs and Server Maintenance under Settings, then
after upgrading to 1200 the Settings tab is hidden from the Administrator Console.

From KBOX 1000 Release 4.3 onwards, you can set and edit the permissions for the Virtual
Kontainers tab from the Organization Role: Edit detail page. You must have the
appropriate KBOX license to access the Virtual Kontainer tab on this page.

To edit a role:

1. Select Organizations | Roles. The Organizational Roles page appears.


2. Click the linked name of the role. The Organizational Role: Edit Detail page appears.
3. Edit the role details:

Record Created: Displays the date and time that the Organization was first created. This field is read-only.
Record Last Modified: Displays the date and time that the Organization was last modified. This field is read-only.
Name: Enter the name for the new organization. This field is mandatory.
Description: Enter the description for the new organization.

4. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All]
link to expand all the tabs.
5. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective
permission to all the sub tabs. Or click the Custom option to assign the appropriate permission to
individual sub tabs.
6. If you click the Custom option, select the appropriate permission from the drop-down list next to each tab.
7. Under Permissions USER Console, click the UserUI link to expand it.
8. Under each tab, click the All Write option, All Read option or the All Hide option to assign the
respective permission to all the sub tabs. Or click the Custom option to assign the appropriate
permission to individual sub tabs.
9. If you click the Custom option, select the appropriate permission from the drop-down list next to each tab.
10. Click Save.

To delete a role:

1. To delete a role, do one of the following:


- From the Organizational Roles page, select the check box beside the role, then select Delete
  Selected Item(s) from the Choose action drop-down list.
- From the Organizational Role: Edit detail page, click Delete.
2. Click OK to confirm deleting the role. Else, click Cancel to cancel the deletion operation.

To duplicate a role:

1. Select Organizations | Roles. The Organizational Roles page appears.


2. Click the role you want to duplicate. The Organizational Role : Edit Detail page appears.
3. Click Duplicate to duplicate the organization details. The page refreshes.
4. Enter the Role information as follows:

Name: Enter a name for the role. This is a mandatory field.
Description: Enter the description for the role.

5. Click Save.
The Associated Organizations table displays the list of organizations associated with this role.

Organizational Filters
Filters are used to direct a new machine checking into the KBOX to the appropriate organization. Each
organization can be assigned more than one filter. The filters execute according to the ordinal specified
when the filters are created. If a machine does not match any filter, it goes to the default organization.
A machine can be directed to the appropriate organization in the following ways:
- One or more filters are executed against the machine that is checking in. If one
  of the filters is successful, the machine is redirected to the correct organization.
- If no filter matches the machine, it is put into the default
  organization. The system administrator can then manually move that machine from the
  default organization to the appropriate organization.

Filters are of two types:

Data Filter:
A Data Filter allows the automatic organization of machines based on search criteria. Whenever
machines that check in meet the criteria, they are directed to the specific organization.
LDAP Filter:
An LDAP Filter allows the automatic organization of machines based on LDAP or Active Directory
interaction. The filter is applied to the external server and, if any entries are returned, they are
automatically organized.

If the external server requires credentials for administrative login (that is, non-anonymous
login), supply those credentials. If no LDAP user name is given, then an anonymous
bind will be attempted. Each LDAP filter may connect to a different LDAP/AD server.

Creating and Editing Organizational Filters


You can create new filters or edit the existing filters from the Organizational Filters page by going to
Organizations | Filters tab.

To add a data filter:

1. Select Organizations | Filters. The KBOX Organization Filters page appears.


2. Select Add New Data Filter from the Choose action drop-down list. The KBOX Organization Filter :
Edit Detail page appears.
3. Enter the Filter information as follows:

Enabled: Select the check box to enable the data filter. You have to enable the filter in order to use it.
Name: Enter a name for the filter.
Description: Enter the description for the filter.
Evaluation Order: Enter a number. The filter will be executed according to the evaluation order specified.

4. Enter the Machine Filter Criteria.


5. Select an attribute from the drop-down list. For example, IP Address.

6. Select the condition from the drop-down list. For example, contains.
7. Enter the Attribute Value. For example, XXX.XX.*
In the above example, machines from the specified IP range will be filtered and directed to the
organization to which this filter is applied.
Note: You can add more than one criterion.
8. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND.
9. Click the Add Criteria link to add one more criterion.
10. Click Save.
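
How ordered, enabled filters route a machine at check-in, as an added Python model that is not KBOX code. It assumes that "contains" is a case-insensitive substring match in which * is a wildcard and that criteria combine left to right; the filter names, organizations and machines are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

DEFAULT_ORG = "Default"  # where unmatched machines land, per the guide


@dataclass
class Criterion:
    attribute: str            # e.g. "IP Address"
    condition: str            # only "contains" is modelled here
    value: str                # may use * as in the guide's XXX.XX.* example
    conjunction: str = "AND"  # how this criterion joins the ones before it


@dataclass
class OrgFilter:
    name: str
    organization: str
    evaluation_order: int
    enabled: bool = True
    criteria: list = field(default_factory=list)


def criterion_matches(criterion, machine):
    if criterion.condition != "contains":
        raise ValueError(f"condition not modelled: {criterion.condition}")
    actual = str(machine.get(criterion.attribute, "")).lower()
    # Assumption: the pattern may match anywhere inside the attribute value.
    return fnmatchcase(actual, "*" + criterion.value.lower() + "*")


def filter_matches(org_filter, machine):
    result = None
    for criterion in org_filter.criteria:
        hit = criterion_matches(criterion, machine)
        if result is None:
            result = hit
        elif criterion.conjunction.upper() == "AND":
            result = result and hit
        else:
            result = result or hit
    return bool(result)  # a filter without criteria matches nothing


def route(machine, filters):
    """Return (organization, winning filter, other filters that also matched)."""
    active = sorted((f for f in filters if f.enabled),
                    key=lambda f: f.evaluation_order)
    matched = [f for f in active if filter_matches(f, machine)]
    if not matched:
        return DEFAULT_ORG, None, []
    return matched[0].organization, matched[0].name, [f.name for f in matched[1:]]


# Constructed filters and machines.
FILTERS = [
    OrgFilter("Lab laptops", "Lab", 20, criteria=[
        Criterion("IP Address", "contains", "10.1.7.*"),
        Criterion("Name", "contains", "lab", "AND")]),
    OrgFilter("HQ subnet", "HQ", 10, criteria=[
        Criterion("IP Address", "contains", "10.1.*")]),
    OrgFilter("Branch", "Branch", 30, enabled=False, criteria=[
        Criterion("IP Address", "contains", "172.16.*")]),
]
MACHINES = [
    {"Name": "hq-ws-01", "IP Address": "10.1.2.15"},
    {"Name": "lab-nb-03", "IP Address": "10.1.7.40"},  # two filters match; order 10 wins
    {"Name": "br-ws-09", "IP Address": "172.16.4.2"},  # only a disabled filter matches
    {"Name": "guest-77", "IP Address": "210.1.9.8"},   # "10.1." occurs inside 210.1.9.8
]

if __name__ == "__main__":
    for m in MACHINES:
        org, winner, shadowed = route(m, FILTERS)
        print(f"{m['Name']:10} -> {org:8} via {winner} (also matched: {shadowed})")
```

Under these assumptions the last machine shows how a "contains" criterion on IP Address can over-match, and the second shows a narrower filter being shadowed by a broader one with a lower evaluation order.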

To add a LDAP filter:

1. Select Organizations | Filters. The KBOX Organization Filters page appears.


2. Select Add New LDAP Filter from the Choose action drop-down list. The KBOX Organization LDAP
Filter : Edit Detail page appears.
3. Enter the Filter information as follows:

Enabled: Select the check box to enable this filter. You have to enable the filter in order to use it.
Name: Enter a name for the filter.
Description: Enter the description for the filter.
Evaluation Order: Enter a number. The filter will be executed according to the evaluation order specified.

4. Enter the LDAP Machine Filter Criteria.

Server Host Name (or IP): Specify IP or Host Name of the LDAP Server.
Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME
LDAP Port Number: Specify the LDAP Port number which could be either 389 / 636 (LDAPS).
Search Base DN: Enter the Search Base DN.
For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com
Search Filter: Specify the Search Filter.
For example: (samaccountname=admin)
LDAP Login: Specify the LDAP login.
For example:
LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com
LDAP Password (if required): Enter the password for the LDAP login.

5. To test your Filter, click Test LDAP Filter.

6. Click Save.

To edit a filter:

1. Select Organizations | Filters. The KBOX Organization Filters page appears.


2. Click the linked name of the filter. The KBOX Organization Filter : Edit Detail page appears.
3. Edit the filter details:

Enabled: Select the check box to enable this filter. You have to enable the filter in order to use it.
Name: Enter a name for the filter.
Description: Enter the description for the filter.
Evaluation Order: Enter a number. The filter will be executed according to the evaluation order specified.

4. Edit the Machine Filter Criteria.


5. Select an attribute from the drop-down list. For example, IP Address.
6. Select the condition from the drop-down list. For example, contains.
7. Specify the Attribute Value. For example, XXX.XX.*
In the above example, machines from the specified IP range will be filtered and directed to the
organization to which this filter is applied.
Note: You can add more than one criterion.
8. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND.
9. Click the Add Criteria link to add one more criterion.
10. To test your Filter, click Test Filter.
11. Click Save.

To delete a filter:

1. To delete a filter, do one of the following:


- From the KBOX Organization Filters page, select the check box beside the filter, then select Delete
  Selected Item(s) from the Choose action drop-down list.
- From the KBOX Organization Filter : Edit Detail page, click Delete.
2. Click OK to confirm deleting the filter. Else, click Cancel to cancel the deletion operation.

KBOX Computers
The KBOX Computers page lists all the machines that are checking into the KBOX. It displays details for
each computer, such as Name, Organization (the organization the computer is currently checking into),
Last Sync (when the computer last checked in to the KBOX), Description, and IP Address.

Advanced Search
Although you can search computer inventory using keywords like Windows XP, or Acrobat, those types of
searches might not give you the level of specificity you need. Advanced search, on the other hand, allows
you to specify values for each field present in the inventory record and search the entire inventory listing
for that value. For example, you might need to know which computers have a particular version of BIOS
installed so that you can upgrade only the affected machines.

To specify advanced search criteria:

1. Click the Advanced Search tab.


2. Select an attribute from the drop-down list. For example, IP Address.
3. Select the condition from the drop-down list. For example, contains.
4. Specify the Attribute Value. For example, XXX.XX.*
In the above example, machines from the specified IP range will be searched.
Note: You can add more than one criterion.
5. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND.
6. Click Search. The search results will be displayed below.
You can refilter the computers displayed in the list. For more information, refer to “Refiltering
Computer(s),” on page 291.
You can redirect the computers displayed in the list. For more information, refer to “Redirecting
Computer(s),” on page 291.

Test Organization Filter


You can test an existing organization filter to check whether it is getting applied to the computers.

To test an organization filter:

1. Click the Test Organization Filter tab.


2. Select the appropriate filter from the drop-down list.
3. Click Test. The test results will be displayed below.
You can refilter the computers displayed in the list. For more information, refer to “Refiltering
Computer(s),” on page 291.
You can redirect the computers displayed in the list. For more information, refer to “Redirecting
Computer(s),” on page 291.
Note: If you do not see any computers listed in the test results, then either there are no existing
computers that match the machine filter criteria you have set up or the machine filter criteria are invalid.
You can edit the machine filter criteria. For more information on how to edit a filter, refer to “Creating
and Editing Organizational Filters,” on page 287.

Refiltering Computer(s)
You can refilter computers, which rechecks them against all filters. For example, you can
check whether a filter you created is being applied correctly to the intended computers. First create the
new filter on the Organizations | Filters tab. Then, on the KBOX Computers page, refilter the
computers. For each computer to which the filter has been applied, the Organization column displays the
new organization name in red beside the old organization name.

To refilter computer(s):

1. Select Organizations | Computers. The KBOX Computers page appears.


2. Select the check box beside the computer(s) that you want to refilter.
3. Select Refilter Selected Computer(s) from the Choose action drop-down list, to recheck the
computers against all filters.

Redirecting Computer(s)
You can redirect a computer to a different organization. For example, if a computer is checking into
organization A, you can redirect that computer to organization B. The next time the computer checks
in, it will check into organization B.

To redirect computer(s):

1. Select Organizations | Computers. The KBOX Computers page appears.


2. Select the check box beside the computer(s) that you want to redirect.
3. Select the appropriate organization name under Change Sync to Organization, from the Choose
action drop-down list, to redirect the computer(s) to the appropriate organization.

Understanding Computer Details


To view computer details:

1. Select Organizations | Computers. The KBOX Computers page appears.


2. Click the name of the computer whose details you want to view. The Computers : Detail Item page
appears.
3. To expand the sections, click Expand All. Click on a heading to expand or collapse it.
The Computer Detail page provides details about a computer’s hardware, software, install, patch, help
desk, and OVAL vulnerability history, among other attributes. The computer details displayed here are
the same as those displayed from Inventory | Computers. The main difference is that this Computers :
Detail Item page does not display Security details for any machine. For the rest of the
computer details, refer to Chapter 3, “Computers Inventory,” starting on page 58.

CHAPTER 16

Server Maintenance - System Admin

This chapter describes the most commonly used features and functions that the System Administrator
will use in administering and maintaining your KBOX.

“The KBOX Maintenance Overview”
“Backing up the KBOX Data”
“Restoring the KBOX Settings”
“Updating the KBOX Software”
“Updating Patch Definitions”
“Updating OVAL Definitions”
“Troubleshooting the KBOX”

The KBOX Maintenance Overview
The KBOX Settings | Server Maintenance page allows you to perform a variety of functions to maintain and
update the KBOX 1000 Series appliance, such as:
- Access the most recent KBOX server backups
- Upgrade your KBOX 1000 Series server to newer server versions
- Retrieve updated OVAL definitions
- Restore to backed-up versions and also create a new backup of the KBOX 1000 Series at any time
The KBOX Settings | Server Maintenance tab also enables you to reboot and shut down the KBOX, as
well as update the KBOX license key information.
From the Server Maintenance tab you can:
- Upgrade the KBOX appliance
- Update OVAL vulnerability definitions
- Create a backup of the KBOX appliance
- Enter or update the KBOX License Key
- Restore to most recent backup
- Restore to factory default settings
- Restore from uploaded backup files
- Reboot the KBOX
- Shut down the KBOX

The following sections describe some of the most commonly used features of the KBOX Settings |
Server Maintenance tab.

Upgrading the KBOX


Whenever KACE comes up with a new patch for the server build, it makes it available on the corporate
server. The KBOX will check kace.com nightly for recommended upgrades, which you can apply from the
server maintenance page.

To upgrade your KBOX :

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click Check for Upgrade.
If the upgrade is available, the label Available Upgrade along with the build number is displayed. Click
the [Release Notes] link to view the release notes of the available build.
If the upgrade is not available, the label ‘Your KBOX is up to date’, is displayed.
4. Click Upgrade Now to upgrade to the available build. When the KBOX has finished applying the
upgrade, it will reboot with the latest features.

Backing up the KBOX Data
By default, the KBOX 1000 Series automatically runs a backup at 2:00 AM and creates two files on the
backup drive: kbox_dbdata.gz, containing the database backup, and kbox_file.tgz, containing any files and
packages you have uploaded to the KBOX 1000 Series appliance.

Backing up the KBOX Manually


In some cases, you might want to invoke a KBOX backup before the nightly backup occurs.
In such cases, you can create a KBOX backup manually.

To create a KBOX backup manually:

1. Select KBOX Settings | Server Maintenance.


2. Scroll down and click the [Edit Mode] link.
3. Beside Run nightly KBOX Backup script, click Run Backup.
After creating the backup, the KBOX Settings | Logs tab will appear.

Downloading Backup Files to another location


The backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or
during an upgrade or migration to new hardware. The KBOX 1000 Series contains only the most recent
backup files.
For a greater level of recoverability (for instance if you want to keep rolling backups), you can offload the
backup files to another location so that they can be restored later if necessary. You can access the backup
files for downloading from the System Admin UI as well as through ftp.

To download backup files to another location:

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Click the backup links on the sidebar.

Figure 16-1: Links to backup files (one link contains the database backup; the other contains the files
and packages you have uploaded to the KBOX)

3. Click Save in the alert that appears, then specify a location for the files.
4. Browse to the location where you want to store the files, then click Save.

To access the backup files through ftp:

1. Open a command prompt.

2. At the C:\ prompt, type:
ftp kbox
3. Enter the following login credentials:
Username: kbftp
Password: getbxf
4. Type the following ftp commands:

Figure 16-2: FTP command for accessing backup files
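
One way to keep rolling, verified copies of the two backup files, as an added Python example that is not part of the guide and does not reproduce the commands in Figure 16-2. It assumes both files can be retrieved by name from the FTP login directory; the local directory name and the retention count are hypothetical.

```python
import gzip
import hashlib
import shutil
import zlib
from datetime import datetime
from ftplib import FTP
from pathlib import Path

BACKUP_FILES = ("kbox_dbdata.gz", "kbox_file.tgz")  # file names from the guide


def gzip_ok(path):
    """True when the file is non-empty and decompresses to the end (CRC verified)."""
    if Path(path).stat().st_size == 0:
        return False
    try:
        with gzip.open(path, "rb") as fh:
            while fh.read(1 << 20):
                pass
        return True
    except (OSError, EOFError, zlib.error):
        return False


def fetch_backups(ftp, dest_root, stamp=None, keep=7):
    """Download both files into dest_root/<stamp>/, verify them, prune old sets."""
    if keep < 1:
        raise ValueError("keep must be at least 1")
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    target = Path(dest_root) / stamp
    target.mkdir(parents=True, exist_ok=False)
    digests = {}
    try:
        for name in BACKUP_FILES:
            local = target / name
            digest = hashlib.sha256()
            with open(local, "wb") as out:
                def sink(chunk):
                    out.write(chunk)
                    digest.update(chunk)
                ftp.retrbinary("RETR " + name, sink)
            if not gzip_ok(local):
                raise ValueError(f"{name}: truncated or corrupt gzip stream")
            digests[name] = digest.hexdigest()
    except Exception:
        shutil.rmtree(target, ignore_errors=True)  # never keep a partial set
        raise
    sums = "".join(f"{d}  {n}\n" for n, d in digests.items())
    (target / "SHA256SUMS").write_text(sums)
    # Rolling retention: timestamped directory names sort chronologically.
    sets = sorted(p for p in Path(dest_root).iterdir() if p.is_dir())
    for old in sets[:-keep]:
        shutil.rmtree(old)
    return target, digests


if __name__ == "__main__":
    with FTP("kbox", timeout=30) as ftp:           # appliance host name from the guide
        ftp.login("kbftp", "getbxf")               # credentials from the guide
        print(fetch_backups(ftp, "kbox-backups"))  # hypothetical local directory
```

A set is kept only when both files pass the gzip check, so a transfer that was cut short never replaces an older good copy.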

Restoring the KBOX Settings


The backup files are used to restore your KBOX configuration in the event of data loss or during an
upgrade or migration to new hardware. Restoring any type of backup file will destroy the data currently
configured in the KBOX Server. KACE recommends offloading any backup files or data that you want to
keep before performing a restore.

Restoring from most recent backup


The KBOX 1000 Series has a built-in ability to restore files from the most recent backup directly from the
backup drive. You can access the backup files from the KBOX Administrator UI or through ftp.

To restore from the most recent backup:

1. Click KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click the Restore from Backup button.

Uploading Files to Restore Settings


If you have off-loaded your backup files to another location, you can upload those files manually, rather
than restoring from the backup files stored on the KBOX.

To upload backup files:

1. Click KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. In the Database Backup Files field, click Browse and locate the backup file.
4. In the KBOX Backup Files field, click Browse and locate the backup file.

5. Click Restore from Upload Files.

Restoring to Factory Settings


The KBOX 1000 Series has a built-in ability to restore the KBOX back to its factory settings. To view the
factory settings refer to “Setting Up the KBOX Server,” on page 4.

To restore to factory settings:

1. Click KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click the Restore Factory Settings button.

Updating the KBOX Software


Part of maintaining your KBOX appliance involves updating the software that runs on the KBOX server. This
process also involves verifying that you are using the minimum required version of the KBOX, as well as
updating the license key in the KBOX to reflect the current product functionality.

Verifying Minimum Server Version


Before applying this update, verify your KBOX server version meets the minimum version requirement.

To verify minimum server version:

1. Open your browser and go to the URL for the KBOX appliance (http://kbox/admin).
2. Click the About KBOX link located at the bottom of the page.

Figure 16-3: About KBOX (shows the Server Version)

Updating the license key
After installing an upgrade to the KBOX server, you may need to enter a new KACE license key to fully
activate the KBOX. You should have the new license key to upgrade your KBOX 1000 Series appliance.

Updating your KBOX license key:

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Under License Information, enter your new license key.
4. Click Save License.

Applying the server update


If you are using a previous version of the KBOX, you must apply the earlier updates separately before
continuing. Refer to the release notes for your version of the KBOX to determine the minimum updates.

To apply the server update:

1. Download the kbox_upgrade_server_XXXX.bin file and save it locally.
2. Open your browser to http://kbox/admin.
3. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
4. Scroll down and click the [Edit Mode] link.
5. Under Update KBOX, click Browse, and locate the update file you just downloaded.
6. Click Update KBOX.
When the file has completed uploading, your KBOX will reboot with the latest features.

Verifying the update


After applying the upgrade, verify successful completion by reviewing the update log.

To verify the upgrade:

1. Select KBOX Settings | Logs.


2. Select Updates from the Current log drop-down list.
3. Review the Update log for any error messages or warnings.
4. Click About KBOX in the upper right corner to verify the current version.

Patch Definitions
Although the definitions for Microsoft patches are updated automatically on a scheduled basis, you can
retrieve the latest files manually from the Server Maintenance page.

Updating Patch Definitions


You update patch definitions as follows:

To update the patch definitions:

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click Update Patching to update your patch definitions.

Deleting Patch files


You can delete downloaded patches as follows:

To delete patch files:

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click Delete Patch All files to delete all the patch files downloaded.
4. Click Delete Unused Patch files to delete unused downloaded patch files.

Enhanced Content
You can enable or disable Enhanced Content as follows:

To enable enhanced content:

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click Enable Enhanced Content to switch to the EC (Enhanced Content) Mode.

To disable enhanced content:

1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears.
2. Scroll down and click the [Edit Mode] link.
3. Click Disable Enhanced Content to switch to the Non-EC (Enhanced Content) Mode.

After changing the EC mode, you should update patches. To do so, click Update Patching beside the
Update Patch Definitions from KACE field.
The Patch Subscription Settings page displays the language support only when EC is enabled.

The following table depicts the difference between EC Mode and Non-EC Mode:

| Criteria | EC Mode | Non-EC Mode |
|---|---|---|
| KBOX Agent Versions Supported | Only the 4.3+ agents. You upgrade all the existing KBOX Agents to 4.3 version before switching to this mode. | All 4.x agents with traditional patching content supported. |
| Effect on Replication Share | Disables any ongoing update to any older 4.x Replication Shares. Replication updated only for 4.3+ agents. | All 4.x agents access patching data from any configured Replication Shares that have the Maintain 4.2 Replication Share enabled. |
| Operating System Specifics | Supports: Microsoft Windows Server 2008. Not Supported: Microsoft Windows Server 2003 SP3, Microsoft Windows XP SP1. | Not Supported: Microsoft Windows Server 2008. |
| Language Support | English, French, German, Italian, and Spanish. | English only. |

Table 16-4: Differences between EC Mode and Non-EC Mode

Rebooting and shutting down the KBOX appliance


You may need to reboot the KBOX appliance from time to time when troubleshooting or upgrading the
KBOX settings. When rebooting the KBOX, you should always do so by clicking the Reboot KBOX button
located on the KBOX Settings | Server Maintenance tab.
Before you perform any hardware maintenance, shut down the KBOX and then unplug the appliance. You
can shut down the KBOX appliance either by pressing the power button ONCE, quickly, or by clicking the
Shutdown KBOX button on the KBOX Settings | Server Maintenance tab.

You can use the Reboot and Shutdown buttons after you click the "Edit Mode" link at
the bottom of the page.

Updating OVAL Definitions


Although the definitions for OVAL vulnerabilities are updated automatically on a scheduled basis, you can
retrieve the latest files manually from the Server Maintenance page.

To update the OVAL & Patch definitions:

1. Select KBOX Settings | Server Maintenance.
2. Scroll down and click the [Edit Mode] link.
3. To update OVAL definitions, click Update OVAL.

Troubleshooting the KBOX
The KBOX provides several log files that can help you detect and resolve errors. The log files are rotated
automatically as each grows in size so no additional administrative log maintenance procedures are
required. Log maintenance checks are performed daily.
The KBOX maintains the log of all the activities performed in the last seven days. KACE Technical Support
may request that you send the KBOX Server logs if they need more information in troubleshooting an
issue. To download the logs, click the Download Logs link. For more information, see “Downloading Log
Files,” on page 301.

Accessing the KBOX Logs


You can access the KBOX Server logs by going to the KBOX Settings | Logs tab. Select the appropriate
log to view from the Current log drop-down list. This area also provides a reference for any KBOX
informational or exception notices.

| Log Type | Log Name | Description |
|---|---|---|
| Hardware | Disk Status | Displays the status of the KBOX disk array. |
| Server | KBOX Log | Displays the errors generated on the server. |
| | Access | Displays the HTTP Server's access information. |
| | Server errors | Displays errors or server warnings regarding any of the onboard server processes. |
| | Stats | Displays the number of connections the KBOX is processing over time. |
| | Updates | Displays details of any KBOX patches or upgrades applied using the Update KBOX function. |
| Client | Client Errors | Displays the KBOX Agent exception logs. |
| | AMP Server | Displays AMP server errors. |
| | AMP Queue | Displays AMP Queue errors. |

Table 16-5: Types of Server Logs

Downloading Log Files


The KBOX provides the ability to download the logs into one file directly from the System Admin UI. You
may be asked by KACE Technical Support to submit the KBOX logs in order to help diagnose a problem.

To download the KBOX logs:

1. Select KBOX Settings | Logs.
2. Click the Download logs link on the right of the Log page. The logs are downloaded in a file called
   kbox_logs.tgz.
3. Click Save.

In addition to the standard logging, there are some additional debug logs that can be enabled on a KBOX
target machine:

- KBOX Management Service—Enable debug logging on the KBOX Management Service for
  detailed information on script execution and to troubleshoot script scheduling issues.
- KBOX Agent—Enable debug logging on the KBOX Agent to troubleshoot machine inventory,
  managed installations, and file synchronizations.
- KBOX AMP Service—Enable debug logging on the Windows KBOX Agent to troubleshoot the
  on-demand running of Desktop Alerts, Run-Now scripts, and Patching. You can enable debug logging by
  configuring AMP Settings. For information on how to configure AMP Settings, refer to Chapter
  1, “Configuring AMP Settings for the Server,” starting on page 24.

Windows Debugging

To enable debug logging for the KBOX Management Service:

Stop the KBOX Management Service, edit the file C:\Program Files\KACE\KBOX\config.xml, and change
the value of the debugLoggingEnabled flag to read:
<debugLoggingEnabled>true</debugLoggingEnabled>
Now restart the KBOX Management Service. This causes KBOXManagementService to log additional
debugging information to the file KBOT_LOG.txt.

To enable the KBOX Client debug log:

Create an empty file with the name C:\Program Files\KACE\KBOX\KBCLIENT_DEBUG. This causes the
KBOX Client to log debug information to a file in the same directory named debug.log.
The KBOX Client debug log file documents the details of gathering machine inventory and executing custom
inventory rules, and lists the managed installs and file synchronizations to be run based on interaction
with the KBOX server. If an installation fails, you can reproduce the issue by running the same command
found in the debug.log file locally on the client machine. Any errors can then be tested
and investigated on the client machine.

To enable debug logging for the AMP Service:

Enable debugging for the AMP service by adding the following line to the c:\program files\kace\kbox\AMP.conf file:
debug=true

For information on debug logging on Linux, Solaris, and Macintosh® platforms, refer to
Appendix D,“Manual Deployment of the KBOX Agent,” starting on page 342.
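
The three Windows debug switches described above can be checked in one pass, for example after a troubleshooting session. The following Python script is an added example, not KACE code: the function names are hypothetical, and it assumes the install directory named above, that AMP.conf holds key=value lines, and that debug.log sits in that directory as the guide states.

```python
"""Report which KBOX agent debug switches are on (added example, not KACE code)."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Install directory named in the guide; pass another path to audit a copied folder.
DEFAULT_DIR = Path(r"C:\Program Files\KACE\KBOX")


def management_service_debug(install_dir):
    """config.xml: True/False for <debugLoggingEnabled>; None if absent or unreadable."""
    cfg = Path(install_dir) / "config.xml"
    if not cfg.is_file():
        return None
    try:
        root = ET.parse(str(cfg)).getroot()
    except ET.ParseError:
        return None
    # The guide shows only the element, not its parent, so search the whole tree.
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "debugLoggingEnabled":
            return (element.text or "").strip().lower() == "true"
    return False


def client_debug(install_dir):
    """The client debug log is switched on by the presence of an empty marker file."""
    return (Path(install_dir) / "KBCLIENT_DEBUG").exists()


def amp_debug(install_dir):
    """AMP.conf: True/False for debug=...; None if absent.

    Assumption: the file holds key=value lines and the last debug= line wins.
    """
    conf = Path(install_dir) / "AMP.conf"
    if not conf.is_file():
        return None
    enabled = False
    for line in conf.read_text(errors="replace").splitlines():
        match = re.match(r"\s*debug\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            enabled = match.group(1).lower() == "true"
    return enabled


def audit(install_dir=DEFAULT_DIR):
    """Collect the state of all three switches plus the size of debug.log, if present."""
    directory = Path(install_dir)
    switches = {
        "management_service": management_service_debug(directory),
        "client": client_debug(directory),
        "amp_service": amp_debug(directory),
    }
    log = directory / "debug.log"
    return {
        "switches": switches,
        "any_enabled": any(state is True for state in switches.values()),
        "debug_log_bytes": log.stat().st_size if log.is_file() else None,
    }


if __name__ == "__main__":
    result = audit()
    labels = {True: "ON", False: "off", None: "file not found or unreadable"}
    for name, state in result["switches"].items():
        print(f"{name:20s} {labels[state]}")
    if result["debug_log_bytes"] is not None:
        print(f"debug.log present, {result['debug_log_bytes']} bytes")
```

Because debug.log records the commands run for managed installs, its presence and size are reported alongside the switches.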

Understanding Disk Log Status Data
The log you are likely to interact with most often when troubleshooting the KBOX is the Disk Status log. If
there is a physical problem with the KBOX, that issue should be reflected here.
The KBOX 1000 Series Server and the KBOX Agent exceptions are reported every night to kace.com if you
enabled crash reporting on the KBOX Settings | General tab.

Figure 16-6: Disk status without error


Figure 16-7: Disk status with error

The figures above display the difference in the Disk status log when no error is found and when an error
exists. Although this section does not describe every possible error message that could be displayed here,
many of the errors that occur can be resolved by following the same set of steps:

| Step | Description |
|---|---|
| Step 1: Rebuild | If the disk status log error reads “Degraded”, this is an indication that you need to rebuild the array. To do this, click the Rebuild Disk Array button. Rebuilding can take up to 2 hours. If the error continues to display, proceed to step 2. |
| Step 2: Power Down and Reseat the Drives | In some cases, the degraded array may be caused by a hard-drive that is no longer seated firmly in the drive-bay. In these cases, the disk status will usually show "disk missing" for that drive in the log. Power down the KBOX 1000 Series. Once the appliance is powered off, eject each of the hard-drives and then re-insert them, making sure that the drive is firmly in the bay. Power the machine back on and then look again at the disk status log to see if that has resolved the issue. If an error state still exists, try rebuilding again or proceed to Step 3. |
| Step 3: Call KACE Technical Support | If you have completed the previous steps and are still experiencing errors, please contact KACE Technical Support by e-mail (support@kace.com) or phone (888) 522-3638 option 2. |

Table 16-8: Troubleshooting your KBOX 1000 appliances

CHAPTER 17

Reporting - System Admin

The KBOX appliance provides a variety of alerts and reporting features that enable you to communicate
easily with the users and to get a detailed view of the activity on your network.

- The KBOX Reports Overview
- Creating and Editing Reports
- Exporting Reports
- Importing Reports

The KBOX Reports Overview
The KBOX appliance ships with many included stock reports. The reporting engine utilizes XML-based
report layouts to generate reports in HTML, PDF, CSV, XLS and TXT formats.
By default, the KBOX appliance provides reports in the following general categories:
- Compliance
- Hardware
- KBOX
- Network
- Patching
- Security
- Software
- Template

Types of Reports
Within each of the general categories mentioned above, there are various reports you can run to display
information about the computers on your network. Descriptions of each type of report you can run are
provided below.

| Category | Report | Description |
|---|---|---|
| Compliance | Hotfix Compliance | Shows which computers have the specified hotfix installed. |
| Compliance | Software Compliance Simple | Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes. |
| Compliance | Software License Compliance Complete | Lists software and computers that are impacted by each license record. |
| Compliance | Unapproved Software Installation | Lists software found on computers that do not have approved licenses. |
| Hardware | C drives less than 2G free | Shows which computers have less than 2 gigabytes of free space. |
| Hardware | Computer - Video/Ram/Proc by Label | Lists all computers and their video, RAM and processor information sorted by label and name. |
| Hardware | Computer Export | This report is intended to generate a CSV listing for data export to other programs. |
| Hardware | Computer Inventory Detail | Detail listing of all computers on the KBOX Appliances network with full field detail. Note: When this report is opened in XLS format, it gives an Apache Tomcat error. |
| Hardware | Computer Listing by Free Disk Space | Lists computer disk drives in order of total free disk space. |
| Hardware | Computer Listing by Label | Lists all computers by all the KBOX labels. |
| Hardware | Computer Listing by Memory | Lists computer RAM in order of total memory size. |
| Hardware | Computer Listing by Operating System | Sorts all computers by Operating System type and sums OS Types. |
| Hardware | Computer Uptime Report | Reports the uptime of the computers. |
| KBOX | Boot/Login Policies | Lists all the activities that could happen at machine boot time or after the user logs in. |
| KBOX | KBOX Agent Roll Out Log | Reports when a computer record was first created. |
| KBOX | KBOX Communication | Lists by day the latest communication from computers on the network. |
| KBOX | MI's enabled on all machines | Lists all the managed installations that are enabled on all machines. |
| KBOX | Scripts enabled on all machines | This report lists the scripts that are enabled on all machines. |
| Network | Network Info - Domain Listing | This report lists computer groups and computers by domain/workgroup. |
| Network | Network Info - IP Address Listing | Lists computers in ascending order of IP Address. |
| Network | Network Scan Report | Displays the results of the nightly Network Scan. |
| Patching | Critical Bulletin List | Lists all critical bulletins. |
| Patching | For each Machine, what patches are installed | Lists all patches on each computer in the KBOX network. |
| Patching | For each Patch, what machines have it installed | Lists the computers having each software patch in inventory. |
| Patching | How many computers have each Patch installed | Software Inventory listing sorted by software title showing number of seats deployed. |
| Patching | Installation Status of each enabled Patch | Lists the installation status of each enabled patch. |
| Patching | Needs Review Bulletin List | List of all the Bulletins that need review. |
| Patching | Patches waiting to be deployed | Lists all patches waiting to be deployed. |
| Security | Number of machines with OVAL vulnerabilities | Lists, for each OVAL test, how many machines failed the test and are therefore vulnerable. |
| Security | OVAL Machine Report | Reports all the machines and the OVAL tests failed by each of them. |
| Security | SANS Top 10 - Q2 2005 | Reports all OVAL results from vulnerabilities reported by SANS. |
| Security | Threatening Items | Displays all items of threat level 4 or 5 and the computers which have them. |
| Security | Top 10 OVAL Vulnerabilities | Displays a Pie graph of the top 10 OVAL vulnerabilities that have been reported by the OVAL scan. |
| Software | Software Export | Generates a CSV listing for data export to other programs. |
| Software | Software Installed But Not Used Last 6 Months | Lists, by software item, where software has been installed but not been used according to the software metering. This only works when you have attached the metering to a particular software item which limits you to a particular version of software. |
| Software | Software Inventory By Vendor | Software Inventory listing grouped by vendors showing number of seats deployed. |
| Software | Software Listing By Label | Lists all software titles organized by all the KBOX labels. |
| Software | Software not on any computer | Listing of all software titles that are not currently installed on any computers. |
| Software | Software on Computer | Listing of all software on each computer in the KBOX network. |
| Software | Software OS Report | List showing the count of Operating Systems currently deployed on your network. |
| Software | Software Title & Version - Computer List | This report lists the computers having each software title in the inventory. |
| Software | Software Title - Computer List | This report lists the computers having each software title in the inventory. |
| Software | Software Title - Computer List (MS Only) | This report lists computers having each Microsoft software title in the inventory. |
| Software | Software Title Deployed Count | Software Inventory sorted by software titles showing number of seats deployed. |
| Template | Computer Listing - XP SP2 installed? | Lists all computers, and identifies whether XP SP2 is installed or not. Change 'Windows XP Service Pack 2' to any other Software title you are interested in. Sorted by installation status. |
| Template | Computer Listing with Software Template | Computer Listing sorted by LABEL with computers having software names like "Microsoft Office Professional%". |
| Template | Custom Inventory Template | Reports the values returned by a custom inventory rule that you can set up in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item with the Custom Inventory Rule in it. |
| Template | Log File Information Template | This is a template that lists the values returned from a 'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute that you returned. |
| Template | Log Registry Value Template | This template lists the values returned from a script using the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that you entered in the script. |
| Template | Machines By Label X with Software Y Installed | Reports all the machines in label(s) and indicates if they have a particular software product installed. Replace the KBOX with the name of the software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you want included. |

Table 17-1: Default reports

Running Reports
To run any of the KBOX reports, click the desired format (HTML, PDF, CSV, XLS or TXT). For the HTML
format, the report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open
the file or save it to your computer.

Creating and Editing Reports


If you have other reporting needs not covered by the reports previously mentioned, you can either create
a new report from scratch, or you can modify one of the templates provided in the KBOX Template
category.
You can create a report in the following ways:
- Duplicate an existing report - Open an existing report and create a copy of it, which you can then
  modify to suit your needs.
- Create a new report using the Report Wizard.
- Create a new report from scratch.

You can create a report using the Table or Chart presentation type. The Table presentation type gives you
a tabular report with optional row groupings and summaries, and the Chart presentation type gives you a
bar, line or pie chart.

To create a new report using the table presentation type:

1. Select Reports | Reports. The KBOX Reports page appears.
2. Select Add New Report from the Choose action drop-down list.
3. Enter the report details as shown below:
   Report Title: Enter a display name for the report. Make this as descriptive as possible, so you can
   distinguish this report from others.
   Report Category: Enter the category for the report. If the category does not already exist, it is
   added to the drop-down list on the Reports list page.
   Description: Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software.
5. Click the Table presentation type icon.
6. Click Next.
7. To choose table columns:
   a. Click the appropriate column name from the Available columns list.
   b. Click to add that column to the Display Columns list. You can change the column order by
      clicking or .
   c. To remove a column from the Display list, click the appropriate column and click .
8. Click Next.
9. To define the criteria for displaying records in the report:
   a. Click the appropriate field name from the Available Fields list. Columns that you chose in the
      previous step appear under display fields. You can also choose a field from among all fields available
      for that topic. For example, Threat Level.
   b. Click Add.
   c. Select the appropriate operator from the comparison drop-down list. For example, Greater Than.
   d. Enter the appropriate value in the text field. For example, 3.
      This rule filters the data and displays only software that has Threat Level greater than 3.
   e. Click OK. The rule is added in the list of Current Rules. You can add more than one rule.
   f. Click to remove a rule from the list of Current Rules.
   g. Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to
      define a syntactic structure for your rules to override operator precedence.
   h. Click the Check Syntax button to check whether the rule syntax is valid.
   i. Once you add more than one rule, you can click the Move Up or Move Down button to change the
      order of rules.
10. Click Next.
11. To choose columns to be displayed in the report:
   a. Click the appropriate column name from the Available columns list.
   b. Click to add that column to the Display Columns list. You can change the column order by
      clicking or .
   c. To remove a column from the Display list, click the appropriate column and click .
12. Click Next.
13. You can customize the report layout. You can drag to set column order and width, and to add spacers. You
    can drag and drop between columns as well as between columns and spacers. Click the column and
    report headings for a further menu of labels, grouping, summary and other options.
    The options available are as follows:
    Title: Click on the title displayed before spacer to display the field name of spacer, Add as a
    group and Add as a column options.
    Spacer: Click on spacer to display the field name of spacer and Add as a column options.
    Column: Click on column to display the column name, change label, switch to group, remove column,
    summaries and move to right or left depending upon the column alignment options.
14. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list. To
    run the new report, click the desired format (HTML, PDF, CSV, XLS or TXT). For the HTML format, the
    report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open the file
    or save it to your computer.

You can jump to steps 1-5 of the Reporting Wizard Step. Steps 1 and 2 are mandatory
and cannot be left blank.

To create a new report using the chart presentation type:

1. Select Reports | Reports. The KBOX Reports page appears.
2. Select Add New Report from the Choose action drop-down list.
3. Enter the report details as shown below:
   Report Title: Enter a display name for the report. Make this as descriptive as possible, so you can
   distinguish this report from others.
   Report Category: Enter the category for the report. If the category does not already exist, it is
   added to the drop-down list on the Reports list page.
   Description: Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software.
5. Click the Chart presentation type icon.
6. Click Next.
7. To choose table columns:
   a. Click the appropriate column name from the Available columns list.
   b. Click to add that column to the Display Columns list. You can change the column order by
      clicking or .
   c. To remove a column from the Display list, click the appropriate column and click .
8. Click Next.
9. To define the criteria for displaying records in the report:
   a. Click the appropriate field name from the Available Fields list. Columns that you chose in the
      previous step appear under display fields. You can also choose a field from among all fields available
      for that topic. For example, Threat Level.
   b. Click Add.
   c. Select the appropriate operator from the comparison drop-down list. For example, Greater Than.
   d. Enter the appropriate value in the text field. For example, 3.
      This rule filters the data and displays only software that has Threat Level greater than 3.
   e. Click OK. The rule is added in the list of Current Rules. You can add more than one rule.
   f. Click to remove a rule from the list of Current Rules.
   g. Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to
      define a syntactic structure for your rules to override operator precedence.
   h. Click the Check Syntax button to check whether the rule syntax is valid.
   i. Once you add more than one rule, you can click the Move Up or Move Down button to change the
      order of rules.
10. Click Next.
11. Select the appropriate chart type from the following:
    Simple 3-D Bar: Displays categories along the X-axis, values along the Y-axis.
    3-D Pie: Displays a slice for each category. The corresponding value determines the size of the slice.
    Line: Displays categories or dates along the X-axis, values along the Y-axis.
12. Select the appropriate category field from the Category Field drop-down list.
13. Select the summary from the Summary drop-down list, beside the appropriate Value field name. If you
    have more than one Value field, you can change the value field order by clicking or .
14. Select the Show legend check box if you want to display a legend in the chart.
15. Specify the Chart width and Chart height in pixels, in the text fields.
16. Click Save to save the report.
    The KBOX Reports page is displayed with the new report in the list.

You can jump to steps 1-5 of the Reporting Wizard Step. Steps 1 and 2 are mandatory
and cannot be left blank.

To duplicate an existing report:

1. Select Reporting | Reports. The KBOX Reports page appears.
2. Click the report title you wish to duplicate. The Report Wizard page appears.
3. Click Duplicate.
4. Modify the report details as necessary, then go to the last step (report layout) and click Save.

To create a new SQL report from scratch:

1. Select Reports | Reports.
2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report: Edit Detail
   page appears.
3. Specify the following report details:
   Title: Enter a display name for the report. Make this as descriptive as possible, so you can
   distinguish this report from others.
   Report Category: Enter the category for the report. If the category does not already exist, it is
   added to the drop-down list on the Reports list page.
   Output File Name: Enter the name for the file that is generated when this report is run.
   Description: Describe the information that the report provides.
   Output Types: Specify the formats that should be available for this report.
   SQL Select Statement: Enter the query statement for generating the report data. For reference,
   consult the MySQL documentation.
   Break on Columns: A comma-separated list of SQL column names. The report is generated with
   break headers and subtotals for these columns. This setting refers to the auto-generated layout.
   Query All Orgs: Select this check box to query the databases of all organizations.
   XML Report Layout: When checked, this option creates the XML layout based on the SQL you
   enter. Select this check box if you have changed the columns that are being returned by the query
   so that the XML Report Layout is regenerated using the new columns.

4. Click Preview. Refer to “Previewing SQL report,” on page 317.
5. Click Save to add this SQL report to the list of reports on the KBOX Reports page. The KBOX Reports
   page appears.

The report XML uses the JRXML format. You can use iReport to design reports with JRXML. The
documentation is available at http://jasperforge.org/jaspersoft/opensource/business_intelligence/ireport/.
Once you click the Save button, the report wizard is disabled for that report.

To edit a report using SQL Editor:

1. Select Reports | Reports. The KBOX Reports page appears.
2. Click the report you want to edit. The Report Wizard page appears.
3. Click the Edit SQL button.
4. Click OK to proceed. The KBOX Report: Edit Detail page appears.
5. Edit the following report details:
   Title: Edit the display name for the report if required. Make this as descriptive as possible, so
   you can distinguish this report from others.
   Report Category: Edit or enter the category for the report. If the category does not already
   exist, it is added to the drop-down list on the Reports list page.
   Output File Name: Edit or enter the name for the file generated when this report is run.
   Description: Describe the information that the report provides.
   Output Types: Select the appropriate formats that should be available for this report.
   SQL Select Statement: Edit or enter the query statement for generating the report data. For
   reference, consult the MySQL documentation.
   Break on Columns: A comma-separated list of SQL column names. The report is generated with
   break headers and subtotals for these columns. This setting refers to the auto-generated layout.
   XML Report Layout: Select this check box if you have changed the columns that are being
   returned by the query so that the XML Report Layout is regenerated using the new columns. This
   option creates the Report XML layout based on the SQL you enter. You can edit, if necessary.
   Note: If you have just changed a sort order or a where clause, you need not recreate the layout.

6. Click Save.

Editing the SQL of a report disables modifying it with the Report Wizard.

To duplicate an existing SQL report:

1. Select Reporting | Reports. The KBOX Reports page appears.
2. Click the report title you wish to duplicate. The KBOX Report: Edit Detail page appears.
3. Click Duplicate.
4. Modify the report details as necessary, then click Save.
Refer to Appendix B, “Adding Steps to a Task,” starting on page 330.

Previewing SQL report


The KBOX provides preview functionality for viewing a report created using the SQL Editor. You can also
customize an existing report by changing its title, layout, SQL query, or break columns, and then view the
modified report using the Preview button.

To preview the SQL report:

1. Select Reporting | Reports. The KBOX Reports page appears.
2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report : Edit Detail
   page appears.
3. Specify title, report category, output file name, description, SQL Select Statement, Break on Columns.
4. Click Preview. The SQL report is displayed in KBOX Report : Preview Page Layout.
5. To customize the column width, hover the mouse over the report column whose width you want to adjust.
   Drag the mouse pointer to change the size of the column width.
6. Click the Save button to update these settings.

To preview the existing SQL report:

1. Click an existing SQL report. The KBOX Report : Edit Detail page appears.
2. Click Preview to view the report. You can customize the report by changing its title, SQL query, or
   layout.
3. Click Preview to view the customized report.

Scheduling Reports
Reports can be scheduled from the Schedule Reports tab. From the Report Schedules List page you can
open existing schedules, create new schedules, or delete them. You can also search schedules using
keywords.

To create a report schedule:

1. Select Reports | Schedule Reports. The Report Schedules page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200 317
2. Select Create a New Schedule from the Choose action drop-down list. The Schedule Reports: Edit
Detail page appears.
3. Specify the following schedule details:

Record Created Displays the date and time when the schedule was first created. This field is
read-only.
Record Last Modified Displays the date and time that the schedule was last modified. This field is
read-only.
Schedule Title Enter a display name for the schedule. Make this as descriptive as possible,
so you can distinguish this schedule from others.
Description Enter the information that the schedule would provide.
Report to Schedule Select the appropriate report you would like to schedule. You can filter the
list by entering any filter options.
Report Output Click the desired output report format (HTML, PDF, Excel, CSV, or TXT) that
Formats should be available for this scheduled report.

Recipients
Click the icon to enter the recipient’s e-mail address, or
choose Select user to add from the drop-down list. This
is a mandatory filed.
Email Notification
Subject Enter the subject of the schedule. The subject can help to
quickly identify what the schedule is about.
Message Text Enter the message text in the notification.

4. Specify scan schedule:

Don’t Run on a Schedule: Select to run the schedules in combination with an event rather than on a specific date or at a specific time.
Run Every n hours: Select to run the schedules at the specified time.
Run Every day/specific day at HH:MM AM/PM: Select to run the schedules on the specified day at the specified time.
Run on the nth of every month/specific month at HH:MM AM/PM: Select to run the tests on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

5. Click Save, or click Run Now to run the scheduled reports immediately.

To run a schedule:

1. Select Reports | Schedule Reports. The Report Schedules page appears.


2. Select the check box beside the schedule(s) you want to run.
3. In the Choose action box, select Run Selected Schedules Now.

To delete a schedule:

1. Select Reports | Schedule Reports. The Report Schedules page appears.


2. Select the check box beside the schedule(s) you want to delete.
3. Select Delete Selected Item(s) from the Choose action drop-down list.
4. Click Yes to confirm deleting the schedule(s).

Exporting Reports
You can export the existing reports of individual organizations in the .jrxml format, which can be viewed
through iReport.
You can customize the exported report by changing the layout, font size or background color in iReport
and import this customized report in the KBOX.

To export a report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select the check box beside the report(s) that you want to export.
3. Select Export Selected Report(s) from the Choose action drop-down list. The File Download pop-
up window opens.
4. Select Save File to save the reports.zip file to the desktop of your machine.
The reports.zip file contains the exported report in the .jrxml format, which can be viewed in iReport.
You can download iReport from http://jasperforge.org/jaspersoft/opensource/business_intelligence/ireport/.

To view the exported .jrxml file in iReport:

1. Create a connection between iReport and the MySQL database of the KBOX.
2. Open the .jrxml file in iReport and execute the report with the active connection.
You can view the exported report and change its layout using iReport.

Importing Reports
You can import a previously exported report, or a new report created in the .jrxml format using the iReport
wizard.

To import the report:

1. Select Reporting | Reports. The KBOX Reports page appears.


2. Select Import Reports from the Choose action drop-down list. The KBOX Reports : Import Reports
page appears.
3. Click Browse and locate the .jrxml file that you want to import and then click Open.
4. Click Upload Reports to upload the .jrxml file in the KBOX.
View the import results to verify the successful import of the report. This report is displayed in the
KBOX Reports page.

The Reporting module of the KBOX currently does not support the subreport feature
of JasperReports.

A P P E N D I X A

Macintosh® Users

This appendix provides information for Macintosh® users.

“Inventory,” on page 323


“Distribution,” on page 324
“Patching,” on page 328
“User Portal and Help Desk,” on page 328
“Asset Management,” on page 329
“AppDeploy Live,” on page 329
“Reporting,” on page 329
“Logs,” on page 329

Inventory
The KBOX 1000 Series Inventory feature lets you identify machines and software on your network and
organize computers by using labels and filters. Inventory is collected by the KBOX Agent and reported
when computers check in with the KBOX 1000 Series. The data is then listed on one of the following
Inventory tabs:
Computers
Software
MIA
The inventory data is collected automatically according to the schedule specified under the KBOX Agent
Settings. For information on how to change the Agent settings, refer to Chapter 2, “KBOX Agent
Settings,” starting on page 44.

You can search for Macintosh® machines in the Computer Search & Filter page using Advanced search.
In the Advanced Search sub tab you can search for Macintosh® machines using attributes like OS
Name, and so on. For more information on how to use Advanced Search, refer to Chapter 3, “Using
Advanced Search for Computer Inventory,” starting on page 56.

You can use the Create Notification feature to search the inventory for Macintosh® machines that meet
certain criteria, such as disk capacity or OS version, and then send an e-mail automatically to an
administrator. For example, if you wanted to know when computers had a critically low amount of disk
space left, you could specify the search criteria to look for a value of 5 MB or smaller in the Disk Free field,
and then notify an administrator who can take appropriate action. For more information on how to create
notifications, refer to Chapter 3, “Creating Computer Notifications,” starting on page 57.
Filtering provides a way to dynamically apply a label based on search criteria. It is often helpful to define
filters by inventory attribute. For example, you could create a label called “San Francisco Office” and create
a filter based on the IP range or subnet for machines in San Francisco. Whenever machines check in that
meet that attribute, they would receive the San Francisco label. This is particularly useful if your network
includes laptops that often travel to remote locations.

You can also create a label to group all your Macintosh® machines. Once grouped by a label, software,
reports, or software deployments on your Macintosh® machines can all be managed very easily. For more
information on the labeling feature, refer to Chapter 3, “Labels,” starting on page 84.

Distribution
The KBOX 1000 Series Distribution feature provides various methods for deploying software, updates, and
files to computers on your network.

Managed Installations enable you to deploy software to the computers on your network that require an
installation file to run. You can create a Managed Installation package from the Distribution | Managed
Installation page.
From the Managed Installations tab you can:
Create or delete Managed Installations
Execute or disable Managed Installations
Specify a Managed Action
Apply or remove a label
Search Managed Installations by keyword

Examples of Common Deployments on Macintosh®


On the Apple MacOS X platform, there is a universal installer with the usual file extension of .pkg. (Note
that this format is not the same as the Solaris .pkg files.) You cannot upload a .pkg file directly, as these
files consist of low level directories and web browsers can't handle uploading entire directories.
You do not require an installer to install plain packages using the KBOX. These are the ".app" packages
you might normally drag to your Applications folder. These packages must be archived as well, since they
consist of low level directories, just like the installer packages.
You can even archive installers along with plain applications. The KBOX will run the installers first and then
copy the applications into the Applications folder.
The supported package deployments are .pkg, .app, .dmg, .zip, .tgz, and .tar.gz. If you package the file as
a disk image, the KBOX will mount and unmount it quietly. This section provides examples for each type of
deployment. For each of these examples, you must have already uploaded the file to the KBOX prior to
creating the Managed Installation package. We recommend that you install the software on a test
machine and wait until the KBOX Agent connects to the KBOX 1000 Series appliance. The KBOX will then create
an inventory item and a Managed Installation package for the software.

To create a managed installation:

1. Select Distribution | Managed Installations. The Managed Installations page appears.


2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail
Page appears.
3. Select the software from the Select software drop-down list. You can filter the list by entering any
filter options.
4. By default, the KBOX Agent will attempt to install the .pkg file via the following command, which is
sufficient to install a new package or update an existing one to a new version:
installer -pkg packagename.pkg -target / [Run Parameters]
5. If you have selected a zip/tgz/tar.gz file, then the contents will be unpacked and the root directory is
searched for all .pkg files. The installation command will be run against each of these .pkg files. The
KBOX will search for all the .pkg files on the top level of an archive and execute that same installer
command on all the files in alphabetical order. After that, the KBOX will search for all plain applications
(.app) on the top level of the archive and copy them to /Applications with the following command:
ditto -rsrc Application.app /Applications/Application.app
If you wish to execute a script or change any of the above mentioned command lines, you can specify
the appropriate script invocation as the Full Command Line. You can use wildcards in the filenames
you specify. Enclose the filename in single or double quotation marks if it contains spaces. The files will be
extracted into a directory in "/tmp" and that will become the current working directory of the
command.

On MacOS, you do not need to include any other files in your archive other than your
script if that's all you wish to execute.

Ensure that you specify the relative path to the executable in the Full Command Line field, if you wish
to execute a shell script or other executable that you have included inside an archive. Remember, you'll
be executing your command inside a directory alongside the files which have been extracted. For
example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file
and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside
another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh".
Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If
you're using another scripting language, you may need to specify the full path to the command
processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Be sure to include
appropriate arguments for an unattended, batch script.
If you select the uninstall check box in the MI detail, the KBOX will remove each .app it finds in the top
level of your archive from the Applications folder. Thus, if you include two files in your archive named
"MyApp.app" and "MyOtherApp.app", those two applications will disappear from your Applications
folder if they exist there.
Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If
you select the check box for "Run Command Only", you should specify a full command line to ensure
the correct removal command is run on the correct package. Since no package is downloaded in this
case, you should specify the path in the installation database where the package receipt is stored or
run the correct file removal command to delete the files from the Applications folder. In that case, you
can download a script inside an archive and run the script on the Full Command Line.

6. If your package requires additional options, you can enter the following installation details:

Run Parameters: You cannot apply "Run Parameters" to the above-mentioned commands.
Full Command Line: You do not need to specify a full command line. The server executes the installation command by itself. The Macintosh® client will try to install this via:
    installer -pkg packagename.pkg -target / [Run Parameters]
    or
    ditto -rsrc packagename.app /Applications/theapp
    If you do not want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files or .app files it can find.
Un-Install using Full Command Line: Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package.
Run Command Only: Select this check box to run the command line only. This will not download the actual digital asset.
Notes: Enter additional information in this field, if any.
Managed Action: Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Macintosh® platform.

7. Specify the deployment details:

Deploy to All Machines: Select this check box if you want to deploy to all the machines.
Limit Deployment To Selected Labels: Select a label to limit deployment only to machines grouped by that label. Press Command and click labels to select more than one label. If you have selected any label that has a replication share or an alternate download location specified, then the KBOX will copy digital assets from that replication share or alternate download location instead of downloading them directly from the KBOX.
    Note: The KBOX will always use a replication share in preference to an alternate location.
Limit Deployment To Listed Machines: You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options.
Deploy Order: The order in which software should be installed. Lower deploy order will deploy first.
Max Attempts: Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, the KBOX will enforce the installation forever.
Deployment Window (24H clock): Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

8. Set user interaction details:

Allow Snooze: This option is not available for Macintosh® platform.
Custom Pre-Install Message: This option is not available for Macintosh® platform.
Custom Post-Install Message: This option is not available for Macintosh® platform.
Delete Downloaded Files: Select the check box to delete the package files after installation.
Use Alternate Download: Select the check box to specify details for alternate download. When you select this check box, the following fields appear:
    Alternate Download Location—Enter the location from where the KBOX Agent can retrieve digital installation files.
    Alternate Checksum—Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes).
    Alternate Download User—Enter a user name that will have the necessary privileges to access the Alternate Download Location.
    Alternate Download Password—Enter the password for the user name specified above.
    Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location. For more information on using an alternate location, refer to Chapter 6, “Distributing Packages through an Alternate Location,” starting on page 105.
    Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label will not be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, refer to Chapter 3, “Labels,” starting on page 84.

9. Click Save.
For more information about Distribution, refer to Chapter 6, “Distribution,” starting on page 102.
For more information about Managed Installations, refer to Chapter 6, “Managed Installations,” starting on
page 106.
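
The archive handling in steps 4 and 5 and the Alternate Checksum field can be checked before upload. The following is an added example, not KACE code: it prints the default commands in the documented order for an archive's top-level .pkg and .app entries, confirms that a script path intended for the Full Command Line is inside the archive, and prints the MD5 to enter as the Alternate Checksum. The function names, the sample file names, and the C-locale sort standing in for "alphabetical order" are assumptions.

```sh
#!/bin/sh
# Pre-upload check for a Managed Installation archive (added example, not KACE code).
# Assumption: "alphabetical order" is approximated with a C-locale sort.

# Print every member path stored in a .zip, .tgz or .tar.gz archive.
list_members() {
    case "$1" in
        *.zip)          unzip -Z1 "$1" ;;
        *.tgz|*.tar.gz) tar -tzf "$1" ;;
        *) echo "unsupported archive type: $1" >&2; return 2 ;;
    esac
}

# Reduce member paths to the unique names at the top level of the archive.
top_level_entries() {
    members=$(list_members "$1") || return 2
    printf '%s\n' "$members" |
        sed -e 's|^\./||' -e 's|/.*$||' | grep -v '^$' | LC_ALL=C sort -u
}

# Print the default commands in the documented order: installer for each
# top-level .pkg, then ditto for each top-level .app. Nested packages are
# not listed because only the top level of the archive is searched.
install_plan() {
    entries=$(top_level_entries "$1") || return 2
    printf '%s\n' "$entries" | grep '\.pkg$' | while IFS= read -r pkg; do
        printf 'installer -pkg "%s" -target /\n' "$pkg"
    done
    printf '%s\n' "$entries" | grep '\.app$' | while IFS= read -r app; do
        printf 'ditto -rsrc "%s" "/Applications/%s"\n' "$app" "$app"
    done
}

# Succeed only if the relative path used in the Full Command Line
# (for example ./foo/installThis.sh) is really inside the archive.
has_member() {
    want=${2#./}
    list_members "$1" | sed 's|^\./||' | grep -Fxq -- "$want"
}

# MD5 of a file, for the Alternate Checksum field.
archive_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1    # Linux
    else
        md5 -q "$1"                     # macOS
    fi
}

# Usage: sh check_mi_archive.sh bundle.tar.gz [./path/to/script.sh]
if [ "$#" -ge 1 ]; then
    install_plan "$1" || exit 2
    if [ "$#" -ge 2 ] && ! has_member "$1" "$2"; then
        echo "missing from archive: $2" >&2
        exit 1
    fi
    echo "Alternate Checksum (MD5): $(archive_md5 "$1")"
fi
```

An MD5 match shows that the file on the remote share is the one you hashed; MD5 is not collision-resistant, so write access to the alternate download location should still be restricted.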

Patching
The KBOX 1000 Series Patching feature enables you to quickly and easily deploy patches to your network.
The Detect and Deploy Patches feature allows you to create schedules for detecting and deploying
patches. Patching schedules are used to define when patch detection and deployment will run on a set of
machines. For more information about Detect and Deploy patches, refer to Chapter 9, “Detect and Deploy
Patches,” starting on page 172.
The Patch Listing feature allows you to review the list of available patches. You can search for
Macintosh® patches in the Patching Listing page by selecting the appropriate Macintosh® operating
system under View by Operating System from the View by drop-down list. Refer to Chapter 9, “Patch
Listing,” starting on page 169.

You can use the Advanced Search feature to search for Macintosh® patches. In the Advanced Search
sub tab you can select the appropriate Macintosh® operating system from the OS drop-down list. For more
information on how to use Advanced Search, refer to Chapter 9, “Using Advanced Search for
Patching,” starting on page 170.
You can use the Filter feature to automatically search the patch list using predefined search criteria. In
the Filter sub tab you can select the appropriate Macintosh® operating system from the OS drop-down list.

To allow the KBOX to download Apple Security updates for Macintosh®, you need to select the appropriate
operating system from the Macintosh Platform list in the Patch Subscription Settings page. You can
select more than one Macintosh® operating system. For more information on patch download settings,
refer to Chapter 9, “Subscription Settings,” starting on page 169.

User Portal and Help Desk


The User Portal provides the ability for users to download software, track computer info, and view a record
of what they have downloaded. You can log onto the User Portal by visiting the root URL of the KBOX 1000
Series machine name (for example, http://kbox/). Although users can access the User Portal even if they
do not have the KBOX Agent installed on their machine, they will not be able to run installations. The User
Portal is administered from the User Portal tab. For more information about the User Portal, refer to
Chapter 11, “Overview of the User Portal,” starting on page 194.
If you have purchased the optional KBOX 1000 Series Help Desk Module, additional tabs or options are
added. The optional KBOX 1000 Series Help Desk Module provides a ticket submission, tracking, and
management system that allows you to solve problems in real time. The KBOX 1000 Series Help Desk
Module provides integrated access with KBOX 1000 Series capabilities for hardware and software
inventory, software deployment, updates and patching, remote control, and alerting and reporting. After
installation, you can customize the Help Desk settings according to the needs of your organization.
For more information about using the features added by the Help Desk Module, refer to Chapter
11, “Overview of the Help Desk Module,” starting on page 206.

Asset Management
The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and
customizable way. By establishing asset types and relationships to other asset types and other objects in
the KBOX, you will be able to report on existing assets as well as track licensing and cost information in a
way that works for you in your environment.
For more information about Asset Management, refer to Chapter 4, “Asset Management,” starting on
page 86.

AppDeploy Live
AppDeploy.com contains information on installation, deployment and systems management automation.
By putting all of the relevant information in one place, it eliminates the need to search for answers
across vendor sites, discussion boards and technical publications. It offers computer administrators an
easy way to search for answers and solutions.
For more information about AppDeploy Live, refer to Chapter 3, “AppDeploy℠ Live,” starting on page 76.

Reporting
The KBOX 1000 Series provides a variety of alert and reporting features that enable you to communicate
easily with users and to get a detailed view of the activity on your network. The KBOX 1000 Series ships
with many included stock reports. The reporting engine utilizes XML-based report layouts to output report
types of HTML, PDF, CSV, and TXT.
You can view various types of reports, such as Computer Listing By Label, Computer Listing By Operating
System, Patches installed, Software OS Report - Graph, and so on.
For more information on Reporting, refer to Chapter 12, “Reporting,” starting on page 225.

Logs
The KBOX provides several log files that can help you detect and resolve errors. The KBOX maintains the
last seven days of activity in the logs. KACE Technical Support may request that you send the KBOX Server
logs if they need more information in troubleshooting an issue. To download the logs, click the Download
Logs link. For more information, refer to Chapter 16, “Downloading Log Files,” starting on page 301. You
can access the KBOX Server logs by going to the KBOX Settings | Logs tab.
For more information on KBOX Logs, refer to Chapter 16, “Troubleshooting the KBOX,” starting on
page 301.

A P P E N D I X B

Adding Steps to a Task

This appendix describes steps for adding a script task. The
steps documented here are available on the Scripting tab.
For more information, see “Scripting,” on page 142.

“Adding Steps to Task Sections,” on page 331

Adding Steps to Task Sections
Refer to the following table when adding steps to a Policy or Job task. These are the steps available in the
step drop-down lists in the Verify, On Success, Remediation, On Remediation Success, and On Remediation
Failure sections of a task. The column headings V, OS, R, ORS, and ORF indicate whether a particular step
is available in the corresponding Task sections.

Step | Description | V OS R ORS ORF

Always Fail | | X X
Call a Custom DLL Function | Call function "%{procName}" from "%{path}\%{file}" | X X X
Create a Custom DLL Object | Create object "%{className}" from "%{path}\%{file}" | X X X
Create a message window | Create a message window named "%{name}" with title "%{title}", message "%{message}" and timeout "%{timeout}" seconds. | X X X X X
Delete a registry key | Delete "%{key}" from the registry. | X X
Delete a registry value | Delete "%{key}!%{name}" from the registry. | X X
Destroy a message window | Destroy the message window named "%{name}". | X X X X X
Install a software package | Install "%{name}" with arguments "%{install_cmd}". Note: This step requires you to choose from a list of software packages already uploaded using the functionality in the Inventory/Software tab. For more information, see “Adding Software to Inventory,” on page 68. | X X
Kill a process | Kill the process "%{name}". | X X X X X
Launch a program | Launch "%{path}\%{program}" with params "%{parms}". | X X X X X
Log a registry value | Log "%{key}!%{name}". | X
Log file information | Log "%{attrib}" from "%{path}\%{file}" | X X X
Log message | Log "%{message}" to "%{type}" | X
Restart a service | Restart service "%{name}" | X
Run a batch file | Run the batch file "%{_fake_name}" with params "%{parms}". Note: In this step, you do not need to upload the batch file. You create the batch file by pasting the script in the space provided. | X X X
Search the file system | Search for "%{name}" in "%{startingDirectory}" on "%{drives}" and "%{action}". | X
Set a registry key | Set "%{key}". | X X
Set a registry value | Set "%{key}!%{name}" to "%{newValue}". | X X
Start a service | Restart service "%{name}" | X
Stop a service | Stop service "%{name}" | X
Unzip a file | Unzip "%{path}\%{file}" to "%{target}". | X X X X
Update message window text | Set the text in the message window named "%{name}" to "%{text}". | X X X X
Update Policy and Job schedule | Update policy and job schedule from the KBOX | X
Upload a file | Upload "%{path}\%{file}" to the server. | X X
Upload \ logs | Upload the KBOX Agent logs to the KBOX | X X X X
Verify a directory exists | Verify that the directory "%{path}" exists. | X
Verify a file exists | Verify that the file "%{path}\%{file}" exists. | X
Verify a file version is exactly | Verify that the file "%{path}\%{file}" has version "%{expectedValue}". | X
Verify a file version is greater than | Verify that the file "%{path}\%{file}" has version greater than "%{expectedValue}". | X
Verify a file version is greater than or equal to... | Verify that the file "%{path}\%{file}" has version greater than or equal to "%{expectedValue}" | X
Verify a file version is less than | Verify that the file "%{path}\%{file}" has version less than "%{expectedValue}". | X
Verify a file version is less than or equal to | Verify that the file "%{path}\%{file}" has version less than or equal to "%{expectedValue}" | X
Verify a file version is not | Verify that the file "%{path}\%{file}" does not have version "%{expectedValue}". | X
Verify a file was modified since | Verify that the file "%{path}\%{file}" was modified since "%{expectedValue}". | X
Verify a process is not running | Verify the process "%{name}" is not running. | X
Verify a process is running | Verify the process "%{name}" is running. | X
Verify a product version is exactly.. | Verify that the product "%{path}\%{file}" has version "%{expectedValue}" | X
Verify a product version is greater than | Verify that the product "%{path}\%{file}" has version greater than "%{expectedValue}". | X
Verify a product version is greater than or equal to... | Verify that the product "%{path}\%{file}" has version greater than or equal to "%{expectedValue}" | X
Verify a product version is less than | Verify that the product "%{path}\%{file}" has version less than "%{expectedValue}". | X
Verify a product version is less than or equal to | Verify that the product "%{path}\%{file}" has version less than or equal to "%{expectedValue}" | X
Verify a product version is not | Verify that the product "%{path}\%{file}" does not have version "%{expectedValue}" | X
Verify a registry key does not exist | Verify that "%{key}" does not exist. | X
Verify a registry key exists | Verify that "%{key}" exists. | X
Verify a registry key’s subkey count is exactly | Verify that "%{key}" has exactly "%{expectedValue}" subkeys. | X
Verify a registry key’s subkey count is greater than | Verify that "%{key}" has greater than "%{expectedValue}" subkeys. | X
Verify a registry key’s subkey count is greater than or equal to | Verify that "%{key}" has greater than or equal to "%{expectedValue}" subkeys. | X
Verify a registry key’s subkey count is less than | Verify that "%{key}" has less than "%{expectedValue}" subkeys. | X
Verify a registry key’s subkey count is less than or equal to | Verify that "%{key}" has less than or equal to "%{expectedValue}" subkeys. | X
Verify a registry key’s subkey count is not | Verify that "%{key}" does not have exactly "%{expectedValue}" subkeys. | X
Verify a registry key’s value count is exactly | Verify that "%{key}" has exactly "%{expectedValue}" values. | X
Verify a registry key’s value count is greater than | Verify that "%{key}" has greater than "%{expectedValue}" values. | X
Verify a registry key’s value count is greater than or equal to | Verify that "%{key}" has greater than or equal to "%{expectedValue}" values. | X
Verify a registry key’s value count is less than | Verify that "%{key}" has less than "%{expectedValue}" values. | X
Verify a registry key’s value count is less than or equal to | Verify that "%{key}" has less than or equal to "%{expectedValue}" values. | X
Verify a registry key’s value count is not | Verify that "%{key}" does not have exactly "%{expectedValue}" values. | X
Verify a registry pattern doesn’t match | Verify that "%{key}!%{name}=%{expectedValue}" doesn't match. | X
Verify a registry pattern matches | Verify that "%{key}!%{name}=%{expectedValue}" matches. | X
Verify a registry value does not exist | Verify that "%{key}!%{name}" does not exist | X
Verify a registry value exists | Verify that "%{key}!%{name}" exists | X
Verify a registry value is exactly | Verify that "%{key}!%{name}" is equal to "%{expectedValue}" | X
Verify a registry value is greater than | Verify that "%{key}!%{name}" is greater than "%{expectedValue}" | X
Verify a registry value is greater than or equal to | Verify that "%{key}!%{name}" is greater than or equal to "%{expectedValue}" | X
Verify a registry value is less than | Verify that "%{key}!%{name}" is less than "%{expectedValue}" | X
Verify a registry value is less than or equal to | Verify that "%{key}!%{name}" is less than or equal to "%{expectedValue}" | X
Verify a registry value is not | Verify that "%{key}!%{name}" is not equal to "%{expectedValue}" | X
Verify a service exists | Verify the service "%{name}" exists | X
Verify a service is running | Verify the service "%{name}" is running | X

Table B-1: Adding steps to Tasks in Policy & Job scripts

A P P E N D I X C

Database Tables

This appendix contains a list of the table names used in the
KBOX database. Use this as a reference when creating custom
reports.

“The KBOX Database Tables,” on page 337

The KBOX Database Tables
Refer to the following table when creating custom reports for a specific organization. For more
information, see Chapter 12, “Reporting,” starting on page 225.

Table Used In

ADVISORY HelpDesk
ADVISORY_LABEL_JT HelpDesk
ASSET Asset
ASSET_DATA_1 Asset
ASSET_DATA_2 Asset
ASSET_DATA_3 Asset
ASSET_DATA_4 Asset
ASSET_DATA_5 Asset
ASSET_DATA_6 Asset
ASSET_DATA_7 Asset
ASSET_DATA_8 Asset
ASSET_FIELD_DEFINITION Asset
ASSET_FILTER Asset
ASSET_HIERARCHY Asset
ASSET_HISTORY Asset
ASSET_TYPE Asset
AUTHENTICATION KBOX
CLIENTDIST_LABEL_JT KBOX
CLIENT_DISTRIBUTION KBOX
CUSTOM_FIELD_DEFINITION Custom Fields
CUSTOM_VIEW Custom View
FILTER Labeling
FS File Synchronization
FS_LABEL_JT File Synchronization
FS_MACHINE_JT File Synchronization
GLOBAL_OPTIONS KBOX
HD_ATTACHMENT Help Desk
HD_CATEGORY Help Desk
HD_EMAIL_EVENT Help Desk
HD_IMPACT Help Desk

Table C-1: The KBOX database table names

HD_MAIL_TEMPLATE Help Desk


HD_PRIORITY Help Desk
HD_QUEUE Help Desk
HD_QUEUE_OWNER_LABEL_JT Help Desk
HD_QUEUE_SUBMITTER_LABEL_JT Help Desk
HD_STATUS Help Desk
HD_TICKET Help Desk
HD_TICKET_CHANGE Help Desk
HD_TICKET_FILTER Help Desk
HD_TICKET_RELATED Help Desk
HD_TICKET_RULE* Help Desk
HD_WORK Help Desk
IM_CRON Scheduling
IPHONE_PROFILE* IPhone
IPHONE_PROFILE_LABEL_JT IPhone
KBOT Scripting
KBOT_CRON_SCHEDULE Scripting
KBOT_DEPENDENCY Scripting
KBOT_EVENT_SCHEDULE Scripting
KBOT_FORM Scripting
KBOT_FORM_DATA Scripting
KBOT_LABEL_JT Scripting
KBOT_LOG Scripting
KBOT_LOG_DETAIL Scripting
KBOT_LOG_LATEST Scripting
KBOT_OS_JT Scripting
KBOT_RUN Scripting
KBOT_RUN_MACHINE Scripting
KBOT_RUN_TOKEN Scripting
KBOT_SHELL_SCRIPT Scripting
KBOT_UPLOAD Scripting
KBOT_VERIFY Scripting
KBOT_VERIFY_STEPS Scripting


LABEL Labeling
LDAP_FILTER Labeling
LDAP_IMPORT_USER User
LICENSE Inventory
LICENSE_MODE Inventory
MACHINE Inventory
MACHINE_CUSTOM_INVENTORY Inventory
MACHINE_DISKS Inventory
MACHINE_KUID Inventory
MACHINE_LABEL_JT Inventory
MACHINE_NICS Inventory
MACHINE_NTSERVICE_JT Inventory
MACHINE_PROCESS_JT Inventory
MACHINE_REPLITEM Replication
MACHINE_SOFTWARE_JT Inventory
MACHINE_STARTUP_PROGRAMS Inventory
MACHINE_STARTUPPROGRAM_JT Inventory
MESSAGE Alerts
MESSAGE_LABEL_JT Alerts
MI Managed Installs
MI_ATTEMPT Managed Installs
MI_LABEL_JT Managed Installs
METER Software Metering
METER_COUNTER Software Metering
MSP_MI_TEMPLATE Patching
NODE Network Scan
NODE_LABEL_JT Network Scan
NODE_PORTS Network Scan
NODE_SNMP_IF Network Scan
NODE_SNMP_SYSTEM Network Scan
NOTIFICATION Alerts
NTSERVICE Inventory
NTSERVICE_LABEL_JT Inventory


OPERATING_SYSTEMS Inventory
OVAL_STATUS OVAL
PORTAL User Portal
PORTAL_LABEL_JT User Portal
PROCESS Inventory
PROCESS_LABEL_JT Inventory
PROVISION_CONFIG Provisioning
PROVISION_NODE Provisioning
REPLICATION_LANGUAGE Replication
REPLICATION_PLATFORM Replication
REPLICATION_SCHEDULE Replication
REPLICATION_SHARE Replication
REPORT Reporting
REPORT_FIELD Reporting
REPORT_FIELD_GROUP Reporting
REPORT_JOIN Reporting
REPORT_OBJECT Reporting
REPORT_SCHEDULE Reporting
SCAN_FILTER Labeling
SCAN_SETTINGS Network Scan
SOFTWARE Inventory
SOFTWARE_LABEL_JT Inventory
SOFTWARE_OS_JT Inventory
STARTUPPROGRAM Inventory
STARTUPPROGRAM_LABEL_JT Inventory
THROTTLE KBOX
USER User
USERIMPORT_SCHEDULE User
USER_HISTORY User Portal
USER_KEYS User Portal
USER_LABEL_JT User
USER_ROLE User
USER_ROLE_PERMISSION_VALUE User


VK_APP_IMAGE Virtual container


VK_APP_IMAGE_POD_IMAGE_JT Virtual container
VK_APP_LINEAGE Virtual container
VK_APP_SHORTCUT* Virtual container
VK_APP_VENDOR Virtual container
VK_DISTRIBUTION Virtual container
VK_DISTRIBUTION_LABEL_JT Virtual container
VK_DISTRIBUTION_MACHINE_JT Virtual container
VK_IMAGE Virtual container
VK_IMAGE_LINEAGE Virtual container
VK_IMAGE_SETTINGS Virtual container
VK_IMAGE_SHORTCUT Virtual container
VK_POD Virtual container
VK_PODDED_APP Virtual container
VK_POD_ATTACHMENT Virtual container
VK_POD_SETTINGS Virtual container


Refer to the table below when creating system reports:

Table Used In

ORGANIZATION Organisation
ORGANIZATION_FILTER Organisation
ORG_ROLE Organisation
OVAL_DEFINITION Organisation
PATCHLINK_ARCHITECTURE Patching
PATCHLINK_LANGUAGE Patching
PATCHLINK_OS_TYPE Patching
PATCHLINK_PATCH Patching
PATCHLINK_PLATFORM Patching
PATCHLINK_RESOURCE Patching
REPORT Reporting
REPORT_JOIN Reporting
REPORT_SCHEDULE Reporting

Appendix D

Manual Deployment of the KBOX Agent

This appendix contains a list of tasks and commands that you can carry out using the command
line interface.

“Manual Deployment of the KBOX Agent on Linux,” on page 343


“Manual Deployment of the KBOX Agent on Solaris,” on page 345
“Manual Deployment of the KBOX Agent on Macintosh®,” on page 347

Manual Deployment of the KBOX Agent on Linux
Installing and Configuring the KBOX Agent
1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer.
2. Open the command line interface.
3. Type rpm -ivh kboxagent-buildnumber.i386.rpm, and then press ENTER.
The installer creates the following directories on your computer:
/KACE - This is the base directory in which the entire KBOX Agent is installed on the client machine.
/KACE/bin - This directory contains all the executable files.
/KACE/lib - This directory contains data such as version number, default configuration files, and
others for the KBOX Agent.
/KACE/data - This directory contains the application code organized as libraries.
/var/KACE/kagentd - This directory contains the kbot_config.yaml file.
4. Type cd /KACE/bin, and then press ENTER.
5. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server.
6. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent


1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer.
2. Open the command line interface.
3. Type rpm -Uvh kboxagent-linux_buildnumber.rpm, and then press ENTER.

Removing the KBOX Agent


1. Open the command line interface.
2. Type rpm -e kboxagent-buildnumber.i386, and then press ENTER.

Verifying Deployment of the KBOX Agent


This section describes tasks to manage the KBOX Agent using the command line interface.

Starting and Stopping the KBOX Agent


1. Open the command line interface.
2. Type cd /KACE/bin, and then press ENTER.
3. To start the KBOX Agent, type ./SMMPctl start, and then press ENTER.
To stop the KBOX Agent, type ./SMMPctl stop, and then press ENTER.

Checking whether the Agent is Running
1. Open the command line interface.
2. Type ps aux | grep kagentd, and then press ENTER.

Checking the Version of the KBOX Agent


1. Open the command line interface.
2. Type cat /KACE/data/version, and then press ENTER.

Performing an Inventory check


1. Open the command line interface.
2. Type sudo /KACE/bin/inventory, and then press ENTER.
If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > `uname -n`.txt,
and then press ENTER. This command saves the inventory results to a file named
yourcomputer.txt, where yourcomputer is the name of your computer.

Linux Debugging
Logging on to the Management Service:
1. Open the command line interface.
2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER.
3. Type sudo /etc/rc.d/init.d/SMMPctl stop, and then press ENTER.
4. Type sudo /etc/rc.d/init.d/SMMPctl start, and then press ENTER.
The debug_agent.log file contains debug logs.

Logging on to the AMP Service:
1. Edit /var/kace/SMMP/SMMP.conf.
2. Add a new line: debug = true
3. Stop the SMMP service: /KACE/bin/SMMPctl stop
4. Start the SMMP service: /KACE/bin/SMMPctl start

Manual Deployment of the KBOX Agent on Solaris
Installing and Configuring the KBOX Agent
1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer.
2. Open the command line interface.
3. Type /usr/bin/gunzip KBOX-agent-all-buildnumber.pkg.gz, and then press ENTER.
4. Type /usr/sbin/pkgadd -n -d KBOX-agent-all-buildnumber.pkg all, and then press
ENTER.
The installer creates the following directories on your computer:
/KACE
/KACE/bin
/KACE/lib
/KACE/data
/var/KACE/kagentd. This directory contains the kbot_config.yaml file.
5. Type cd /KACE/bin, and then press ENTER.
6. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server.
7. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent


1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer.
2. Open the command line interface.
3. Type /etc/init.d/SMMPctl stop, and press ENTER.
4. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER.
5. Type /usr/bin/rm -rf /KACE/, and press ENTER.
6. Type /usr/bin/gunzip -v KBOX-agent-all*.pkg.gz, and press ENTER.
7. Type /usr/sbin/pkgadd -n -d KBOX-agent-all*.pkg all, and press ENTER.
8. Type /etc/init.d/SMMPctl start, and press ENTER.

Removing the KBOX Agent
1. Open the command line interface.
2. Type /etc/init.d/SMMPctl stop, and press ENTER.
3. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER.
4. Type /usr/bin/rm -rf /KACE/, and press ENTER.

Verifying Deployment of the KBOX Agent


This section describes the tasks to manage the KBOX Agent using the command line interface.

Starting and Stopping the KBOX Agent


1. Open the command line interface.
2. Type cd /KACE/bin, and then press ENTER.
3. To start the KBOX Agent, type ./SMMPctl start, and then press ENTER.
To stop the KBOX Agent, type ./SMMPctl stop, and then press ENTER.

Checking whether the Agent is Running


1. Open the command line interface.
2. Type ps -ef | grep kagentd, and then press ENTER.

Checking the Version of the KBOX Agent


1. Open the command line interface.
2. Type cat /KACE/data/version, and then press ENTER.

Performing an Inventory check


1. Open the command line interface.
2. Type sudo /KACE/bin/inventory, and then press ENTER.
If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > `uname -n`.txt,
and then press ENTER. This command saves the inventory results to a file named
yourcomputer.txt, where yourcomputer is the name of your computer.

Solaris Debugging

Logging on to the Management Service:


1. Open the command line interface.
2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER.
3. Type sudo /etc/init.d/SMMPctl stop, and then press ENTER.
4. Type sudo /etc/init.d/SMMPctl start, and then press ENTER.
The debug_agent.log file contains debug logs.

Logging on to the AMP Service:
1. Edit /var/kace/SMMP/SMMP.conf.
2. Add a new line: debug=true
3. Stop the SMMP service: /KACE/bin/SMMPctl stop
4. Start the SMMP service: /KACE/bin/SMMPctl start

The KBOX Agent normally checks in using the "Run Interval" schedule specified in the
KBOX Agent Settings page. For debugging and testing purposes, KACE provides ways
that can be used to force a check-in outside this normal schedule.
You can run the file runallkbots located in /KACE/bin to force the KBOX Agent to
check in with the KBOX 1000 appliance.

Manual Deployment of the KBOX Agent on Macintosh®

To run the commands, you must be logged in as the root user.


A “root” is a user with administrator privileges on the client machine.

Installing and Configuring the KBOX Agent


1. Double-click KBOX Agent 4.3.buildnumber.dmg.
2. Double-click KBOX Agent.pkg.
3. The Introduction page is displayed. Click Continue.
4. The Read Me page is displayed. Click Continue.
5. The Select Destination page is displayed. Select the destination volume where you want to install
the KBOX Agent, and then click Continue.
6. The Installation Type page is displayed. Click Install.
7. The Finish Up page is displayed. Click Close.
The installer creates the following directories on your computer:
/Library/KBOXAgent/Home/bin
/Library/KBOXAgent/Home/data
/Library/KBOXAgent/Home/lib

/var/kace/kagentd - This directory contains the kbot_config.yaml file.
8. Type cd /Library/KBOXAgent/Home/bin, and then press ENTER.
9. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server.
10. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent


1. Double-click KBOX Agent 4.3.buildnumber.dmg.
2. Double-click KBOX Agent.pkg.
3. The Introduction page is displayed. Click Continue.
4. The Read Me page is displayed. Click Continue.
5. The Select Destination page is displayed. Select the destination volume where you want to install
the KBOX Agent, and then click Continue.
6. The Installation Type page is displayed. Click Upgrade.
7. The Finish Up page is displayed. Click Close.

Removing the KBOX Agent


1. Browse to /Library/KBOXAgent.
2. To remove the KBOX Agent, first drag the KBOXAgent folder to the Trash, and then kill the
process ID.

Verifying Deployment of the KBOX Agent


This section describes the various tasks you can perform to manage the KBOX Agent using the command
line interface.

Starting and Stopping the KBOX Agent


1. Open Terminal from the Applications/Utilities folder.
2. Type cd /Library/KBOXAgent/Home/bin, and then press ENTER.
3. To start the KBOX Agent, type ./SMMPctl start, and then press ENTER.
To stop the KBOX Agent, type ./SMMPctl stop, and then press ENTER.

Checking whether the Agent is Running


1. Open Terminal from the Applications/Utilities folder.
2. To check whether the kagentd process is running, type ps aux | grep kagentd, and then
press ENTER. The process is running if you see a result like the following:
root 2159 0.0 1.1 94408 12044 p2 S 3:26PM 0:10.94 /Library/KBOXAgent/Home/bin/kagentd

Checking the Version of the KBOX Agent


1. Open Terminal from the Applications/Utilities folder.

2. Type cat /Library/KBOXAgent/Home/data/version, and then press ENTER.

Performing an Inventory check


1. Open Terminal from the Applications/Utilities folder.
2. Type sudo /Library/KBOXAgent/Home/bin/inventory, and then press ENTER.
If you want to save the inventory results to a file, type
sudo /Library/KBOXAgent/Home/bin/inventory > computer_name.txt, replacing computer_name with
the name of your computer, and then press ENTER. This command saves the inventory results to a
file named computer_name.txt, where computer_name is the computer name that you specified.

Macintosh® Debugging

Logging on to the Management Service:


1. Open Terminal from the Applications/Utilities folder.
2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER.
3. Type sudo /Library/KBOXAgent/Home/bin/SMMPctl stop, and then press ENTER.
4. Type sudo /Library/KBOXAgent/Home/bin/SMMPctl start, and then press ENTER.
The debug_agent.log file contains debug logs.

Logging on to the AMP Service:


1. Edit /var/kace/SMMP/SMMP.conf.
2. Add a new line: debug=true
3. Stop the SMMP service: /Library/KBOXAgent/Home/bin/SMMPctl stop
4. Start the SMMP service: /Library/KBOXAgent/Home/bin/SMMPctl start

The KBOX Agent normally checks in using the "Run Interval" schedule specified in the
KBOX Agent Settings page. For debugging and testing purposes, KACE provides ways
that can be used to force a check-in outside this normal schedule.
You can run the file runallkbots located in /Library/KBOXAgent/Home/bin to
force the KBOX Agent to check in with the KBOX 1000 appliance.
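
The verification and debugging steps of this appendix, collected into one shell check (an added example, not KACE code). The function names and the FAIL/INFO/WARN line format are assumptions; the paths are the ones listed in this appendix and are passed in as arguments so the same script serves all three platforms.

```shell
#!/bin/sh
# Added example, not KACE code. Paths are the ones this guide documents:
#   agent_home  /KACE (Linux, Solaris) or /Library/KBOXAgent/Home (Macintosh)
#   state_dir   /var/kace (the guide also writes /var/KACE; pass the one that exists)
# Usage: sh agent_check.sh /KACE /var/kace
#        ps aux | agent_running && echo "kagentd is running"   # ps -ef on Solaris

# Read ps output on stdin; succeed only if a kagentd process is listed.
# Lines containing "grep" are skipped because `ps aux | grep kagentd` also
# lists the grep command itself.
agent_running() {
    awk '
        $0 !~ /grep/ {
            for (i = 1; i <= NF; i++)
                if ($i == "kagentd" || $i ~ /\/kagentd$/) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Report debug switches that are still set. Matches both spellings the guide
# uses in SMMP.conf: "debug = true" and "debug=true".
agent_debug_state() {
    state_dir=$1
    if [ -e "$state_dir/kagentd/debug_agent.tag" ]; then
        echo "debug_agent.tag present"
    fi
    if grep -Eq '^[[:space:]]*debug[[:space:]]*=[[:space:]]*true[[:space:]]*$' \
        "$state_dir/SMMP/SMMP.conf" 2>/dev/null; then
        echo "SMMP.conf sets debug=true"
    fi
}

# Check the layout the installer creates and print one line per observation.
# Returns 0 when nothing is missing, 1 otherwise.
agent_audit() {
    agent_home=$1
    state_dir=$2
    rc=0
    for d in bin lib data; do
        if [ ! -d "$agent_home/$d" ]; then
            echo "FAIL missing directory $agent_home/$d"
            rc=1
        fi
    done
    if [ -r "$agent_home/data/version" ]; then
        echo "INFO agent version $(cat "$agent_home/data/version")"
    else
        echo "FAIL cannot read $agent_home/data/version"
        rc=1
    fi
    if [ ! -f "$state_dir/kagentd/kbot_config.yaml" ]; then
        echo "FAIL missing $state_dir/kagentd/kbot_config.yaml"
        rc=1
    fi
    agent_debug_state "$state_dir" | sed 's/^/WARN /'
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    agent_audit "$1" "$2"
fi
```

A WARN line means a debug switch from the debugging steps is still set on that machine.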

Appendix E

Agent Customization

This appendix explains the procedure to create a self-executing zip file that includes custom
installation items like non-standard path or custom server name.

“Agent Customization,” on page 351

Agent Customization
You can create a self-executing zip file that includes custom installation items like non-standard path or
custom server name.

To create a self-executing zip that includes custom installation:

1. Copy the necessary files for your customization. You will need the following files:
7zip-v442.exe,
7zip-v442_extra.zip,
The KInstallerSetup.exe, from the client version you want to customize.
The 7zip-v442.exe and 7zip-v442_extra.zip files can be downloaded from the internet. The
KInstallerSetup.exe file is available at the KACE Support website.
2. Install 7-zip.
3. Unzip the 7zip-v442_extra.zip file into the directory where 7-Zip is installed (by default, the
directory is C:\Program Files\7-Zip).
Ensure that the file 7zS.sfx is in the top-level directory.
The path used for this location is 7-Zip-install. This file is important because it has the actual
executable stub for a self-extracting installer executable.
4. Start the 7-Zip File Manager from the Start menu.
5. Select the KInstallerSetup.exe executable for the client version to customize using the 7-Zip File
Manager.
6. Click the extract button to extract it into a directory of your choice. Keep the Current Path names
selected in the Path mode box. The Overwrite without prompt option can be selected for the
Overwrite mode. Do not specify a password.
7. Navigate to the desired folder and edit the kinstaller.exe.config file with a text editor to change any
settings for customization. The display_mode can have the values interactive, quiet, and silent. The
hostname of the server is server_name.
8. Save your changes. Execution of the kinstaller.exe file in this directory installs with the settings as
specified in the .config file.
9. Open the 7-Zip File Manager and select kinstaller.exe, kinstaller.exe.config, es-ES and
install_files.
10. Click the Add button. Set the archive format to 7z, and make sure that Create SFX archive in the Options box is cleared.
11. Save the .7z file and note down the path. Here the .7z file is "jkboxInstaller.7z" and the path to it
is <<jkbox-installpath>>
12. Create a text file - config.txt - which includes the settings for the self-executing zip. Ensure that the
file is saved with UTF-8 encoding. The file should contain the following commands, which will indicate
to 7-zip that the kinstaller should run when the self-executing zip runs:
;!@Install@!UTF-8!
Progress="no"
RunProgram="kinstaller.exe"
Directory=""
;!@InstallEnd@!

13. Open a new command-line window.
14. Execute the following command to create a self-executing file from the .7z file:
Copy /b "<<7-Zip-install>>\7zS.sfx" + "<<config-file-path>>\config.txt" +
"<<jkbox-installpath>>\jkboxInstaller.7z" "<<Installer_Name>>.exe"

Appendix F

Understanding the Daily Run Output

The daily run output is sent to the System Administrator via e-mail. This email is automatically
sent to system administrators every night at 3:00 AM.

This appendix contains a sample of the daily run output. Your output may vary slightly from the
sample shown.

The following are the standard FreeBSD maintenance messages:
Removing stale files from /var/preserve:
Cleaning out old system announcements:
Removing stale files from /var/rwho:
Backup passwd and group files:
Verifying group file syntax:
Backing up mail aliases:
Disk status:

Filesystem     1K-blocks  Used     Avail      Capacity  Mounted on
/dev/twed0s1a  2026030    36780    1827168    2%        /
devfs          1          1        0          100%      /dev
/dev/twed0s1f  134105316  1003568  122373324  1%        /kbox
/dev/twed0s1e  10154158   6365810  2976016    68%       /usr
/dev/twed0s1d  2026030    3858     1860090    0%        /var
/dev/twed1s1d  151368706  2722542  136536668  2%        /kbackup

Table F-1: Disk Status

Last dump(s) done (Dump '>' file systems):

The above table reports information about your disks.


Of interest are /kbox and /kbackup.
/kbox is where all the software for the KBOX server is located. It also holds the
software packages uploaded to the server. If this drive starts getting close to full, you
must remove old unused packages or contact KACE for an upgrade.
/kbackup is the drive where /kbox is backed up. It is generally as full as /kbox. If
it is close to full, you must remove old unused packages or contact KACE for an upgrade.

Network interface status:


Name   Mtu    Network        Address            Ipkts   Ierrs  Opkts   Oerrs  Coll
em0    1500                  00:30:48:73:07:4c  332146  0      204673  0      0
em0    1500   192.168.2      kboxdev            308055  -      201832  -      -
em0    1500   fe80:1::230:4  fe80:1::230:48ff:  0       -      4       -      -

0
plip0  1500                                     0       0      0       0      0
lo0    16384                                    699     0      699     0      0
lo0    16384  your-net       localhost          699     -      699     -      -
lo0    16384  localhost      ::1                0       -      0       -      -
lo0    16384  fe80:4::1      fe80:4::1          0       -      0       -      -

The above table reports information about the network status of the KBOX.
Make sure the Ierrs/Oerrs are zero. Other values indicate some sort of network failure.
If you notice consistent errors, contact KACE support for assistance.

Local system status:


3:04PM up 3 days, 4:12, 0 users, load averages: 0.05, 0.20, 0.15

The above indicates the amount of time the KBOX has been up since the last time it
was powered off.
There will not be any users logged onto the machine.
The load averages will vary depending on what the load on the KBOX was when this report
was run.

Mail in local queue:


/var/spool/mqueue is empty
Total requests: 0
Mail in submit queue:
/var/spool/clientmqueue is empty
Total requests: 0
Security check:
(output mailed separately)
Checking for rejected mail hosts:

Checking for denied zone transfers (AXFR and IXFR):

tar: Removing leading `/' from member names

The messages above are the standard FreeBSD messages regarding the health of the
mail systems.
There should not be mail in the queues. However, if an item still exists, check your
SMTP settings from the KBOX Settings page.

[Thu Mar 17 15:05:31 PST 2005] KBOX Backup: Backup Complete.


Backup files available for off-box storage via ftp.

The above message indicates a KBOX specific message telling you that the backups
have been successfully completed and are on the /kbackup disk, available through the
ftp interface.

[Thu Mar 17 15:05:31 PST 2005] KBOX RAID Status


Disk Array Detail Info not available during a rebuild.
If Rebuild in progress, % completion listed below
Disk Array Detail Status:
Unit UnitType Status %Cmpl Port Stripe Size(GB) Blocks
-----------------------------------------------------------------------
u0 RAID-1 OK - - - 149.05 312579760
u0-0 DISK OK - p0 - 149.05 312579760
u0-1 DISK OK - p1 - 149.05 312579760
Disk Array REBUILD Status:
/c0/u0 is not rebuilding, its current state is OK

The above table indicates the status of your RAID drives. If you ever see the disks
DEGRADED or not REBUILDING properly, contact KACE support to address the problem.

[Thu Mar 17 15:05:31 PST 2005] KBOX Database Maintenance


Daily routines to maintain database performance.
DB Table Maintenance Log:
# Connecting to localhost...
# Disconnecting from localhost...
KBDB.ADVISORY OK
KBDB.AUTHENTICATION OK
KBDB.CATEGORY OK
KBDB.CLIENT_DISTRIBUTION OK

KBDB.FILTER OK
KBDB.FS OK
KBDB.FS_LABEL_JT OK
KBDB.GLOBAL_OPTIONS OK
KBDB.LABEL OK
KBDB.LDAP_FILTER OK
KBDB.LICENSE OK
KBDB.LICENSE_MODE OK
KBDB.MACHINE OK
KBDB.MACHINE_CUSTOM_INVENTORY OK
KBDB.MACHINE_DISKS OK
KBDB.MACHINE_LABEL_JT OK
KBDB.MACHINE_NICS OK
KBDB.MACHINE_PROCESS OK
KBDB.MACHINE_SOFTWARE_JT OK
KBDB.MACHINE_STARTUP_PROGRAMS OK
KBDB.MESSAGE OK
KBDB.MESSAGE_LABEL_JT OK
KBDB.MI OK
KBDB.MI_LABEL_JT OK
KBDB.NETWORK_SETTINGS OK
KBDB.NOTIFICATION OK
KBDB.OPERATING_SYSTEMS OK
KBDB.PORTAL OK
KBDB.PORTAL_LABEL_JT OK
KBDB.PRODUCT_LICENSE OK
KBDB.REPORT OK
KBDB.SCHEDULE OK
KBDB.SERVER_LOG OK
KBDB.SOFTWARE OK
KBDB.SOFTWARE_LABEL_JT OK
KBDB.SOFTWARE_OS_JT OK
KBDB.THROTTLE OK
KBDB.TIME_SETTINGS OK
KBDB.TIME_ZONE OK
KBDB.USER OK

KBDB.USER_HISTORY OK
KBDB.USER_KEYS OK
KBDB.USER_LABEL_JT OK
-- End of daily output --

The database is checked every night for any inconsistencies and these are automatically
repaired.
If you see any failures from this output, contact KACE Support for assistance.
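
One way to apply the checks this appendix describes to a saved copy of the e-mail, as an added example that is not part of the KACE product. The function names, the 90 percent disk threshold and the faults in the embedded sample are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not KACE code: scan a saved KBOX daily run e-mail for the
# conditions Appendix F says to watch. DISK_LIMIT is an assumed threshold in
# percent; the guide only says "close to full".
# Usage: sh daily_run_check.sh saved_mail.txt

daily_run_findings() {
    awk -v limit="${DISK_LIMIT:-90}" '
    # Section headings of the report select which checks apply.
    /^Disk status:/                  { sec = "disk"; next }
    /^Network interface status:/     { sec = "net";  next }
    /^Local system status:/          { sec = "";     next }
    /^Mail in (local|submit) queue:/ { sec = "mail"; queue = $3; next }
    /^Security check:/               { sec = "";     next }
    /^Disk Array Detail Status:/     { sec = "raid"; next }
    /^Disk Array REBUILD Status:/    { sec = "";     next }

    # Only /kbox and /kbackup are singled out by the guide.
    sec == "disk" && ($NF == "/kbox" || $NF == "/kbackup") {
        pct = $(NF - 1); sub(/%/, "", pct)
        if (pct + 0 >= limit + 0) print "DISK " $NF " at " pct "% capacity"
    }
    # Count columns from the right: Ipkts Ierrs Opkts Oerrs Coll. Network and
    # Address may be blank, and "-" means the counter is not reported.
    sec == "net" && NF >= 5 {
        ierr = $(NF - 3); oerr = $(NF - 1)
        if ((ierr ~ /^[0-9]+$/ && ierr + 0 > 0) || (oerr ~ /^[0-9]+$/ && oerr + 0 > 0))
            print "NET " $1 " Ierrs=" ierr " Oerrs=" oerr
    }
    # The guide expects both mail queues to be empty.
    sec == "mail" && /^Total requests:/ && ($3 + 0) > 0 {
        print "MAIL " queue " queue holds " $3 " request(s)"
    }
    sec == "raid" && /^u[0-9]/ && $3 != "OK" { print "RAID " $1 " status " $3 }
    /^KBDB\./ && $2 != "OK"                  { print "DB " $1 " status " $2 }
    ' "$@"
}

# Constructed sample in the report layout shown in Appendix F; the faults are
# invented for the demonstration.
sample_daily_run() {
    cat <<'EOF'
Disk status:
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/twed0s1a 2026030 36780 1827168 2% /
devfs 1 1 0 100% /dev
/dev/twed0s1f 134105316 1003568 122373324 1% /kbox
/dev/twed1s1d 151368706 132276000 6983000 95% /kbackup

Network interface status:
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
em0 1500 00:30:48:73:07:4c 332146 12 204673 0 0
em0 1500 192.168.2 kboxdev 308055 - 201832 - -
lo0 16384 699 0 699 0 0

Local system status:
3:04PM up 3 days, 4:12, 0 users, load averages: 0.05, 0.20, 0.15

Mail in local queue:
/var/spool/mqueue is empty
Total requests: 0
Mail in submit queue:
Total requests: 3

Disk Array Detail Status:
Unit UnitType Status %Cmpl Port Stripe Size(GB) Blocks
u0 RAID-1 DEGRADED - - - 149.05 312579760
u0-0 DISK OK - p0 - 149.05 312579760
u0-1 DISK DEGRADED - p1 - 149.05 312579760
Disk Array REBUILD Status:
/c0/u0 is not rebuilding, its current state is DEGRADED

KBDB.ADVISORY OK
KBDB.MACHINE FAILED
KBDB.USER OK
-- End of daily output --
EOF
}

if [ "$#" -gt 0 ]; then
    daily_run_findings "$1"
else
    sample_daily_run | daily_run_findings
fi
```

Run without arguments, the script prints the findings for the constructed sample; an empty result means none of the watched conditions was found.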

Appendix G

Warranty, Licensing, and Support

“Warranty and Support Information,” on page 361.


“Third Party Software Notice,” on page 361

Warranty and Support Information
Information concerning hardware and software warranty, hardware replacement, product returns,
technical support terms and product licensing can be found in the KACE End User License agreement
accessible at:
http://www.kace.com/license/standard_eula

Third Party Software Notice


The KBOX™ is licensed as per the accompanying Third Party License Agreements in addition to the KBOX
license noted above. The KBOX includes software redistributed under license from the following vendors.
In addition, the KBOX contains paid licenses for MySQL and JRXML that have been purchased and
embedded within the KBOX by KACE, Copyright 2009, KACE Networks, Inc. and other copyrights.
FreeBSD
Apache
OpenLDAP
OpenSSL
Exim
Samba
OVAL
PHP
Sendmail
#ZipLib
Other Copyrights

FreeBSD
This product (KBOX) includes software developed by Free Software Foundation, Inc. GNU GENERAL
PUBLIC LICENSE, Version 2, June 1991. Copyright (C) 1989, 1991 Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA. The verbatim copies of the license document can be distributed,
but the document should not be changed.

Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This General Public License applies to most of
the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Library General Public License
instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are
designed to make sure that you have the freedom to distribute copies of free software (and charge for this
service if you wish), that you receive source code or can get it if you want it, that you can change the
software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask
you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute
copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there
is no warranty for this free software. If the software is modified by someone else and passed on, we want
its recipients to know that what they have is not the original, so that any problems introduced by others
will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that
redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.
GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND
MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The “Program”,
below, refers to any such program or work, and a “work based on the Program” means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or a
portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is
addressed as “you”.

Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program is
covered only if its contents constitute a work based on the Program (independent of having been made
by running the Program). Whether that is true depends on what the Program does.
2. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to
the absence of any warranty; and give any other recipients of the Program a copy of this License along
with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.

3. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on
the Program, and copy and distribute such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:
a You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b You must cause any work that you distribute or publish, that in whole or in part contains or is derived
from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute the program under these
conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is
interactive but does not normally print such an announcement, your work based on the Program is
not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are
not derived from the Program, and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those sections when you distribute
them as separate works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of this License,
whose permissions for other licensees extend to the entire whole, and thus to each and every part
regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with
a work based on the Program) on a volume of a storage or distribution medium does not bring the
other work under the scope of this License.
4. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:
a Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above
on a medium customarily used for software interchange; or,
c Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For
an executable work, complete source code means all the source code for all modules it contains, plus
any associated interface definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary form) with the major components
(compiler, kernel, and so on) of the operating system on which the executable runs, unless that
component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated
place, then offering equivalent access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not compelled to copy the source along
with the object code.
5. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and
will automatically terminate your rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.
6. You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are prohibited
by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any
work based on the Program), you indicate your acceptance of this License to do so, and all its terms
and conditions for copying, distributing or modifying the Program or works based on it.
7. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
8. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License
and any other pertinent obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of
the free software distribution system, which is implemented by public license practices. Many people
have made generous contributions to the wide range of software distributed through that system in
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
10. The Free Software Foundation may publish revised and/or new versions of the General Public License
from time to time. Such new versions will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this
License which applies to it and “any later version”, you have the option of following the terms and
conditions either of that version or of any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License, you may choose any version ever
published by the Free Software Foundation.
11. If you wish to incorporate parts of the Program into other free programs whose distribution conditions
are different, write to the author to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free
software and of promoting the sharing and reuse of software generally.
NO WARRANTY
12. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN
WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

FREEBSD FOUNDATION

Diablo Version 1.5.0-0 (Software)

OEM LICENSE AGREEMENT

IMPORTANT LEGAL NOTICE CONCERNING SUN MICROSYSTEMS, INC. (Sun) JAVA STANDARD EDITION
(JSE) TECHNOLOGY: There are certain branding and other requirements associated with your commercial
use and redistribution of JSE that You must fulfill. You will need to sign a Trademark License Agreement
with Sun. In addition, if you are interested in using the combined FreeBSD and JSE technology in a field-
of-use other than "Java-enabled general purpose desktop computers and general purpose servers", you
will need to sign an additional commercial use license with Sun permitting redistribution in the desired field
of use. Before downloading the Software, you must review and comply with the terms and conditions set
forth in the Sun Licensed Rights Notice, which is attached as Exhibit A.

You must be an OEM to download this Software. An OEM is a person who will download the Software and
bundle it with other software before distributing the bundled product to its end users. You must have
obtained a current Trademark License Agreement from Sun before downloading the Software. By pressing
the ACCEPT button below you may continue your download, which is your representation and warranty
that you have signed Sun's Trademark License Agreement and (if applicable) an additional commercial use
license with Sun. By completing your download you also agree to be bound by all of the terms of this
License Agreement.
IMPORTANT - READ CAREFULLY: This OEM License Agreement (Agreement) is a legal agreement between
you (in your capacity as an individual and as an agent for your company, institution, or other entity) and
the FreeBSD Foundation (Foundation). Accessing, downloading, installing, using or copying of the
Software (as hereafter defined) by you or a third party on your behalf indicates your agreement to be
bound by the terms and conditions of this Agreement. If you do not agree to these terms and conditions,
do not access, download, install, use or copy the Software. In the absence of this Agreement, you have no
rights in the Software.
1. LICENSE GRANT.
a Subject to all third party intellectual property claims and without warranty of any nature, Foundation
hereby grants to you, and you hereby accept, a non-exclusive license (License) to: (i) download,
install and use one copy of the Software in binary executable form on a single computer system
located on your premises; (ii) use the Software in binary executable form to create or develop other
software products; (iii) distribute and sublicense the Software to third parties in binary executable
form, as an integrated component of another software product, only for use as an integrated
component of that software product, and subject to the terms of this Agreement; (iv) to download
and/or use one copy of the related materials provided by Foundation (Related Materials) in electronic
format and/or hard copy format; and (v) distribute and sublicense the Related Materials in electronic
and/or hard copy format in conjunction with the distribution of the Software as provided in this
Agreement; all subject to the following terms and conditions:
(i) you may not distribute any copies of the Software to third parties except in binary executable
form, as an integrated component of another software product, only for use as an integrated
component of that software product, and subject to the terms of this Agreement;
(ii) you may not distribute copies of the Related Materials to third parties except in conjunction
with the distribution of the Software in binary executable form as an integrated component of another
software product;
(iii) you agree to take reasonable precautions to prevent other parties from reverse engineering,
decompiling, or disassembling your copy of the Software;
(iv) you may not rent, lease, or lend the Software or the Related Materials; and
(v) in the event that you breach any of the terms of this Agreement, Foundation may terminate
the License and you must destroy all copies of the Software and Related Materials.
b Subject to the terms and conditions of this Agreement, you may create a hyperlink between an
Internet website owned and controlled by you and the Foundation's website, which hyperlink
describes in a fair and accurate manner where the Software may be obtained, provided that you do
not frame the Website or otherwise give the false impression that Foundation is somehow associated
with, or otherwise endorses or sponsors your website. Any goodwill associated with such hyperlink
shall inure to the sole and exclusive benefit of Foundation. Other than the creation of such hyperlink,
nothing in this Agreement shall be construed as conferring upon you any right to make any reference
to Foundation or to its trademarks, service marks or any other indicia of origin owned by Foundation,
or to indicate in any way that your products or services are in any way sponsored, approved,
endorsed by or affiliated with Foundation.

2. RIGHTS RESERVED.
a This License does not grant you any right to enhancements or updates to, or support or maintenance
for, the Software or any modifications made by Foundation;
b Foundation is free to license the Software on terms different from those contained herein;
c Foundation and its licensors hereby expressly reserve all rights in the Software which are not
expressly granted to you under the License; and, without limiting the generality of the foregoing,
Foundation and its licensors retain all title, copyright, and other intellectual property and proprietary
rights in the Software and any copies thereof, and you do not acquire any rights, express or implied,
other than those expressly set forth in this Agreement.
3. COPYRIGHT. You hereby acknowledge and agree that the Software is protected by United States
copyright law and international treaty provisions. You must reproduce all copyright notices, trademark
notices and other proprietary notices of Foundation and its licensors on any copies of the Software and
Related Materials and you must not remove such notices;
4. MAINTENANCE AND SUPPORT. Foundation is under no obligation whatsoever to provide
maintenance or support for the Software or to notify you of bug fixes, patches, or upgrades to the
features, functionality or performance of the Software (Enhancements) (if any), whether developed by
Foundation or others. If, in its sole discretion, Foundation makes an Enhancement available to you and
does not enter into a separate written license agreement with you relating to such Enhancement, then
that Enhancement will be deemed incorporated into the Software and subject to this Agreement.
5. WARRANTY DISCLAIMER. THE SOFTWARE IS PROVIDED TO YOU AS IS WITHOUT WARRANTY OF
ANY TYPE OR NATURE, AND FOUNDATION AND ITS LICENSORS HEREBY EXPRESSLY DISCLAIM ANY
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT OR
ANY WARRANTIES ARISING BY USAGE OF TRADE, COURSE OF DEALING OR COURSE OF
PERFORMANCE. IN ADDITION, FOUNDATION AND ITS LICENSORS EXPRESSLY DISCLAIM ANY
LIABILITY FOR THE ACCURACY, COMPLETENESS OR USEFULNESS OF THE SOFTWARE AND DO NOT
WARRANT THAT THE SOFTWARE WILL FUNCTION UNINTERRUPTED, THAT IT IS ERROR-FREE OR
THAT ANY ERRORS WILL BE CORRECTED. YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR
USE OF THE SOFTWARE, INCLUDING, BUT NOT LIMITED TO ANY DEFECTS OR INACCURACIES
THEREIN.
6. LIMITATION OF LIABILITY. IN NO EVENT SHALL FOUNDATION OR ITS LICENSORS BE LIABLE FOR
ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF ANY KIND OR
NATURE, INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR LOSS OF DATA, FOR ANY REASON
WHATSOEVER, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT
(INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF FOUNDATION HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. IN NO EVENT SHALL FOUNDATION'S
LIABILITY FOR DAMAGES ARISING FROM OR IN CONNECTION WITH THIS AGREEMENT EXCEED THE
GREATER OF $500 OR THE AMOUNT PAID BY YOU FOR THE SOFTWARE. BECAUSE SOME STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. IN THE EVENT THAT APPLICABLE LAW
DOES NOT ALLOW THE COMPLETE EXCLUSION OR LIMITATION OF LIABILITY OF CLAIMS AND
DAMAGES AS SET FORTH IN THIS AGREEMENT, FOUNDATION'S LIABILITY IS LIMITED TO THE
GREATEST EXTENT PERMITTED BY LAW.
7. INDEMNIFICATION. You shall defend, indemnify and hold harmless Foundation and its licensors and
their respective directors, officers, agents, employees and volunteers from and against any and all
claims, suits, losses, damages, costs, fees and expenses arising out of or in connection with this
Agreement. You shall pay all costs incurred by Foundation in enforcing this provision, including
reasonable attorneys' fees and court costs. You agree that under no circumstances will Foundation
indemnify you or any other person.

8. TERM AND TERMINATION. The License will continue perpetually unless terminated by Foundation
in accordance with this Agreement. If you breach any term of this Agreement and fail to cure such
breach within thirty (30) days after receipt of written notice specifying the breach, this Agreement shall
automatically terminate. Upon the termination of this Agreement, you shall immediately cease using
the Software and provide Foundation with written certification of your compliance with the foregoing.
The termination of this Agreement shall not relieve you of your obligations arising prior to such
termination. Notwithstanding any provision in this Agreement to the contrary, Sections 5 through 7
shall survive the termination of this Agreement.
9. EXPORT CONTROLS. You shall observe all applicable United States and foreign laws and regulations
(if any) with respect to the export, re-export, diversion or transfer of the Software, related technical
data and direct products thereof, including, but not limited to the Export Administration Regulations.
10. THIRD PARTY SOFTWARE. You acknowledge and agree that the Software includes Java Standard
Edition (the Technology) and you agree to be bound by the terms of the Sun Community Source
License (Copyright 1994-2006 Sun Microsystems, Inc. All rights reserved). You also represent and
warrant that you have obtained all appropriate trademark and other licenses from Sun. You also agree
to install and use the Software on a product which (i) has a principal purpose that is substantially
different from that of the stand-alone Technology; (ii) represents a significant functional and value
enhancement to the Technology; (iii) operates in conjunction with the Technology; and (iv) is not
marketed as a technology which replaces or substitutes for the Technology. In addition, you must brand
your product with the applicable Java logo.
GENERAL. You shall not assert against Foundation or its licensors any claim for infringement or
misappropriation of any intellectual property rights in any way relating to the Software. This Agreement
shall be governed by, construed and enforced in accordance with the laws of the State of California,
excluding its rules governing conflicts of laws. In the event that any provision of this Agreement is deemed
illegal or unenforceable, Foundation may, but is not obligated to, post on the Website a new version of this
Agreement which, in Foundation's opinion, reasonably preserves the intent of this Agreement. This
Agreement is binding upon and shall inure to the benefit of Foundation and its successors and assigns.
This Agreement represents the entire understanding of the parties, and supersedes all previous
communications, written or oral, relating to the subject of this Agreement.
Exhibit A
Dear Valued Customer,
Thank you for choosing the Java Standard Edition platform technology (Java SE) with your FreeBSD
Operating Environment (FreeBSD). Your license with FreeBSD and Sun Microsystems, Inc. (Sun) currently
only permits you to use and distribute the FreeBSD and Java SE technologies within a limited, non-
commercial field of use. In an effort to maximize your options for both platforms, the FreeBSD Foundation
and Sun want to share with you the process for enabling you to make commercial use of the FreeBSD and
Java SE technologies in a broader field if you so desire.
I. Current Field of Use for Java SE
You may currently redistribute the combined FreeBSD and Java SE technologies so long as it is bundled
with or integrated in Java-enabled general purpose desktop computers and servers, pursuant to your
license with FreeBSD Foundation and you have executed a Trademark License with Sun (see Section III
below). You may not distribute Java SE in any other devices or fields of use, including, without limitation,
embedded applications, embedded devices, cell phones, wireless devices, TV devices, telematics devices
and home gateway devices.

II. Additional Fields of Use - Commercial Use
If you are interested in using the combined FreeBSD and Java SE technology in a field-of-use other than
"Java-enabled general purpose desktop computers and general purpose servers", you will need to sign an
additional commercial use license with Sun permitting redistribution in the desired field of use. There are
fees associated with the commercial use license. In order to obtain the additional license for review and
execution, please send an e-mail to Freebsd_Sun_Info@sun.com with the following information: Name
of the company; Name, Title, Contact information of the person that will execute the license, field-of-use
of the product, name of the product. After you receive confirmation from a Sun representative, you will
receive the commercial license agreement permitting the additional field of use for Java SE. Please review,
sign and send two originals of this agreement to your Sun representative.
III. Trademark Licensee
There are certain branding requirements associated with your use and distribution of Java SE that You
must fulfill. You will also need to sign a Trademark License Agreement with Sun. There are no additional
fees associated with the Trademark License Agreement. In order to obtain the Trademark License
Agreement for review and execution, please send an e-mail to Freebsd_Sun_Info@sun.com with the
following information: Name of the company; Name, Title, Contact information of the person that will
execute the license, field-of-use of the product, name of the product.
After you receive confirmation from a Sun representative, you will receive the Trademark License
Agreement. Please review, sign and send two originals of the Trademark License Agreement to your Sun
representative.
Thank you for your attention regarding this matter.
Sincerely,
FreeBSD Foundation

Apache
This product (KBOX) includes software developed by The Apache Software Foundation
(http://www.apache.org/). Apache License Version 2.0, January 2004 http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions. “License” shall mean the terms and conditions for use, reproduction, and distribution as
defined by Sections 1 through 9 of this document. “Licensor” shall mean the copyright owner or entity
authorized by the copyright owner that is granting the License. “Legal Entity” shall mean the union of
the acting entity and all other entities that control, are controlled by, or are under common control with
that entity. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty
percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. “You” (or
“Your”) shall mean an individual or Legal Entity exercising permissions granted by this License.
“Source” form shall mean the preferred form for making modifications, including but not limited to
software source code, documentation source, and configuration files. “Object” form shall mean any
form resulting from mechanical transformation or translation of a Source form, including but not limited
to compiled object code, generated documentation, and conversions to other media types. “Work” shall
mean the work of authorship, whether in Source or Object form, made available under the License, as
indicated by a copyright notice that is included in or attached to the work (an example is provided in
the Appendix below).

“Derivative Works” shall mean any work, whether in Source or Object form, that is based on (or derived
from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works
shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof. “Contribution” shall mean any work of authorship, including the
original version of the Work and any modifications or additions to that Work or Derivative Works thereof,
that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an
individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this
definition, “submitted” means any form of electronic, verbal, or written communication sent to the Licensor
or its representatives, including but not limited to communication on electronic mailing lists, source code
control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the
purpose of discussing and improving the Work, but excluding communication that is conspicuously marked
or otherwise designated in writing by the copyright owner as “Not a Contribution.”
“Contributor” shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has
been received by Licensor and subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform,
sublicense, and distribute the Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor
hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and
otherwise transfer the Work, where such license applies only to those patent claims licensable by such
Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their
Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent
litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct or contributory patent infringement,
then any patent licenses granted to You under this License for that Work shall terminate as of the date
such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in
any medium, with or without modifications, and in Source or Object form, provided that You meet the
following conditions:
a You must give any other recipients of the Work or Derivative Works a copy of this License; and
b You must cause any modified files to carry prominent notices stating that You changed the files; and
c You must retain, in the Source form of any Derivative Works that You distribute, all copyright,
patent, trademark, and attribution notices from the Source form of the Work, excluding those notices
that do not pertain to any part of the Derivative Works; and
d If the Work includes a “NOTICE” text file as part of its distribution, then any Derivative Works that
You distribute must include a readable copy of the attribution notices contained within such NOTICE
file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of
the following places: within a NOTICE text file distributed as part of the Derivative Works; within the
Source form or documentation, if provided along with the Derivative Works; or, within a display
generated by the Derivative Works, if and wherever such third-party notices normally appear. The
contents of the NOTICE file are for informational purposes only and do not modify the License. You
may add Your own attribution notices within Derivative Works that You distribute, alongside or as an
addendum to the NOTICE text from the Work, provided that such additional attribution notices
cannot be construed as modifying the License.

e You may add Your own copyright statement to Your modifications and may provide additional or
different license terms and conditions for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the
Work otherwise complies with the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally
submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions. Notwithstanding the above, nothing herein
shall supersede or modify the terms of any separate license agreement you may have executed with
Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade names, trademarks, service
marks, or product names of the Licensor, except as required for reasonable and customary use in
describing the origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides
the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation,
any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or
redistributing the Work and assume any risks associated with Your exercise of permissions under this
License.
8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence),
contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts)
or agreed to in writing, shall any Contributor be liable to You for damages, including any direct,
indirect, special, incidental, or consequential damages of any character arising as a result of this
License or out of the use or inability to use the Work (including but not limited to damages for loss of
goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or
losses), even if such Contributor has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works
thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or
other liability obligations and/or rights consistent with this License. However, in accepting such
obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any
other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for
any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any
such warranty or additional liability.

OpenLDAP
This product (KBOX 1000 Series) includes software developed by The OpenLDAP Foundation. The
OpenLDAP Public License, Version 2.8, 17 August 2003. Redistribution and use of this software and
associated documentation (“Software”), with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of
conditions, and the following disclaimer in the documentation and/or other materials provided with the
distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by
a version number. You may use this Software under terms of this license revision or under the terms of
any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS''
AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR
OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to
promote the sale, use or other dealing in this Software without specific, written prior permission. Title
to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation.
Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved.
Permission to copy and distribute verbatim copies of this document is granted.

OpenSSL
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.

OpenSSL License
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their
names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
"This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL
PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License


Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation
was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered
to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc.,
code; not just the SSL code. The SSL documentation included with this distribution is covered by the same
copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of the
library used. This can be in the form of a textual message at program startup or in documentation (online
or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following
disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word
'cryptographic' can be left out if the routines from the library being used are not cryptographic related
:-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application
code) you must include an acknowledgement:
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

The licence and distribution terms for any publically available version or derivative of this code cannot
be changed. i.e. this code cannot simply be copied and put under another distribution licence
[including the GNU Public Licence.]

Exim
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document,
but changing it is not allowed.

Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This General Public License applies to most of
the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Lesser General Public License
instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are
designed to make sure that you have the freedom to distribute copies of free software (and charge for this
service if you wish), that you receive source code or can get it if you want it, that you can change the
software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask
you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute
copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there
is no warranty for this free software. If the software is modified by someone else and passed on, we want
its recipients to know that what they have is not the original, so that any problems introduced by others
will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that
redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The "Program",
below, refers to any such program or work, and a "work based on the Program" means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or a
portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term "modification".) Each licensee is
addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program is
covered only if its contents constitute a work based on the Program (independent of having been made
by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to
the absence of any warranty; and give any other recipients of the Program a copy of this License along
with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on
the Program, and copy and distribute such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:
a You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b You must cause any work that you distribute or publish, that in whole or in part contains or is derived
from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute the program under these
conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is
interactive but does not normally print such an announcement, your work based on the Program is
not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are
not derived from the Program, and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those sections when you distribute
them as separate works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of this License,
whose permissions for other licensees extend to the entire whole, and thus to each and every part
regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your
rights to work written entirely by you; rather, the intent is to exercise the right to control the
distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with
a work based on the Program) on a volume of a storage or distribution medium does not bring the
other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:
a Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above
on a medium customarily used for software interchange; or,
c Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For
an executable work, complete source code means all the source code for all modules it contains, plus
any associated interface definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary form) with the major components
(compiler, kernel, and so on) of the operating system on which the executable runs, unless that
component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated
place, then offering equivalent access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not compelled to copy the source along
with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and
will automatically terminate your rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are prohibited
by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any
work based on the Program), you indicate your acceptance of this License to do so, and all its terms
and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License
and any other pertinent obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of
the free software distribution system, which is implemented by public license practices. Many people
have made generous contributions to the wide range of software distributed through that system in
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License
from time to time. Such new versions will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this
License which applies to it and "any later version", you have the option of following the terms and
conditions either of that version or of any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License, you may choose any version ever
published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution
conditions are different, write to the author to ask for permission. For software which is copyrighted by
the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions
for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of
our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED
IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

Samba
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is
not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This General Public License applies to most of
the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Library General Public License
instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are
designed to make sure that you have the freedom to distribute copies of free software (and charge for this
service if you wish), that you receive source code or can get it if you want it, that you can change the
software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask
you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute
copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there
is no warranty for this free software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so that any problems introduced by
others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that
redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The "Program",
below, refers to any such program or work, and a "work based on the Program" means either the
Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it, either verbatim or with modifications
and/or translated into another language. (Hereinafter, translation is included without limitation in the
term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are
outside its scope. The act of running the Program is not restricted, and the output from the Program is
covered only if its contents constitute a work based on the Program (independent of having been made
by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to
the absence of any warranty; and give any other recipients of the Program a copy of this License along
with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on
the Program, and copy and distribute such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:

a You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.

b You must cause any work that you distribute or publish, that in whole or in part contains or is derived
from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.

c If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute the program under these
conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is
interactive but does not normally print such an announcement, your work based on the Program is
not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are
not derived from the Program, and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those sections when you distribute
them as separate works. But when you distribute the same sections as part of a whole which is a
work based on the Program, the distribution of the whole must be on the terms of this License,
whose permissions for other licensees extend to the entire whole, and thus to each and every part
regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with
a work based on the Program) on a volume of a storage or distribution medium does not bring the
other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:

a Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,

b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above
on a medium customarily used for software interchange; or,

c Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For
an executable work, complete source code means all the source code for all modules it contains, plus
any associated interface definition files, plus the scripts used to control compilation and installation
of the executable. However, as a special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary form) with the major components
(compiler, kernel, and so on) of the operating system on which the executable runs, unless that
component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated
place, then offering equivalent access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not compelled to copy the source along
with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and
will automatically terminate your rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are prohibited
by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any
work based on the Program), you indicate your acceptance of this License to do so, and all its terms
and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License
and any other pertinent obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of
the free software distribution system, which is implemented by public license practices. Many people
have made generous contributions to the wide range of software distributed through that system in
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License
from time to time. Such new versions will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this
License which applies to it and "any later version", you have the option of following the terms and
conditions either of that version or of any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License, you may choose any version ever
published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution
conditions are different, write to the author to ask for permission. For software which is copyrighted by
the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions
for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of
our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN
WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

OVAL
Berkeley Software Design, Inc. License
Copyright (c) 2005, The MITRE Corporation All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PHP
This product (KBOX) includes software developed by The PHP Group. The PHP License, version 3.0.
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that
the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name “PHP” must not be used to endorse or promote products derived from this software without
prior written permission. For written permission, please contact group@php.net.
4. Products derived from this software may not be called “PHP”, nor may “PHP” appear in their name,
without prior written permission from group@php.net. You may indicate that your software works in
conjunction with PHP by saying “Foo for PHP” instead of calling it “PHP Foo” or “phpfoo”.
5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version
will be given a distinguishing version number. Once covered code has been published under a particular
version of the license, you may always continue to use it under the terms of that version. You may also
choose to use such covered code under the terms of any subsequent version of the license published
by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to
covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product
includes PHP, freely available from <http://www.php.net/>”.
THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
OF SUCH DAMAGE.
This software consists of voluntary contributions made by many individuals on behalf of the PHP Group.
The PHP Group can be contacted via E-mail at group@php.net.
For more information on the PHP Group and the PHP project, please see http://www.php.net. This
product includes the Zend Engine, freely available at http://www.zend.com.

Sendmail
This product (KBOX) includes software developed by Sendmail, Inc.
SENDMAIL LICENSE
The following license terms and conditions apply, unless a different license is obtained from Sendmail,
Inc., 6425 Christie Ave, Fourth Floor, Emeryville, CA 94608, USA, or by electronic mail at
license@sendmail.com.

License Terms:
Use, Modification and Redistribution (including distribution of any modified or derived work) in source and
binary forms is permitted only if each of the following conditions is met:
1. Redistributions qualify as “freeware” or “Open Source Software” under one of the following terms:
a Redistributions are made at no charge beyond the reasonable cost of materials and delivery.
b Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a
copy of the Source Code for up to three years at the cost of materials and delivery. Such
redistributions must allow further use, modification, and redistribution of the Source Code under
substantially the same terms as this license. For the purposes of redistribution “Source Code” means
the complete compilable and linkable source code of sendmail including all modifications.
2. Redistributions of source code must retain the copyright notices as they appear in each source code
file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below.
3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the
disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other
materials provided with the distribution. For the purposes of binary distribution the “Copyright Notice”
refers to the following language: “Copyright (c) 1998-2003 Sendmail, Inc. All rights reserved.”
4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their contributors
may be used to endorse or promote products derived from this software without specific prior written
permission. The name “sendmail” is a trademark of Sendmail, Inc.

5. All redistributions must comply with the conditions imposed by the University of California on certain
embedded code, whose copyright notice and conditions for redistribution are as follows:
a Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved.
b Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met: (i) Redistributions of source code must retain the
above copyright notice, this list of conditions and the following disclaimer. (ii) Redistributions in
binary form must reproduce the above copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided with the distribution. (iii) Neither
the name of the University nor the names of its contributors may be used to endorse or promote
products derived from this software without specific prior written permission.
6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC. AND
CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE
UNIVERSITY OF CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.

#ZipLib
The license is released under the GPL with an exception which allows the linking to non GPL programs.
The exception to the GPL is as follows:
Linking this library statically or dynamically with other modules is making a combined work based on this
library. Thus, the terms and conditions of the GNU General Public License cover the whole combination. As
a special exception, the copyright holders of this library give you permission to link this library with
independent modules to produce an executable, regardless of the license terms of these independent
modules, and to copy and distribute the resulting executable under terms of your choice, provided that
you also meet, for each linked independent module, the terms and conditions of the license of that
module. An independent module is a module which is not derived from or based on this library. If you
modify this library, you may extend this exception to your version of the library, but you are not obligated
to do so. If you do not wish to do so, delete this exception statement from your version.
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble
The licenses for most software are designed to take away your freedom to share and change it. By
contrast, the GNU General Public License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This General Public License applies to most of
the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Library General Public License
instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are
designed to make sure that you have the freedom to distribute copies of free software (and charge for this
service if you wish), that you receive source code or can get it if you want it, that you can change the
software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask
you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute
copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the
recipients all the rights that you have. You must make sure that they, too, receive or can get the source
code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which
gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there
is no warranty for this free software. If the software is modified by someone else and passed on, we want
its recipients to know that what they have is not the original, so that any problems introduced by others
will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that
redistributors of a free program will individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free
use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright
holder saying it may be distributed under the terms of this General Public License. The “Program”,
below, refers to any such program or work, and a “work based on the Program” means either the
Program or any derivative work under copyright law: that is to say, a work containing the Program or a
portion of it, either verbatim or with modifications and/or translated into another language.
(Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is
addressed as “you”. Activities other than copying, distribution and modification are not covered by this
License; they are outside its scope. The act of running the Program is not restricted, and the output
from the Program is covered only if its contents constitute a work based on the Program (independent
of having been made by running the Program). Whether that is true depends on what the Program
does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any
medium, provided that you conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to
the absence of any warranty; and give any other recipients of the Program a copy of this License along
with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer
warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on
the Program, and copy and distribute such modifications or work under the terms of Section 1 above,
provided that you also meet all of these conditions:
a You must cause the modified files to carry prominent notices stating that you changed the files and
the date of any change.
b You must cause any work that you distribute or publish, that in whole or in part contains or is derived
from the Program or any part thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
c If the modified program normally reads commands interactively when run, you must cause it, when
started running for such interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a notice that there is no warranty (or
else, saying that you provide a warranty) and that users may redistribute the program under these
conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is
interactive but does not normally print such an announcement, your work based on the Program is
not required to print an announcement.) These requirements apply to the modified work as a whole.
If identifiable sections of that work are not derived from the Program, and can be reasonably
considered independent and separate works in themselves, then this License, and its terms, do not
apply to those sections when you distribute them as separate works. But when you distribute the
same sections as part of a whole which is a work based on the Program, the distribution of the whole
must be on the terms of this License, whose permissions for other licensees extend to the entire
whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely
by you; rather, the intent is to exercise the right to control the distribution of derivative or collective
works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with
a work based on the Program) on a volume of a storage or distribution medium does not bring the
other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or
executable form under the terms of Sections 1 and 2 above provided that you also do one of the
following:
a Accompany it with the complete corresponding machine-readable source code, which must be
distributed under the terms of Sections 1 and 2 above on a medium customarily used for software
interchange; or,
b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge
no more than your cost of physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above
on a medium customarily used for software interchange; or,

c Accompany it with the information you received as to the offer to distribute corresponding source
code. (This alternative is allowed only for noncommercial distribution and only if you received the
program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an
executable work, complete source code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to control compilation and installation of the
executable. However, as a special exception, the source code distributed need not include anything that
is normally distributed (in either source or binary form) with the major components (compiler, kernel,
and so on) of the operating system on which the executable runs, unless that component itself
accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place,
then offering equivalent access to copy the source code from the same place counts as distribution of
the source code, even though third parties are not compelled to copy the source along with the object
code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under
this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and
will automatically terminate your rights under this License. However, parties who have received copies,
or rights, from you under this License will not have their licenses terminated so long as such parties
remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants
you permission to modify or distribute the Program or its derivative works. These actions are prohibited
by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any
work based on the Program), you indicate your acceptance of this License to do so, and all its terms
and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient
automatically receives a license from the original licensor to copy, distribute or modify the Program
subject to these terms and conditions. You may not impose any further restrictions on the recipients'
exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties
to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of
this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License
and any other pertinent obligations, then as a consequence you may not distribute the Program at all.
For example, if a patent license would not permit royalty-free redistribution of the Program by all those
who receive copies directly or indirectly through you, then the only way you could satisfy both it and
this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the
balance of the section is intended to apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims
or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of
the free software distribution system, which is implemented by public license practices. Many people
have made generous contributions to the wide range of software distributed through that system in
reliance on consistent application of that system; it is up to the author/donor to decide if he or she is
willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of
this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by
copyrighted interfaces, the original copyright holder who places the Program under this License may
add an explicit geographical distribution limitation excluding those countries, so that distribution is
permitted only in or among countries not thus excluded. In such case, this License incorporates the
limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License
from time to time. Such new versions will be similar in spirit to the present version, but may differ in
detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this
License which applies to it and “any later version”, you have the option of following the terms and
conditions either of that version or of any later version published by the Free Software Foundation. If
the Program does not specify a version number of this License, you may choose any version ever
published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions
are different, write to the author to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this.
Our decision will be guided by the two goals of preserving the free status of all derivatives of our free
software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE
PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN
WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS”
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH
YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY
SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY
COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE
PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL,
SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO
USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

Other Copyrights
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in
compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is
distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
or implied. See the License for the specific language governing permissions and limitations under the
License.
The PHP License, version 3.0
Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Copyright (c) 1998-2003 Sendmail, Inc.; All rights reserved.

Index
A
Adding computers to inventory 65
Adding Software to Inventory 68
Administrator Console 2, 3
Advanced Search - Computer Inventory 56
Advanced Search - Software Inventory 66
Agent Customization 351, 354
Alert Messages 238
AMP Message Queue 51
AMP Settings 24
AppDeploy Live 329
AppDeploySM Live 76
Asset Association 88
Asset Management 87
Managing Assets 91
Asset Types 87
Auto Provisioning 31

B
Backing up KBOX 1000 Series data 295
Downloading backup files 295

C
Client bundle 49
Client Check-In Rate 9, 273
Clients Connected 11
Common Deployments on Linux 115
Standard RPM Example 115
Standard TAR.GZ Example 119
Common Deployments on Macintosh® 124
Common Deployments on Solaris™ 120
Standard TAR.GZ Example 123
Common Deployments on Windows 110
Standard EXE Example 114
Standard MSI Example 110
Standard ZIP Example 114
Compression mode 114
Computer Asset 88
Computer Details 58
Activities 62
Failed Managed Installs 62
Help Tickets 62
Labels 62
To Install List 62
Asset 64
Asset History 64
Asset Information 64
Related Assets 64
Inventory Information 59
Hardware 59
KBOX Agent 60
Network Interfaces 60
Notes 61
Operating System 61
Printers 60
User 61
Logs 63
KBOX Agent Logs 63
Portal Install Logs 64
Scripting Logs 64
Security 63
Oval Vulnerabilities 63
Patching Detect/Deploy Status 63
Threat Level 5 List 63
Software 61
Custom Inventory Fields 62
Installed Patches via Inventory 62
Installed Programs 61
Running Processes 62
Services 62
Startup Programs 62
Uploaded Files 62
Summary 58
Computer Notifications 57
Computer statistics 13, 275
Computers 290
Configuration Policies 157
Conventions xiii
Custom Data Fields 71
Custom Inventory ID (rule) 69
Customize download page 137
CVE 179

D
Daily Run Output 354
Database Tables 337
Date & Time Settings 26
Default Role 284
Delete a configuration 40, 41
Deployment Options 15
Desktop Settings
Desktop Settings 158
Desktop Shortcuts Wizard 159
Detect and Deploy Patches 172
Digital Asset 72
Disable a configuration 42
Disk log status data 303
Distribution 103
Distributing Packages through an Alternate Location 105
Distributing Packages through KBOX 104
Types of Distribution Packages 104
DNS 4
Download Location 105
Duplicate a configuration 40

E
Edit Mode Link xiii
E-mail Alerts 239
Enable a configuration 41
Enable Tether xvii
Escalation process 221
Event Log Reporter 160

F
Factory settings 297
File Synchronizations 124

G
General settings 16
Generating Reports 94
Global Search 14

H
Help Desk 206
Help Desk E-mail 213
Help Desk fields 210
Category Values 210
custom value fields 212
Help Desk Customization page 210
Impact values 212
Priority values 211
Status Values 210
Ticket List View 213
Help Desk Reports 223
Help Desk Tickets 217
Helpdesk Queues 207
Home Module 9

I
Importing Asset 95
Installation Parameters 106
Inventory 55
IP Scan 97
iPhone 131
Administrative Access 131, 132
Asset Collection Script 134
Collection Settings Configuration 133
Configuration 135
Configuration Profiles 132
Profile Details 132

J
JumpStart Program xvii

K
KACE Professional Services xviii
KBOX Agent Update 47
Agent Patches 48
Update KBOX Agent Automatically 47
KBOX Appliance Components 2
KBScriptRunner 45
Knowledge Base 197

L
Labels 84
LDAP Browser 243
LDAP Browser Wizard 245
LDAP Easy Search 244
LDAP Filters 247
License Compliance 11
License key 298
Licensing 93
Log-in Script 16
Logs 301

M
Macintosh® Users 322
AppDeploy Live 329
Asset Management 329
Distribution 324
Inventory 323
Logs 329
Patching 328
Reporting 329
User Portal and Help Desk 328
Manage Enterprise Distribution 132
Managed Installations 106
Windows Platform 107
Managed Operating Systems 12
Manual Deployment of KBOX Agent 342
Linux 343
Macintosh® 347
Solaris 345
Manual Provisioning 34, 37
McAfee SuperDAT Updater 189
MIA Computers 83
MIA Settings 83
Minimum server version 297
Mobile UI into KBOX 137
MSI Installer policy 160
Multiple Machine Provisioning 29

N
Network Scan Summary 14, 276
Network Settings 258
Network Utilities 268

O
Organizational Components 3
Organizational Filters 287
Data Filter 287
LDAP Filter 287
Organizational Roles 284
Organizations 278
OVAL 179
OVAL definitions 300
OVAL Reports 183
OVAL Settings and Schedule 182
OVAL Tests 180

P
Patch Bulletin Information 13, 276
Patch Definitions 299
Deleting 299
Enhanced Content 299
Updating 299
Patching 167
Advanced Search 170
Enhancements 168
Patch Label 171
Patch Listing 169
Quality Assurance 167
Reports 176
Saved Search 170
Subscription Settings 169
Workflow 168
Processes 77
Provisioned Configurations 40
Provisioning Results 42, 43

Q
Quarantine Policy 190
Lift Quarantine Action 191

R
Rebooting KBOX 300
Redirecting computer(s) 291
Refiltering computer(s) 291
Registry Settings 157
Remote behavior 158
Replication 127
Replication Enhancements in KBOX Agent 4.3 130
Replication Share Details 129
Replication Share for patches 176
Reports 226, 308
Types of Reports 226, 308
Restoring KBOX 1000 Series Settings 296
Roles 203
Run Now Function 154

S
Satisfaction survey 222
Scheduled Scans 97
Script Detail 155
Scripting 143
Adding Scripts 145
Duplicating an existing script 153
Duplicating scripts 153
Editing Scripts 150
Importing scripts 152
Scripting Log Files 156
Search Filters - Computer Inventory 56
Search Filters - Software Inventory 67
Security 179
Security Policies 184
Disallowed Programs Settings 187
Internet Explorer Settings 184
McAfee AntiVirus Settings 188
Symantec AntiVirus Settings 189
XP SP2 Firewall Settings 186
Security Settings 262
Server Network Configuration 5
Server update 298
Service 81
Setting up your first KBOX Agent 14
Setting Up Your New KBOX server 4
Setup Location 4
Shutting down KBOX 300
Single Sign-On 269
Software Asset 71
Software Deployment Components 3
Software Distribution Summary 13, 275
Software Inventory 66
Software Library 195
Software Metering 74
Software statistics 13, 275
Software Threat Level 10
SSL Certificate Wizard 23, 264
Startup 79
Steps for Task sections 331
Summary 9
Support xiv
Support page xiv
Support ticket xv
System Console 2
System Console Users 260
System requirements 29

T
Tasks In Progress 12
Test Organization Filter 290
The KBOX Modules 6
The KBOX Summary 273
Ticket Attributes 218
Ticket Rules 214
Token Replacement Variables 153
Troubleshooting Tools 268

U
UltraVNC Wizard 162
Un-Installer 163
Unpacking the Appliance 4
Upgrading KBOX 294
Use Markdown 198
User Authentication 249
User Portal 3, 194
Administrator view 194
End user view 194
Users 199
Adding users automatically 201
Adding users manually 199
Importing users 201

V
Version 13

W
Wake-on-LAN 140
Troubleshooting Wake-on-LAN 141
Wake-on-LAN Request 140
Web Server Load 274
Windows Automatic Update Settings 164
Windows Debugging 302
Windows Update Policy 176
