A D M I N G U I D E

Administrator Guide for KBOXTM 1000 Series
Version 4.3 - 1200

© 2004-2009 KACE Networks, Inc. All rights reserved. Welcome to KBOX 1000 ownership! Welcome to version 4.3 of the KBOXTM 1000 Series appliance. This Administrator Guide is designed to help you install, configure, use, and maintain your KBOX 1000 Series appliance. KACETM is dedicated to customer success with our primary goal being your ability to quickly utilize your KBOX 1000 Series appliance to save time and eliminate the tedious task of manual inventory, software, and desktop management. If at any time you experience a problem, or have a question regarding your KBOX 1000 Series appliance, please contact our support representatives for assistance.

Support Contact: KACE Technical Support (888) 522-3638 for support select option 2 http://www.kace.com/support Company Contact: Kace Networks, Inc. 1616 North Shoreline Blvd. Mountain View, California 94043 (888) 522-3638 office for all inquiries (650) 649-1806 fax

Contents
About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
How this Guide is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii Additional Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
KBOX 1000 Series JumpStart Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii KACE Professional Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xviii

Ch. 1 Getting Started

......................................................1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 KBOX Appliance Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Hardware Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Organizational Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Software Deployment Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Setting Up the KBOX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 The KBOX Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Home Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The KBOX Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Client Check-In Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Software Threat Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 License Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Clients Connected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Managed Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Tasks in Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 KBOX Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Computer Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Software Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Software Distribution Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Alert Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Patch Bulletin Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 OVAL Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 Network Scan Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Global Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Setting Up KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Alternative Options to Deploy KBOX Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Key Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Configuring General Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Configuring Network Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
List of Open Ports Required for KBOX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

i

Configuring Security Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
SSL Certificate Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Configuring AMP Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Configuring Date & Time Settings of the KBOX Server . . . . . . . . . . . . . . . . . 26

Ch. 2 Agent Provisioning

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Overview of Agent Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
System Requirements for the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Single Machine Provisioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Advanced Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Provisioned Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Provisioning Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 KBOX Agent Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 KBOX Agent Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 KBOX Agent Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 AMP Message Queue. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Ch. 3 Inventory

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Overview of the Inventory feature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Using Advanced Search for Computer Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Creating Search Filters for Computer Inventory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 Creating Computer Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Filtering Computers by Organizational Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Computers Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Inventory Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Adding Computers to Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Adding Computers automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Adding Computers manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Using Advanced Search for Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Creating Search Filters for Software Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Adding Software to Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Adding Software Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Adding Software Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Custom Inventory ID (rule) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Creating Software Asset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Custom Data Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 Attaching a Digital Asset to a Software Title . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

ii

Software Metering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Adding a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 Editing Software Meter Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Deleting a Software Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Configuring the Software Metering Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

AppDeploySM Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Enabling AppDeploy Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76 Viewing AppDeploy Live content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Monitoring Out-Of-Reach Computers (MIA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Configuring the MIA Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Creating Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Viewing Computer Details by Label. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 Deleting labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Ch. 4 Asset Management

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Overview of Asset Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Managing Asset Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Asset Association . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Managing Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Monitoring licenses of a Software family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94 Generating Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Importing Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Ch. 5 IP Scan

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

IP Scan Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Viewing Scheduled Scans list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Creating an IP Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Scan Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Ch. 6 Distribution

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Distribution feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Types of Distribution Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Distributing Packages through the KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Distributing Packages through an Alternate Location . . . . . . . . . . . . . . . . . . . . . . . . . 105 Difference between Replication Share and Alternate Download Location . . . . . . . . . 105

Managed Installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Installation Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

iii

Creating a Managed Installation for Windows Platform . . . . . . . . . . . . . . . . . . . . . . . 107

Examples of Common Deployments on Windows . . . . . . . . . . . . . . . . . . . . . 110
Standard MSI Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 Standard EXE Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Standard ZIP Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Examples of Common Deployments on Linux . . . . . . . . . . . . . . . . . . . . . . . . . 115
Standard RPM Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Examples of Common Deployments on Solaris™ . . . . . . . . . . . . . . . . . . . . . . 120
Standard TAR.GZ Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Examples of Common Deployments on Macintosh® . . . . . . . . . . . . . . . . . . 124 File Synchronizations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Creating a file synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Creating a Replication Share . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Viewing Replication Share Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 Replication enhancements in the KBOX version 4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . 130

iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Setting up Administrative Access to iPhone Profile Management . . . . . . . . . . . . . . . . 131 Creating Configuration Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Adding an iPhone Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 To view or edit profile details: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Configuring Collection Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 iPhone Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Configuring iPhone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Ch. 7 Wake-on-LAN

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Wake-on-LAN feature Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Issuing a Wake-on-LAN request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 Troubleshooting Wake-on-LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Ch. 8 Scripting

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Scripting Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Using Scripts that are installed with the KBOX . . . . . . . . . . . . . . . . . . . . . . . . 144 Creating and Editing Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Adding Scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Editing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 Importing Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 Duplicating Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Token Replacement Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Using the Run Now function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Run Scripts using the Run Now tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Run Now from the Script Detail page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Monitoring Run Now Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Run Now Detail Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

iv

Searching Scripting Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 Configuration Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Enforce Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Remote Desktop Control Troubleshooter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Enforce Desktop Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Desktop Shortcuts Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Event Log Reporter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 MSI Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 UltraVNC Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Un-Installer Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Windows Automatic Update Settings policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Ch. 9 Patching

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Overview of the Patch Management feature . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Patch Quality Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 Patching enhancements in 4.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 Patching Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Subscription Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Patch Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Using Advanced Search for Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Detect and Deploy Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 Patching Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Creating a Replication Share for Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 Create New Windows Update Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Ch. 10 Security

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Security Module Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
About OVAL and CVE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Running OVAL Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 OVAL Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

OVAL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 Vulnerability Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Computer Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Creating Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Enforce Internet Explorer Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Enforce XP SP2 Firewall Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Enforce Disallowed Programs Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 Enforce McAfee AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 McAfee SuperDAT Updater . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Enforce Symantec AntiVirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Quarantine Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Lift Quarantine Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

v

Ch. 11 User Portal and Help Desk

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Overview of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
End User View of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Administrator View of the User Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Understanding the Software Library feature . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Creating a software library to deploy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Using the Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Adding Knowledge Base Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 Editing and Deleting Knowledge Base Articles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Adding Users Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Adding Users automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Importing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Creating and Editing Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Overview of the Help Desk Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Helpdesk Queues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Customizing Help Desk fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Help Desk E-mail Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 Ticket Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 Creating and Editing Help Desk Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Submitting Help Desk Tickets through E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Setting Ticket Attributes via E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 Editing Help Desk Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219 Searching Help Desk tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Managing Help Desk Tickets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Understanding the Escalation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 About the Satisfaction Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Running Help Desk Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Ch. 12 Reporting

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

The KBOX Reports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Creating and Editing Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Previewing SQL report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Creating Alert Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

E-mail Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Creating E-mail Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 Exporting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

vi

Importing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Ch. 13 LDAP

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

LDAP Browser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 LDAP Easy Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 LDAP Browser Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 LDAP Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Ch. 14 KBOX Settings - System Admin

. . . . . . . . . . . . . . . . . . . . . . . 255

Configuring General Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
List of Open Ports required for the KBOX Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Configuring Network Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . 258 Managing System Console Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Configuring Security Settings for the Server . . . . . . . . . . . . . . . . . . . . . . . . . . 262
SSL Certificate Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Configuring AMP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Configuring Date & Time Settings of the KBOX Server . . . . . . . . . . . . . . . . 268 Troubleshooting Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Linking KBOX Appliances Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Manage Linked KBOX Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

The KBOX Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Client Check-In Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Web Server Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 Tasks in Progress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274 KBOX Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Computer Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Software Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Software Distribution Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Alert Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Patch Bulletin Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 OVAL Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276 Network Scan Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Ch. 15 Organizations - System Admin

. . . . . . . . . . . . . . . . . . . . . . . . 277

Overview of Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Default Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Creating and Editing Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

Organizational Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Default Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 Creating and Editing Organizational Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Organizational Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

vii

Creating and Editing Organizational Filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

KBOX Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 Test Organization Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 Refiltering Computer(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Redirecting Computer(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 Understanding Computer Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291

Ch. 16 Server Maintenance - System Admin

. . . . . . . . . . . . . . 293

The KBOX Maintenance Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Upgrading the KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Backing up the KBOX Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Backing up the KBOX Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295 Downloading Backup Files to another location. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Restoring the KBOX Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Restoring from most recent backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Uploading Files to Restore Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Restoring to Factory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Updating the KBOX Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Verifying Minimum Server Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Updating the license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Applying the server update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Verifying the update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Patch Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Updating Patch Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Deleting Patch files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Enhanced Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 Rebooting and shutting down the KBOX appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Updating OVAL Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Troubleshooting the KBOX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Accessing the KBOX Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Downloading Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Understanding Disk Log Status Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

Ch. 17 Reporting - System Admin

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

The KBOX Reports Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Types of Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 Running Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Creating and Editing Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Previewing SQL report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317 Scheduling Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Exporting Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Importing Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Appendix A

Macintosh® Users

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

viii

Inventory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Examples of Common Deployments on Macintosh® . . . . . . . . . . . . . . . . . . . . . . . . . . 324 Patching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 User Portal and Help Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Asset Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 AppDeploy Live . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Appendix B

Adding Steps to a Task

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

Adding Steps to Task Sections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Appendix C

Database Tables

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

The KBOX Database Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Appendix D

Manual Deployment of the KBOX Agent

. . . . . . . . . . . . . . 342

Manual Deployment of the KBOX Agent on Linux . . . . . . . . . . . . . . . . . . . . . 343
Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Upgrading the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343

Manual Deployment of the KBOX Agent on Solaris . . . . . . . . . . . . . . . . . . . . 345
Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Upgrading the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Manual Deployment of the KBOX Agent on Macintosh® . . . . . . . . . . . . . . 347
Installing and Configuring the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347 Upgrading the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Removing the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348 Verifying Deployment of the KBOX Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Appendix E

Agent Customization

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Agent Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Appendix F Appendix G

Understanding the Daily Run Output Warranty, Licensing, and Support

. . . . . . . . . . . . . . . . . . 354

. . . . . . . . . . . . . . . . . . . . . . 360

Warranty and Support Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Third Party Software Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
FreeBSD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361 Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

ix

OpenLDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371 OpenSSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372 Exim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374 Samba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 OVAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383 Sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384 #ZipLib . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385 Other Copyrights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

x

P R E F A C E About this Guide
This chapter provides an overview of the Administrator Guide and links to resources that will help you better administrate your KBOX.
“How this Guide is Organized,” on page xii “Conventions,” on page xiii “Additional Resources,” on page xiv “Support,” on page xiv

xi

How this Guide is Organized
This Administrator Guide contains detailed information about the KBOX 1000 Series Systems Management appliance, and is intended for system administrators. This guide provides detailed step-by-step instructions on deployment, configuration, and upgrades on the KBOX 1000 Series Systems Management Appliance. This guide is organized into the following sections: Orientation and Setup Chapter 1,“Getting Started,” starting on page 1 Chapter 2,“Agent Provisioning,” starting on page 28 Chapter 3,“Inventory,” starting on page 54 Chapter 4,“Asset Management,” starting on page 86 Chapter 5,“IP Scan,” starting on page 96 Chapter 6,“Distribution,” starting on page 102 Configuration Chapter 7,“Wake-on-LAN,” starting on page 139 Chapter 8,“Scripting,” starting on page 142 Chapter 9,“Patching,” starting on page 166 Chapter 10,“Security,” starting on page 178 Maintenance and Support Chapter 11,“User Portal and Help Desk,” starting on page 193 Chapter 12,“Reporting,” starting on page 225 Chapter 13,“LDAP,” starting on page 242 Chapter 14,“KBOX Settings - System Admin,” starting on page 255 Chapter 15,“Organizations - System Admin,” starting on page 277 Chapter 16,“Server Maintenance - System Admin,” starting on page 293 Chapter 17,“Reporting - System Admin,” starting on page 307 Reference Appendix A,“Macintosh® Users,” starting on page 322 Appendix B,“Adding Steps to a Task,” starting on page 330 Appendix C,“Database Tables,” starting on page 336 Appendix D,“Manual Deployment of the KBOX Agent,” starting on page 342 Appendix E,“Agent Customization,” starting on page 350 Appendix F,“Understanding the Daily Run Output,” starting on page 354 Appendix G,“Warranty, Licensing, and Support,” starting on page 360

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xii

Conventions
The KBOX 1000 application and guide uses the following formatting conventions: Format Bold | (pipe) Description Represents buttons, tab labels, and menu selections. Represents the selection order. For example, Inventory | Computers. Here Inventory is the module and Computers is the tab under the Inventory module.

Table ii-1: Formatting Conventions Text in a blue box represents a note. A note can include configuration questions, specific KBOX behavior, or instructions of additional importance.

Edit Mode Link This convention is used on the application and thus reflected in the guide. Certain screens of the Admin or System consoles are write-protected to restrict unintentional changes to the current settings. To make these pages editable, click [Edit Link].

Modules: Click the module names to view tabs under it. Tabs: Displays the tabs within the selected module. Click the tab to view its contents. Sub tabs: Displays the sub tabs within the selected module. Click to perform tasks like Creating a Filter, Creating a

Figure ii-2: Conventions

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xiii

Additional Resources
You can refer to the following resources to install, configure, and maintain the KBOX: Silent Mode Installation Tips and Tricks - http://www.kace.com/support/customer/doc/ SilentInstallationWhitepaper.pdf Installation and Scripting resources - http://www.kace.com/support/customer/ additional_resources.php Tutorial Videos - http://www.kace.com/support/customer/training.php

Contact Kace Support if you do not have a user name and password to access these resources.

Support
The KBOX 1000 Series pack includes software updates, telephone support, and access to an on-line support portal, which includes: Software and documentation - Software updates for all purchased KBOX components (Operating System, Middleware and applications) and their upgrade information on www.kace.com/support portal Knowledge base of frequently asked questions Details on the most common software package installation switches Other IT management information - Information like white papers, video tutorials for configuring the KBOX Server as per customer requirements, and others To access the Support portal: 1. Select KBOX Settings| Support or click Support page appears. 2. The Support page displays the following links: KBOX Administrator Guide - Link to the KBOX 1000 Series Administrator Guide that includes steps to install and operate KBOX 1000. KACE Customer Support - Link to the KACE Support page on the KACE website. It displays Updates, Video Tutorials, FAQs, Current News, and Customer Forums. AppDeploy.com - Link to open the AppDeploySM website. AppDeploy is an Online community of IT professionals sharing information about the deployment of thousands of applications. New KACE Ticket - Link to the New KACE Support Ticket page. This page helps you to raise a ticket, send a bug report, or submit a feature request. View KACE Tickets - Link to the Tickets page on support.kace.com, where you can track your ticket status. Contact KACE - Link to the your default e-mail client to send an e-mail to support@kace.com. on the modules toolbar. The KBOX Settings: KACE

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xiv

Troubleshooting Tools - Link opens the KBOX Support: Troubleshooting Tools page. This page contains tools to help the KBOX administrators and KACE Technical Support to troubleshoot problems with this KBOX. You can use Network Utilities to test various aspects of this KBOX's network connectivity, see page xvi. To create a new support ticket: 1. Select Settings | Support or click Support page appears. on the modules toolbar. The KBOX Settings: KACE

2. Click New KACE Ticket. The New KACE Support Ticket page appears. 3. Enter the following details: From Name To CC Subject Ticket Type Enter a valid e-mail address for creating the ticket. This is a mandatory field. Enter name of the person who is creating the ticket. For example, Jim. A read-only field that displays the KACE support e-mail address. Enter the e-mail address of a recipient, to send them a copy of the message. Enter the subject of the ticket to identify the problem addressed in the ticket. Select the Ticket Type from the drop-down list. The Ticket Type list includes: Help Request - Is selected for any issues regarding the KBOX Server Feature Request - Is selected for additional features to enhance the KBOX Server functionality Bug Report - Is selected for bugs found in the KBOX Server and further sending report to KACE Support Impact Select the impact of the problem from this list: Many people can't work Many people inconvenienced 1 person can't work 1 person inconvenienced Priority Select the priority from the drop-down list, which can be: High - A ticket with this priority is responded on the same day Medium - A ticket with this priority is responded within 24 hours Low - A ticket with this priority is responded within 24 hours Category Select the category of the ticket from the drop-down list. This selection helps you to segregate the tickets based on the issue. For example, “Windows KBOX Agent not functioning properly.” Enter the phone number on which the KACE support team can contact you. Enter the method by which KACE should respond to this request. You can select either e-mail or phone. This is a read-only field that displays the KBOX 1000 Series Server Version, Server Serial Number and the KBOX Model name.

Phone Number Please Respond by

Steps to Reproduce Enter the steps you performed to discover this issue. This is a mandatory field. Additional Details

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xv

4. Click Send to support@kace.com. Your request is automatically entered into the ticketing system and you receive an e-mail confirmation with additional information based on the ticket you created. This comprises of a direct link to view the ticket details for tracking purposes. To use Network Utilities: You can use Network Utilities to test various aspects of the KBOX's network connectivity. 1. Select KBOX Settings | Support or click KACE Support page appears. 3. Click the [Edit Mode] link. a Enter the IP Address in the text box, on which you want to execute a network command. b Select the appropriate network command from the drop-down list. The commands are as follows: Command ping arp dig ifconfig iostat Description This command helps in determining IP addresses and issues with the network, and assists in resolving them. This command displays the arp information from network devices. (IP Address-MAC Address) This command performs DNS lookups and displays the answers that are returned from queried name server(s). This command allows you to view information about the configured network interfaces on the KBOX Server. This command monitors the KBOX Server's system input/output (I/O) device loading, by observing the time the physical disks are active in relation to their average transfer rates. This command displays the TCP/IP network protocol statistics and information for the KBOX Server. This command lists the current Samba connections to the KBOX Server. This command displays system summary information and a list of tasks currently managed on the KBOX Server. This command lists the various services running on KBOX Server and their status. on the modules toolbar. The KBOX Settings:

2. Click Troubleshooting Tools. The Troubleshooting Tools page appears.

netstat smbstatus top

email sending This command tests if the KBOX server can send e-mail to the specified recipient(s). services

Table ii-3: Network Utilities 4. Click Test. The test details pertaining to the command you selected is displayed. Click the “click here” link in “To download logs, click here” to download the KBOX Troubleshooting Logs. This contains a variety of logs like Access logs, KBOX Server updates, and so on. These help the support team in troubleshooting the issues.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xvi

To view details on KBOX Agent Messaging, click the “tasks” link in “See status of KBOX Agent tasks” under KBOX Agent Messaging. For more details, see section “KBOX Agent Tasks,” on page 43. Click the “message queue” link in “See list of pending communications in the KBOX Agent message queue”. For more details, see section “AMP Message Queue,” on page 51. Select the Enable Tether check box under KACE Support Tether to allow KACE Technical Support access to your KBOX. KACE Support sends a tether key to the user when they observe issues such as, Admin cannot login, Database getting corrupted, and others in the KBOX Server. This tether key, when uploaded, creates a secure connection with the user’s KBOX and enables KACE Support to access the affected KBOX Server at the user interface and SSH level.

KBOX 1000 Series JumpStart Program
The KBOX 1000 Series JumpStart Program guarantees that your KBOX 1000 Series appliance is correctly installed and configured. It provides you with a customizable, hands-on training to familiarize you with the products. The KBOX Systems Management Appliance JumpStart Program activities and training are focused specifically on the systems management and end-point security capabilities of the KBOX Systems Management Appliance. The JumpStart Program includes the following: Installation Assistance - Your KBOX appliance is installed and configured. Best Practices - Includes training on best practices such as how to organize devices into groups (labels) for management and reporting purposes, automating the KBOX backups, setting up alerts, and so on. Reporting - Provides walkthroughs for creating new reports and customizing existing reports with the KBOX wizard-based authoring tool. If you are already standardized on an ODBC compliant reporting tool and want to use that tool to generate reports, the JumpStart Program shows you how to make the connection to the KBOX database. Agent Deployment Assistance - Provides a customized roll out plan that includes deployment of up to 150 agents on your network and the capturing of the initial computer inventory. Software Distribution & Patch Management Assistance - Provides customized training and one managed installation created and deployed using remote administration. Directory Services Integration - Assistance with LDAP or Active Directory integration. Scripting and Policy - Provides walk throughs for creating and deploying scripts and policies. Security Audit and Enforcement Module (standard with KBOX 1200, optional with KBOX 1100) - Includes training on how to set up OVAL vulnerability scans, and configure security policies such as enforcing XP firewall and Internet Explorer settings. Refer Security Audit and Enforcement Module for more details. Help Desk Module (optional with both KBOX 1100 & KBOX 1200) - Includes training on configuring the Help Desk module with custom escalation and routing rules, using custom fields, and importing user data via LDAP. Refer Help Desk Module for more details. For more information on the JumpStart program, you can refer the following resources: KBOX Jumpstart Datasheet Contact the KACE Customer Support for more information on the support services.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xvii

KACE Professional Services
KACE professional services are delivered by KACE partners or KACE engineers, tailored to match your specific needs, and improve your organization's IT efficiency, compliance, and security. Some common KBOX 1000 Series services include the following: 1. Leverage more functionality of your KACE appliances - KACE has created a collection of the most requested services offerings using the knowledge gained from hundreds of the KBOX deployments. This service is designed to help you leverage all the sophisticated functionality of your KBOX. 2. Optimize your interactions with KACE experts - This service compliments your JumpStart training, and provides more in depth instructions related to specific capabilities of your KBOX and associated modules. 3. Obtain quick and economical practical functionalities - This service helps you in implementing the KBOX features quickly and economically. 4. Help Desk Configuration Offering - This service is designed to offer detailed guidance in implementing the following: a Ticket Assignment Workflow b Ticket Escalation Workflow c Ticket Notification Workflow d Custom Field Creation e Custom Ticket Reporting 5. Scripting for Advanced Deployment Offering - This service provides expert assistance in creating managed deployments using: a Custom Script Creation b Advanced Managed Installs c Advanced Inventory Tracking 6. Customer Report Offering - This service provides customized KBOX reports created as per your requirements: a Custom Inventory Reporting b Custom Asset Reporting c Custom Deployment Reporting d Any Custom Reporting 7. JumpStart Refresher - This service is designed for a new administrator taking over an existing KBOX configuration. It is a condensed version of our standard Jump Start and includes: a Review Existing KBOX Configuration Settings b Review Agent Deployment c Review Software Packaging and Deployment d Review Script Creation e Reviewing Patching

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xviii

To learn more about professional services, refer Professional Services and contact your Kace account manager.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

xix

C H A P T E R 1 Getting Started
This chapter guides you to install and set up the KBOX 1000 Series System Management appliance to work in your environment.
“Introduction,” on page 2 “Setting Up the KBOX Server,” on page 4 “Setting Up KBOX Agent,” on page 14 “Alternative Options to Deploy KBOX Agents,” on page 15 “Key Configuration Settings,” on page 16 “Configuring General Settings for the Server,” on page 16 “Configuring Network Settings for the Server,” on page 19 “Configuring Security Settings for the Server,” on page 21 “Configuring AMP Settings for the Server,” on page 24 “Configuring Date & Time Settings of the KBOX Server,” on page 26

1

Introduction
This section provides an introduction to your KBOX 1000 Series Systems Management Appliance and an overview of the total system management workflow. This section also lists the basic administrative procedures and the best practices for system management.

KBOX Appliance Components
The KBOX Appliance consists of the following components: 1. Server Console—It is used by the KBOX administrator only to change the network settings. At the login prompt enter: Login ID: konfig Password: konfig Using UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS settings to match your network 2. KBOX Agent—It is the KBOX 1000 Series technology that sits on each desktop that the KBOX 1000 Series manages. It includes an application component that manages downloads, installations, and desktop inventory. The KBOX Agent also includes the KBOX Agent Management Service that initiates scheduled tasks such as inventory or software updates.

Hardware Specifications
The KBOX 1000 Series Systems Management Appliance includes high-performance server with the following hardware configuration: Hardware CPU in Gigahertz (GHz) Memory in Gigabyte (GB) Ethernet Ports Redundant Disk Array Hard Drives KBOX 1100 2 Xeon Quad Core (2 GHz) 2 GB Dual Gigabit Ethernet Ports RAID 1 configuration 3 X 250 GB SATA 7.2K RPM hot-swappable KBOX 1200 2 Xeon Quad Core (2 GHz) 4 GB Dual Gigabit Ethernet Ports RAID 5 configuration 3 X 147 GB SAS 15K RPM & 500 GB SATA 7.2K RPM hot-swappable

Table 1-1: Hardware Specifications

User Interfaces
The KBOX 1000 Series solution is comprised of the following primary user interfaces accessed by the system administrators: System Console—It is designed primarily to enforce the policies across the organizations. It is accessible by browsing to http://kbox/system. Administrator Console—It is a web-based interface to access and direct the functionality and capabilities within your organizations. It is accessible by browsing to http://kbox/admin. The administrator console supports five primary modules:

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

2

Inventory Management Software Distribution User Portal Reporting Settings In addition it can also include the following additional components: Asset Scripting Security Help Desk Virtual Kontainers User Portal—It is used to make software titles available to users on a self-service basis. The end-user portal is not intended to replace traditional push software distribution (as is handled by the Administrator Console and the KBOX Agent). However, the User Portal provides a repository for software titles that are not required by all users. If you have installed the optional Help Desk module, the User Portal also provides a way for users to submit and track help desk tickets. It is also designed to help users in routine tasks like software installation, and getting help through Knowledge base. It is accessible by browsing to http://kbox/. For more information on sales, purchase and evaluate how KACE can save you time and money, contact the KACE sales team at sales@kace.com or via phone at 1-888-522-3638.

Organizational Components
The KBOX 1000 Series supports a flexible data model for managing computers, software, users, and license keys: LDAP Support—The KBOX 1000 Series enables you to automatically discover information via the KBOX Agent or to interface with Active Directory or LDAP organizational units. Filters—The KBOX 1000 Series provides filters that enable you to apply labels to users and computers by saving searches on inventory data or LDAP servers. They work much like Search Folders in Outlook, or Smart Folders in Mac OS X. Labels—The KBOX 1000 Series offer advanced labeling capabilities that put ad-hoc organizational capabilities in the hands of the software administrator. You can apply labels either dynamically or manually. For more information on how to manually apply labels, Refer to Chapter 3,“Adding Computers to Inventory,” starting on page 65. Dynamic labelling is also referred as "Filters" on either LDAP data sources or computer inventory. For more information on how to dynamically apply labels, Refer to Chapter 3,“Creating Search Filters for Computer Inventory,” starting on page 56.

Software Deployment Components
This section describes the packages that can be deployed by the KBOX Server on the agents. The KBOX supports several types of distribution packages, and this section lists the components used for deployment of packages: Managed Installations—That can be configured by the administrator to run silently or in the forefront of the user’s desktop view. Within a “Managed Installation Definition” the administrator can

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

3

define install, uninstall, or command-line parameters. See “Managed Installations,” on page 106 for detailed information on Managed Installations. File Synchronization—It is another way to distribute content to computers with the KBOX agent software. Unlike Managed Installations, File Synchronization is used to distribute files that need to be placed on a users’ machine without running an installer. See “File Synchronizations,” on page 124 for detailed information on File Synchronization. User Portal Packages—They are earmarked by administrators for user self-service. Many KACE customers use the portal for handling occasional user applications, print drivers, and so on. You also can use the User Portal to resolve Help Desk issues by allowing users to download and install fixes. See “Overview of the User Portal,” on page 194 for detailed information on User Portal Packages. KBOX Agent—It is a special tab to manage the KBOX Agent. See the Chapter 2,“Agent Provisioning,” starting on page 28 for details on how to configure and carry out these tasks. MSI Installer Wizard—It creates a policy and helps you set the basic command line arguments for running msi based installers. The wizard generates a script used for deploying the software. See the “MSI Installer Wizard,” on page 160 for more details. The package types are mostly setup.msi or setup.exe files. The sections that follow describe how to configure the KBOX to meet the needs of your organization.

Setting Up the KBOX Server
While setting up your new KBOX server, perform the following steps: 1. Unpacking the Appliance Make sure that the box in which the appliance was shipped is unpacked and is undamaged. The box should include a set of inner and outer rail assemblies and the mounting screws that are needed to install the system into the rack. 2. Updating DNS The KBOX requires its own unique static IP address. By default its hostname is "kbox". Whatever name used should be specified in the appropriate “A” record created in the customer's internal Domain Name System (DNS) servers. An “MX” record containing the hostname defined by the “A” record is required so that the users can e-mail tickets to the help desk. A Split DNS is required if the KBOX is connected to the Internet via a reverse proxy or by being placed in the DMZ (demilitarized zone or Screened Subnet). The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN). 3. Server Setup Location Determine the placement of the appliance in the rack before you install the rails. The appliance should be situated in a clean, dust-free, and well ventilated area. Avoid areas where heat, electrical noise, and electromagnetic fields are generated. Place the appliance near a grounded power outlet. Use a regulated Uninterruptible Power Supply (UPS) to protect the server from power surges or voltage spikes, and to keep your system operational in power failures. Leave approximately 30 inches of clearance in the back of the rack for sufficient airflow and easy access for maintenance.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

4

4. Server Network Configuration Attach a power cord, keyboard, and monitor, but do not connect a network cable at this time. Turn on the KBOX. The KBOX may require 5 to 10 minutes when you boot it for the first time. At the login prompt enter: Login ID: konfig Password: konfig Using UP and DOWN arrows, modify the static IP address, subnet mask, default gateway, and DNS settings to match your network. Field Suggested Value Factory Settings

KBOX Server It is recommended that you add a static IP entry for “kbox” to kbox (DNS) Hostname your DNS, and use the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your Web Server kbox network is the value of Hostname concatenated with Domain Name (for example, kbox.kace.com). Clients will connect to KBOX using the Web Server Name, which can be the hostname, fullyqualified domain name, or IP address (for example, kbox). Static IP Address Enter the IP address of the KBOX Server. Domain Subnet mask Default gateway Primary DNS Enter the domain that the KBOX is situated on. Enter your subnet mask. Enter the network gateway for the KBOX Server. Enter the IP address of the primary DNS server the KBOX should use to resolve hostnames. 192.168.2.100 corp.kace.com 255.255.255.0 192.168.2.1 192.168.2.209

Table 1-2: Server Network Configuration Settings 5. Click Apply after entering all values. The KBOX reboots after the reconfiguration is completed. While the KBOX reboots, plug the Ethernet cable into the port closest to the KBOX power supply, and connect it to a router or hub on your network. Check if the KBOX is online by browsing to http://kbox/ admin on any other computer. If this URL does not open the KBOX, try using the http://defaultip/ admin, where the default IP is the static IP address assigned by you to the KBOX. The EULA (End User License Agreement) page appears when the KBOX UI is opened for the first time after a fresh installation. Read the terms and conditions carefully, and accept the license agreement. After you accept the EULA (End User License Agreement), log into the KBOX Server with the following details: The Login ID is: admin The Password is: admin If you can access the KBOX Management Center successfully, it indicates that the KBOX network settings are entered correctly. It is recommended that you change the password after your first login. For more information on how to change the password, Refer to Chapter 11,“Managing Users,” starting on page 199.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

5

You can restore the factory setting of the KBOX 1000 Series. For more information on how to restore KBOX settings, Refer to Chapter 16,“Restoring the KBOX Settings,” starting on page 296.

The KBOX Modules
Depending upon the license you purchase, following are the list of modules and tabs available on the KBOX:

Figure 1-3: The KBOX Modules The modules are illustrated above and the tabs are as follows: Admin Console: 1. Home Summary Search 2. Inventory Computers Software Processes Startup Service IP Scan MIA Label 3. Virtual Kontainers (KBOX Virtual Kontainers module license) Management Deployment Creation 4. Asset (KBOX Asset Management module license) Assets Asset Types Asset Import Metering 5. Distribution Managed Installations File Synchronization

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

6

Wake-On-Lan Replication iphone (KBOX Mobile Management module license) 6. Scripting (KBOX Policy & Scripting module license) Scripts Run Now Run Now Status Search Logs Configuration Policy Security Policy 7. Security (KBOX Security Enforcement and Audit module license) Patching Oval 8. Help Desk (KBOX Help Desk module license) Tickets Software Library Knowledge Base Users Roles Configuration 9. Reporting Reports Schedule Reports Alerts Email Alerts Filter LDAP Filter Scan Filters LDAP Browser 10. Settings Control Panel KBOX Agent Support

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

7

User Portal: 1. Welcome 2. Software Library 3. My Computer 4. License Keys 5. Help Desk (KBOX Help Desk module license) 6. Knowledge Base 7. Download Log System Console: 1. Home Summary 2. KBOX Settings Control Panel Logs Server Maintenance Support 3. Reports Reports Schedule Reports 4. Organizations Organizations Roles Filters Computers

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

8

Home Module
The Home module displays the KBOX Summary and displays the results of Global Search field.

The KBOX Summary
The KBOX Summary page provides information about the configuration and operation of your KBOX. When you log on to the KBOX Administrator Console, the Home module displaying the Summary tab appears by default. To view KBOX Summary: 1. Select Home | Summary. The KBOX Summary page appears. 2. The sections that follow provide a description of the summary information that is displayed. 3. Click Refresh to refresh the information displayed.

Client Check-In Rate
Displays the total number of clients that have checked into the server in an hour.

The counter automatically adjusts if the number increases beyond 100.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

9

Distributions
Displays the number of managed installations, scripts, and file synchronizations that are enabled. This also displays the number of alerts that you have configured.

The counter automatically adjusts if the number goes beyond 30.

Software Threat Level
Displays the various threat levels for softwares installed on various machines.

The number of machines displayed on the Y axis automatically adjust if the number of machines found on a particular threat level increase beyond 12.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

10

License Compliance
Displays the number of machines that use a particular licensed software. For example, the following figure displays a licensed software Adobe flash player 9, which can be installed on 1000 machines. In this example, this software is used by 12 machines.

Clients Connected
Displays the percentage of clients connected to the server.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

11

Managed Operating Systems
Displays various operating systems present in the inventory in percentage as a pie chart.

Tasks in Progress
Displays the total number of tasks in progress on server.

To view KBOX Summary details: 1. Select Home | Summary. The KBOX Summary page appears. 2. Scroll down, and then click View Details. The KBOX Summary Details page appears. The sections below provide a description of the summary details. This summary is for a particular organization only. As this page is refreshed, the record count information is refreshed. The new KBOX installations contain mostly zero or no record counts.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

12

KBOX Version
Provides information of the KBOX version that you are currently running. For example, the KBOX Server build at your end is 4.3.16712. KACE comes up with a new patch for the server build 4.3.16712. The patch name is 4.3.16800 and it is pushed to the corporate server. Login to KBOX System Console. On the KBOX Settings | Server Maintenance page, click the Check for upgrade button. The latest build is available in the Upgrade KBOX field on the KBOX Server Maintenance page. Click Upgrade now to upgrade your KBOX Server to the build 4.3.16800 build. The An upgrade to 4.3.16800 is now available link also appears in the Home | Summary page.

Computer Statistics
Provides a summary of the computers on your network, including a breakdown of the operating systems in use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX license key, you are notified of it here.

Software Statistics
Provides a summary of the software in KBOX Inventory. The summary the number of software titles that have been uploaded to the KBOX.

Software Distribution Summary
Provides a summary of the packages that have been distributed to the computers on your network, separated out by distribution method. The summary also indicates the number of packages that are enabled and disabled.

Alert Summary
Provides a summary of the alerts that have been distributed to the computers on your network, separated by message type. This also indicates the number of alerts that are active and expired. The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.

Patch Bulletin Information
Provides a summary of the patches received from Microsoft. The summary includes the date and time of the last patch (successful and attempted), total patches, and total packages downloaded.

OVAL Information
Provides a summary of the OVAL definitions received and the number of vulnerabilities detected on your network. The summary includes the date and time of the last OVAL download (successful and attempted) and the number of OVAL tests in the KBOX, in addition to the numbers of computers that have been scanned.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

13

Network Scan Summary
Provides a summary of the results of Network Scans run on the network. The summary includes the number of IP addresses scanned, the number of services discovered, the number of devices discovered, as well as the number of detected devices that are SNMP-enabled.

Global Search
The Search tab in Home module displays the search results of the text typed in Global Search. You can refine the results by entering a keyword and selecting an criteria from All Items drop-down list to search in. Click the links displayed to go to the appropriate topic.

Setting Up KBOX Agent
Install the KBOX Agent on the required workstation and servers in your network. This section helps you install the KBOX Agent. To enable Agent Provisioning functionality: 1. Go to http://kbox/admin in your web browser to open the KBOX Management Center webpage. 2. Click Settings | Control Panel. 3. Click General Settings. The KBOX Settings: General page appears. 4. Modify the Samba Share Settings. For more information on how to modify samba share settings, Refer to “Configuring General Settings for the Server,” on page 16. To set up a Provisioning Configuration for a Windows PC: 1. Go to http://kbox/admin in your web browser to open the KBOX Management Center webpage. 2. Click Settings | KBOX Agent. 3. Click Provisioned Configurations. The Provisioned Configurations page appears. 4. Select Create New Configuration from the Choose action drop-down list. The Provisioning Setup page appears. For detailed information on all of the available options and instructions, Refer to Chapter 2,“Agent Provisioning,” starting on page 28. 5. Under Windows Platform Provisioning Settings, select the Provision this platform check box. 6. Enter appropriate values in the relevant fields. 7. Click Save to save the new configuration. To set up a Provisioning Configuration for a Linux, Macintosh®, or Solaris PC: 1. Go to http://kbox/admin in your web browser to open the KBOX Management Center webpage. 2. Click Settings | KBOX Agent. 3. Click Provisioned Configurations. The Provisioned Configurations page appears. 4. Select Create New Configuration from the Choose action drop-down list. The Provisioning Setup page appears. Refer to Chapter 2,“Agent Provisioning,” starting on page 28 for details on all the available options and instructions.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

14

5. Under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings, select the Provision this platform check box. 6. For detailed information on all of the available options and instructions, Refer to Chapter 2,“Agent Provisioning,” starting on page 28. 7. Click Save to save the new configuration. The Provisioning Configuration name is displayed on the Configurations page. To provision your machine: 1. Select the check box next to your Provisioning Configuration, and then select Run Select Configuration(s) Now in the Choose action drop-down list. 2. The machine that you have selected to receive agent is displayed. Click the Refresh button at the bottom of the page, the status in DNS Lookup column is updated from (unknown) to In progress… After the installation is completed the status displays the IP address or hostname of the machine that you selected. To verify your agent has checked into the KBOX: 1. After the installation is completed, the new KBOX Agent instantly checks into KBOX Server and provides the inventory information about the machine and its software to the KBOX Server. 2. Click Inventory at the top of KBOX Management Center webpage to view the list of machines checked into the KBOX Server. The hostname of machines are listed in the order of the checking in time. You can also deploy multiple machines simultaneously by creating a configuration, identifying an IP range. For detailed information on different options and other platforms, Refer to Chapter 2,“Agent Provisioning,” starting on page 28.

Alternative Options to Deploy KBOX Agents
You can install clients using the installer files for all supported platforms on the KBOX at \\kbox\client\agent_provisioning\ Ensure that you have enabled the file share to access this folder.

You can use the following methods to install the KBOX Agent: E-mail: An e-mail notification can be sent to your users either containing either: Install file Link to the KBOX 1000 Series Other Web location to retrieve the required installation file Users can click on the link and install the appropriate file.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

15

Log-in Script: Some companies use login scripts that provide a great mechanism to deploy the KBOX Agent while you log onto a machine. If you use login scripts, simply post the appropriate file in an accessible directory and create a login script for the KBOX Agents to retrieve it. Given below is a sample Windows login script that checks for the presence of Microsoft’s .NET framework on the client machine, and installs the appropriate components in order to deploy the KBOX Agent: ---------------------------------------------------------------------------------------------------@echo off if not exist "%windir%\microsoft.net" goto neednet echo .NET already installed. goto end :neednet start /wait \\location\ dotnetfx.exe /q:a /c:"install /l /q" :end if not exist "C:\Program Files\KACE\KBOX" goto needkbox echo KBOX Agent already installed. goto end :needkbox MsiExec.exe /qn /l* kbmsi.log /I \\location\KInstallerSetupSilent.msi ALLUSERS=2 :end -----------------------------------------------------------------------------------------------

Key Configuration Settings
It is important to properly configure the server on the KBOX Agent before you begin inventorying and actively managing the software on your network. For details on agent connection settings, Refer to Chapter 2,“Agent Provisioning,” starting on page 28.

Configuring General Settings for the Server
This section covers the general server configuration settings you should modify before you use the KBOX. To configure General Settings for the Server: 1. Select Settings | Control Panel. 2. Click General Settings. The KBOX Settings: General page appears. If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values. 3. In the General Options area, specify the following settings: Organization Name Company-Institution Name User Email Suffix Enter the name of your organization. For example, KACE Headquarters. Enter the name of your company. This name appears in every pop-up window or alerts displayed to your users. For example, KACE. Enter the domain to which your users send e-mail. For example, kace.com.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

16

Administrator Email

Enter the e-mail address of the KBOX administrator. This address will receive system-related alerts, including any critical messages, and also the daily run output and security run output. For information on daily run output, Refer to Appendix F, “Understanding the Daily Run Output,” starting on page 354.

4. Click Set Options, to save your changes. 5. Specify the following Logo Override settings to use your custom logo. Click [Edit Mode] to edit the field values. User Portal (.jpg) Displayed at the top of the User Portal page. 224x50 pixels is the normal size. 104x50 pixels is shorter and doesn't clip the blue highlight around the 'Log Out' link 300x75 pixels is maximum size that does not impact the layout Report (.jpg) Displayed at the top of reports generated by the KBOX 1000 Series for this organization. Upload any .jpg file to display the customized logo for the reports of this Organization. If .jpg file is not uploaded, then the reports of this organization display the logo uploaded in System UI, under Custom Report Logo field in General Settings. The report image dimensions are 120x32 pixels, this is specified in the autogenerated XML layout. You can adjust the xml report if you need a different layout size. Displayed in the KBOX Agent. The client bmp image is scaled to 20x20 pixels only and cannot be customized to any other size. It is displayed on snooze pop-ups, install progress pop-ups, alerts, and message windows created by scripts

KBOXClient (.bmp)

The splash screen logo displayed at boot and login is currently not customizable.

6. Click Upload Logos. 7. The Machine Actions allow setting up of a scripted action that you can perform against individual machines in your environment. They are used to connect to machines remotely, so you can access or execute a specified task on the target machine directly from the KBOX 1000 Series user interface. You can configure two actions by selecting them from the Action Item drop-down list. The actions can execute two different tasks. The default Machine Action is mstsc.exe (Remote Desktop Connection). Under the Machine Actions section, associate the appropriate actions and then click Set Actions. For example: Select ping.exe -t KACE_HOST_IP from the Action #1 Click Set Actions. Select Inventory | Computers. drop-down. . Specify http://KACE_HOST_IP in command line field for Action #2

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

17

Click besides target machine IP to ping the machine and click besides target machine IP to launch a web browser. The KBOX substitutes the KACE_HOST_IP variable with the target machine IP address and open a new browser window with that URL. There are 16 pre-programmed actions available. The Machine Actions can also be programmed for other tasks. If the machine action does not include the string ".exe", then KBOX assumes it as a URL, and opens a new browser window for it. Since it does not require ActiveX, all types of internet browsers are supported. Most actions in the Action Icon drop-down list require you to install additional software for them to function. For example, using TightVNC requires you to install TightVNC on your machine as well as on the machine you want to access. Click Action #1 or Action #2 execute the Machine Action. next to the target machine on the Inventory | Computers tab to

8. In the Optional Ignore Client IP Settings section, enter IP addresses you would like ignored as the client IP and then click Save List. This might be appropriate in cases where multiple machines could report themselves with the same IP address, like a proxy address.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

18

Configuring Network Settings for the Server
You can verify or change the default network settings when you logged into the KBOX Server for the first time. Any changes made to the Network settings on this page forces the KBOX to reboot after saving. Total reboot downtime should be 1 to 2 minutes provided that the changes result in a valid configuration. To configure the KBOX Network Settings: 1. Select KBOX Settings | Control Panel. 2. Click Network Settings. The KBOX Network Settings page appears. If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values. 3. Specify the following network settings: KBOX Server (DNS) Hostname KBOX Web Server Name We recommend adding a static IP entry for “kbox” to your DNS, and using the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain. For example, kbox.kace.com. The clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address. For example, kbox. The IP address of the KBOX server. Note: Be extremely careful when changing this setting. If the IP address is entered incorrectly, Refer to the KBOX console and use the konfig login to correct it. The domain that the KBOX is on. The default value is corp.kace.com The domain that the KBOX is on. The default value is 255.255.255.0 Your default gateway. The primary DNS server the KBOX should use to resolve hostnames. The secondary DNS server the KBOX should use to resolve hostnames. This is an optional setting. Your network speed. The network speed setting should match the setting of your local LAN switch. When set to auto negotiate the system automatically determines the best value. This requires the switch to support auto-negotiate. Otherwise contact your network administrator for the exact setting to be used.

Static IP Address

Domain Subnet mask Default gateway Primary DNS Secondary DNS Network Speed

4. To set Network Server Options, perform the following steps: a Set the SMTP Server, enable e-mail notifications. To set SMTP Server, select the Use SMTP Server check box. b Enter the SMTP Server name in the SMTP Server box. The server named here must allow anonymous (non-authenticated) outbound mail transport.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

19

Ensure that network policies allow KBOX to contact the SMTP server directly. The mail server must be configured to allow relaying of mail from the KBOX without authentication. You can test the e-mail service by using Network utilities. For more information on how to use Network Utilities, Refer to “Support,” on page xiv. c Select the Use Proxy Server check box to set Proxy Server, and then specify the following proxy settings as required: Proxy Type Proxy Server Proxy Port Proxy (Basic) Auth Proxy Username Proxy Password The proxy type, either HTTP or SOCKS5 The name of the proxy server The port for the proxy server, the default port is 8080 Select this check box to use the local credentials for accessing the proxy server The user name for accessing the proxy server The password for accessing the proxy server

The KBOX supports a proxy server that requires realm-based authentication. The proxy server prompts you to enter the user name and password to authenticate the proxy settings as shown in the following figure.

If your proxy server uses any other kind of authentication you must add the IP address of the KBOX on the exception list of the proxy server.

5. Click Set Options to set the Network Server options.

List of Open Ports Required for KBOX Server
Ensure that the following ports are not blocked by your firewall. These ports are required to access KBOX server. Port Number 21 25 80 Use To access backup files through FTP If KBOX SMTP Server is to be used HTTP

Table 1-4: Open Ports List

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

20

Port Number 443 3306 8080 8443 52230 SSL To access KBOX database Connects directly to Tomcat Connects directly to Tomcat

Use

For KBOX Agent(s) to connect to the KBOX SERVER via AMP

Table 1-4: Open Ports List

Configuring Security Settings for the Server
Security Settings are not mandatory but are required to enable certain functionalities like Samba Share, SSL settings, SNMP, SSH, Offbox DB Access, and FTP access on the KBOX Server. To use any of the Security Settings features, you must enable them. For more information, see section “To configure Security Settings:,” on page 21. If you make any changes to the Security Settings, restart the KBOX for them to take effect.

To configure Security Settings: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears.. 2. Click Security Settings. The KBOX Security Settings page appears. 3. Click [Edit Mode] to edit the security settings fields. 4. In the General Security Settings area, specify the following security settings: SSH Enabled Enable backup via ftp Select this check box if you want to permit someone to login to the KBOX via SSH. Select this check box if you want to enable backup via ftp. The KBOX creates a backup of the database and the files stored on it, daily. By default, these files can be accessed by you via a read-only ftp server. If you do not need this feature and want to disable the FTP server, clear this check box.Refer to Chapter 16,“To access the backup files through ftp:,” starting on page 295. Select this check box if you want to prevent users from accessing the KBOX backup files without logging on to the KBOX. Note: Even if the Secure backup files check box is not selected, you can still access the KBOX backup files. You can do this by entering the full URL in the browser without logging on to KBOX.

Secure backup files

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

21

Enable SNMP monitoring

Select this check box if you want to allow SNMP monitoring. The SNMP is a network or appliance monitoring protocol that is supported by many third party products. If you do not want to expose the KBOX SNMP data, clear this check box. Select this check box if you want to allow the KBOX database access. The KBOX database is accessible via port 3306, to allow you to run reports via an off board tool like Access or Excel. If you do not want to expose the database in this way, clear this check box.

Enable database access

5. In the Samba Share Settings area, specify the following settings: Enable Organization File Shares Select this check box if you want to allow each organization to leverage the KBOX's client share as an install location for the client. The KBOX has a built-in windows file server that can be used by the provisioning service to assist in distributing the KBOX Client on your network. KACE recommends that this file server only be enabled when performing client software installs. Select this check box if you want to allow NTLMv2 authentication for the KBOX files shares. When you enable this option, the clients connecting to the KBOX File Shares require support for NTLMv2 and have to authenticate to the KBOX using NTLMv2. Enabling this option disables "lanman auth" and "ntlm auth" on the samba server. Note: NTLMv2 is more secure than NTLM and LANMAN, but nonNTLMv2 configurations are more common, and this option is usually turned off. Certain functions on the KBOX are supported via samba client functions (e.g. Agent Provisioning). Select this check box if you want to force these functions to authenticate to off-board network file shares using NTLMv2. Enabling this option enables the "client ntlmv2 auth" option on samba client functions. Note: NTLMv2 is more secure than NTLM and LANMAN, but nonNTLMv2 configurations are more common, and this option is usually turned off.

Require NTLMv2 on KBOX File Shares

Require NTLMv2 on KBOX Samba Client Usage

6. In the Optional SSL Settings area, specify the following settings, if required: Enable port 80 access When you activate SSL, port 80 continues to be active, unless Enable port 80 access check box is unchecked. By default, the standard KBOX Agent installers attempt to contact the KBOX via port 80, and then switch to SSL over port 443, after getting the server configuration. If you disable port 80, you need to contact KACE Support to adjust the agent deployment scripts to handle SSL. For ease of agent deployment, leave port 80 active.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

22

SSL Enabled on port 443

Select this check box if you want to allow the clients check in to the KBOX server using https. Refer to “SSL Certificate Wizard,” on page 23. If you have your own SSL certificate and SSL private key, click [Edit Mode] to edit the field values. In the Set SSL Private Key File field, browse to the SSL Private Key file and browse to the signed SSL Certificate, in the Set SSL Certificate File field. Note: Once you switch over to SSL, this is a one-way automatic shift for the clients. The clients need to be reconfigured manually, if you later decide not to use SSL.

7. Click Set Security Options, to save the changes and reboot the KBOX. 8. In the Download New Patch Definitions area, click [Edit Mode] to edit the fields and specify as follows: Disable download of new patches Download Every day/specific day at HH:MM AM/PM Download on the nth of every month/specific month at HH:MM AM/PM Select to disable download of new patches. Select to download the patches on specified day at the specified time. Select to download the patches on the specified time on the 1st, 2nd or any other date of every month or only the selected month.

9. In the Stop Download Of Patch Definitions area, click [Edit Mode] to edit the field values and specify the following: Allow download of patch definitions to complete Stop patch download process by at HH:MM AM/PM Select to allow download of the patch definitions to complete. Select to stop the download the patches at the specified time.

10. Click Set Patching Options, to save the changes and reboot the KBOX.

SSL Certificate Wizard
A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX 1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct SSL Private Key File and SSL Certificate File. The files must be in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based Web servers and not in the PCKS-12 format used by some Web servers. It is possible to convert a PCKS-12 certificate into a PEM format using software like the OpenSSL toolkit. Contact KACE Technical Support if you wish to enable SSL on your KBOX. To enable SSL, you need the correct SSL Private Key file and a signed SSL Certificate. If your private key has a password it will prevent the KBOX from restarting automatically. Contact KACE support if you have this issue.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

23

To generate a SSL certificate using the wizard: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click Security Settings. The KBOX Security Settings page appears. 3. Click SSL Certificate Wizard. The KBOX Advanced SSL Settings page appears. 4. Click [Edit Mode] to edit the fields and specify the following: Country Name State or Province Name Locality Name Organization Name Organization Unit Name Common Name e-mail Enter the name of your country. Enter the name of your State or Province. Enter your locality name. Enter the name of your organization. Enter the name of unit your organization belongs to. Enter a common name of the KBOX you are creating the SSL certificate for. Enter your e-mail address.

5. Click Set CSR Options. Your Certificate Signing Request is displayed in the field below the Set CSR Options button. You need to copy the text between the lines “-----BEGIN CERTIFICATE REQUEST----and -----END CERTIFICATE REQUEST-----” along with these lines, and then send it to the person who provides your company with web server certificates. 6. Your Private Key is displayed under Private Key field. It will be deployed to the KBOX when you upload a valid certificate and subsequently click Deploy. Do not send the private key to anyone. It is displayed here in case you want to deploy this certificate to another web server. Click Create Self Signed Certificate and for Deploy to be displayed. 7. Click Create Self Signed Certificate. The SSL certificate is generated. This certificate will not be accepted by any of the KBOX clients until it is added into the trusted certificate database on every machine running the KBOX client. 8. Click Deploy to deploy the certificates and turn on SSL on the KBOX. Click OK to reboot the KBOX.

Configuring AMP Settings for the Server
Agent Messaging Protocol (AMP) is the KBOX Communications Protocol used by the KBOX Server with its respective KBOX Agents. KACE's AMP includes server, client, and communications components to perform optimized real-time communications for control of systems management operations. AMP provides: Persistent connection between the KBOX Server Server driven inventory updates Higher scalability in terms of number of nodes supported on one KBOX 1000 Server

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

24

Better scheduling control and reliability These settings are specific to the AMP infrastructure and do not affect other KBOX configuration settings or runtime operations. These settings control both the runtime state of the AMP server and also the operational state of the KBOX Agent. Changing these settings temporarily interrupts communications between the KBOX Appliance and the KBOX Agents. Exercise caution when changing these settings and contact KACE Technical Support for any questions regarding these parameters. To configure AMP Settings: 1. Select KBOX Settings | Control Panel. 2. Click Agent Messaging Protocol Settings. The Agent Messaging Protocol Settings page appears. 3. Specify the AMP General Settings: Server Port Enter the Server Port. The AMP Server on the KBOX SERVER will listen on port 52230 by default. In order for the KBOX AGENT(s) to connect to the KBOX SERVER via AMP, you must have the AMP Protocol Port 52230 open and available OUTBOUND. (i.e. the KBOX AGENT must be able to connect through this port number OUTBOUND without restriction from any OUTBOUND filter/firewall.) Example of an OUTBOUND restriction: “Windows XP Firewall blocking outbound port 52230”. Allow outbound Protocol Port 52230. This can be configured in your Filter/Firewall Software or Hardware as an allowed OUTBOUND Exception. In order for the KBOX SERVER to accept connections via AMP it must have the AMP Protocol Port 52230 open and available INBOUND to the KBOX IP ADDRESS. (i.e. the KBOX SERVER must be able to accept connections through this port number INBOUND without restriction from an INBOUND filter/firewall.) Example of an INBOUND restriction: “A NAT Firewall such as Cisco or SonicWall blocking INBOUND port 52230 to the KBOX IP ADDRESS.” Allow inbound Protocol Port 52230 to the KBOX SERVER. This can be allowed through a One-to-One Inbound NAT Policy. Note: If you change the default AMP Port of 52230 you must update the ALLOWED OUTBOUND/INBOUND port on your filter/firewall. Enable Server Debug Select this check box to enable different levels of "server" debug/logging to the server's log file.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

25

Enable SSL for AMP

Select this check box to enable SSL for AMP. The activation of SSL is for AMP Only. The check box must be selected to activate SSL over AMP even though the General KBOX settings may have SSL enabled already. This allows the separate configuration of AMP traffic to be un-encrypted even though all other KBOX communication is SSL encrypted. Note: Select this check box only if SSL is already enabled on the KBOX and you want the client to server AMP traffic to be encrypted.

4. Click Save and Restart to the save the settings and restart the AMP Server. 5. You can click Restart to restart the AMP server without saving the settings. Restarting the AMP Server does not restart the KBOX.

Configuring Date & Time Settings of the KBOX Server
Ensure that the date and time of the KBOX Server is accurate as most time calculations are made on the server. When you update the time zone, the KBOX Server restarts and reflects the date and time settings. Active connections may be dropped during the restart of the KBOX Server. After saving the changes, the KBOX Date & Time Settings page will automatically refresh after 15 seconds. To configure Date & Time Settings: 1. Select KBOX Settings | Control Panel. 2. Click Date & Time Settings. The KBOX Date & Time Settings page appears. 3. Click [Edit Mode] link to edit the field values. 4. Specify the following information: Last Updated Current Time Time Zone Automatically synchronize with an Internet time server The date and time when the settings were last updated. It is a read-only field. The current date and time. It is a read-only field. Select the appropriate time zone from the drop-down list. Select this check box to automatically synchronize the KBOX time with an Internet Time Server. Enter the time server in the text box. For example, time.kace.com

Set the clock on Select this check box to manually set the KBOX clock. the KBOX manually Select the appropriate time and date from the drop-down lists. 5. Click Set Options to set the date and time settings.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

26

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

27

C H A P T E R 2 Agent Provisioning
The Agent Provisioning feature enables you to directly install the KBOX Agent onto machines in your environment. This chapter contains the following sections:
“Overview of Agent Provisioning,” on page 29 “Single Machine Provisioning,” on page 30 “Advanced Provisioning,” on page 31 “Provisioned Configurations,” on page 40 “Provisioning Results,” on page 42 “KBOX Agent Tasks,” on page 43 “KBOX Agent Settings,” on page 44 “KBOX Agent Update,” on page 47 “AMP Message Queue,” on page 51

28

Overview of Agent Provisioning
KBOX Agent Provisioning helps you to easily deploy the KBOX Agent software on your network. You can deploy the agent on multiple machines simultaneously by creating a configuration that identifies a range of IPs to target. The procedure for Agent Provisioning varies for Windows and non-Windows operating systems. A provisioning configuration identifies one or more IP addresses for the first time deployment or removal of the KBOX Agent. The target IP address is tested for the existence of an agent and if the agent is not detected, then it will remotely install the agent directly from the KBOX. The provisioning installers are located on the KBOX in the following network share: \\KBOX\client\agent_provisioning Here "KBOX" represents the hostname of your KBOX. The provisioning files are located in their respective "platform" subdirectories (for example, Windows files located in the "windows_platform" directory). IMPORTANT: To activate the provisioning functionality you must enable KBOX's file share via the Network Settings Page. For Windows platform installations, the following configuration settings are required: Turn off 'Simple File Sharing'. KBOX Provisioning requires standard file sharing with its associated security model. Having "Simple File Sharing" enabled could cause a "LOGON FAILURE" as simple file sharing does not support administrative file shares and associated access security. If Windows Firewall is turned ON, "File and Print Sharing" must be enabled in the Exceptions list of the Firewall Configuration. Microsoft Windows KBOX agents of version 3.0 or later will work with .NET Framework 2.0.

By default the KBOX will verify the availability of ports 139 and 445 on each target machine before attempting to execute any remote installation procedures.

System Requirements for the KBOX Agent
System requirements to install the KBOX Agent are: Windows: Vista (32-bit and 64-bit) Windows 2003 (32-bit and 64-bit) Windows XP (32-bit and 64-bit) Windows 2000 (32-bit) Microsoft Windows Server 2008 (32-bit and 64-bit) All Windows platforms require Microsoft Internet Explorer 5.01 or greater and Microsoft .NET Framework 1.1/2.0, 90 MHz or faster processor, and 128 MB RAM & 10MB free disk space (minimum).

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

29

Linux: Red Hat Enterprise Linux (RHEL) 3, 4, and 5 (32-bit) Macintosh®: Mac OS X 10.3 PowerPC Mac OS X 10.4 Intel and PowerPC Mac OS X 10.5 Intel and PowerPC Solaris: The KBOX Agent 4.3 does not support Solaris. The last client build supported is 4.1.15780. Upgrades supported: Supports upgrading from KBOX Client 3.3, 4.0, 4.1, 4.2 GA builds to 4.3 For information on manual deployment of KBOX Agent on Linux, Solaris and Macintosh® platforms, Refer to Appendix D, “Manual Deployment of the KBOX Agent, ” starting on page 342.

Single Machine Provisioning
Single Machine Provisioning provides an easy way to deploy the KBOX Agent Technologies for the first time. The Single Machine Provisioning assumes some default values for settings such as TCP ports, Time outs, KBOX Server name, and so on. To deploy KBOX Agent Technologies on a single machine: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Single Machine Provisioning. The Single Machine Provisioning page appears. 3. Enter the following details: Target IP Action Platform KBOX Agent Version Domain (or Workgroup) Enter the IP address of the target machine. Click Install Agent to install the Agent or click Remove Agent to remove the Agent. Click the appropriate platform option. This field displays the KBOX Agent Version number. This is a read-only field. Enter the domain or workgroup name associated with the credentials you enter below. Note: This field is available only if the platform selected is Windows. Enter the password for the account listed above.

User Name (admin level) Enter a user name with the privileges to install the KBOX Agent. Password

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

30

4. Click Run Now, the system saves the configuration with a default name as Simple configuration IP Address and then runs the configuration against the targeted IP. You will be redirected to the Provisioned Configurations page where the newly created configuration is displayed.

Advanced Provisioning
You can choose between Auto Provisioning, Manual Provisioning by IP, or Manual Provisioning by Hostnames for provisioning. Auto Provisioning allows you to provide target IP Range for Provisioning. Manual Provisioning by IP allows you to specify IP addresses manually and also pick up machines from IP Scan and Inventory. Manual Provisioning by Hostnames allows you to enter hostnames manually. To add a new item using Auto Provisioning: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Advanced Provisioning. The Advanced Provisioning page appears. 3. Select the Auto Provisioning option under the General Settings section. 4. Enter the following general settings details: Config Friendly Name Enter a name for your agent provisioning configuration. Use a specific configuration name, to differentiate between two configurations.

Provisioning IP Range Enter IP or IP range. Use hyphens to specify individual IP class ranges. For example: 192 168 2-5 1-200. Configuration Enabled Select the check box to enable the configuration and run scheduled configurations. KBOX Server Name This field, by default, displays the name of the KBOX Server. Update this field if you have multiple KBOX servers. Enter the name of the server where you wish to install the agent from. The share folder name in KBOX, where the KBOX Agents are located. Select the check box to enable DNS lookup. By default, the field displays KBOX’s primary DNS Server mentioned under Network Settings. You can change the default DNS Server to the required one and also specify the hostname or IP address. Enter the time period in seconds, after which a DNS lookup will time out.

KBOX Client Share Name DNS Lookup Enabled Name Server for Lookup Lookup Time Out

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

31

5. Enter the following details under Windows Platform Provisioning Settings section, if the target machine(s) operate on the Windows platform: Provision this platform KBOX Agent Version Agent Identification Port Select the check box to enable provisioning on Windows platform. This field displays the KBOX Agent Version number. This is a read-only field. The agent identification port is the default port currently in use by the agents and indicates that you should not install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here.

Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are the ports KBOX uses to access the target machine for installation of the KBOX Agent. Port Scan Time Out Bypass Port checks Enable Debug Info Install .NET 1.1 on x64 Systems Remove KBOX Agent Enter time period in seconds, during which KBOX scans the port for response. Select the check box to avoid port checks while KBOX installs the agent. Select the check box to view debug information in the machine’s provisioning results. Select the check box to install .NET 1.1 on a 64-bit system prior to KBOX agent installation. The KBOX Agent setup fails, if .NET 1.1 is not available on the 64-bit system. Select the check box to reverse the logic of the provisioning configuration. Hence, you are using provisioning configuration, to remove the KBOX agent from machines rather than installing it. This overrides any current provisioning activity. Select the check box to remove the Config.xml file while removing the Agent. The Config.xml file contains the KBOX name and other server configurations that the target machine checks into. For example: If you are using multiple KBOX servers and you remove a KBOX Agent ‘A1’ that was checking into the KBOX server ‘A1’, you do not remove the Config.xml file. You then reinstall the KBOX Agent ‘B1’, which was checking into the KBOX server ‘B1’. This new agent continues to check into the KBOX server ‘A1’ as you have not removed the Config.xml file. Thus it is advisable to remove the Config.xml file. Note: If you want to save your configurations for future use do not remove the Config.xml file.

Remove Config.xml file

6. Enter the following details under Windows Network Administrative Credentials section, if the target machine(s) operate on the Windows platform: Domain (or Workgroup) Enter the domain or workgroup name associated with the login credentials you enter below.

User Name (admin level) Enter a user name with the necessary privileges to install the agent on the targeted machines.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

32

Password

Enter the password for the account listed above.

7. Enter the following details under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings section, if the target machine(s) operate on the Linux, Macintosh®, or Solaris platform: Provision this platform Select the check box to enable provisioning on Linux, Macintosh®, or Solaris platform.

Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are the ports KBOX uses to access the target machine for installation of the KBOX Agent. Port Scan Time Out Bypass Port Checks Remove KBOX Agent Enter a time period in seconds. Port scan time out indicates the time for which the KBOX will scan the port for response. Select the check box to avoid port checks. This indicates that the KBOX tries the installation, without checking ports. Select the check box to reverse the logic of the provisioning configuration. Hence, you are using provisioning configuration, to remove the KBOX agent from machines rather than installing it. This overrides any current provisioning activity. The kace folder has two sub folders, SMMP and kagentd. The SMMP folder has 4 files; SMMP.conf, agent.log, pid, and pluginRunProcess.log. The kagentd folder has 3 files; KBOX_LOG.txt, kbot_config.yaml, and kuid.txt. Select the check box to remove the complete ‘kace’ folder. If the check box is not selected /var/kace/kagentd/kuid.txt file is left behind.

Remove /var/kace/ files

8. Enter the following details under Network Root Credentials section, if the target machine(s) operate on the Linux or Macintosh® platform: User Name Under Network Root Credentials for the appropriate platform, enter a user name that has the necessary privileges to install the agent on the targeted machines. Enter the password for the account listed above. This is a read-only field that displays the KBOX Agent version number.

Password KBOX Agent Version

9. Select the appropriate check box under the Scheduling area, and schedule to run the configuration: Don’t Run on a Schedule Run Every n minutes/hours Run Every day/specific day at HH:MM AM/PM Run on the nth of every month/ specific month at HH:MM AM/PM Select when you do not want to run the provisioning configuration on a schedule. Select to run the provisioning configuration at the specified time. Select to run the provisioning configuration on specified day at the specified time. Select to run the provisioning configuration on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

By choosing a regular schedule, the KBOX periodically checks machines in the specified IP range to make sure that they have the KBOX Agent, and install/reinstall/uninstall as required.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

33

10. Click Save to save the provisioned configuration. The Provisioned Configurations page appears. The provisioned configuration you just created, appears in the list of configurations. 11. Click the saved provisioned configuration. The Advanced Provisioning page appears. 12. You can edit this provisioned configuration. Click Run Now to save the changes and instantly run the current configuration against the defined IP range. To cancel the configuration, click Cancel. You can also deploy the KBOX agent manually. For more information on the manual deployment of the KBOX agent on Linux, Solaris, and Macintosh®, see Appendix D, “Manual Deployment of the KBOX Agent, ” starting on page 342. To add a new item using Manual Provisioning by IP: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Advanced Provisioning. The Advanced Provisioning page appears. 3. Select the Manual Provisioning by IP option under the General Settings section. 4. Enter the General Settings details as shown in the following table.: Config Friendly Name Target IPs Enter a name for your agent provisioning configuration. Use a specific configuration name, to differentiate between two configurations. Enter the IP address of the target machine or click Help me pick machines. Note: Multiple IP addresses should be comma-separated. Click Help me pick machines to enable following: Provisioning IP Enter IP or IP range. Use hyphens to specify individual IP Range class ranges. For example: 192 168 2-5 1-200. Click Add All to add all the IP addresses displayed in the list. IP Scan Computer Select a machine from the IP Scan Computers drop-down list, to add to the Target IPs list. This list is populated from the Network Scan Results. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list. Select a machine from Inventory Computers drop-down list, to add to the Target IPs list. This list contains all the computers in the inventory. You can filter the list by entering any filter options. Click Add All to add all machines displayed in the list.

Inventory Computers

Configuration Enabled KBOX Server Name KBOX Client Share Name

Select the check box to enable the configuration. Note: Scheduled configurations will run only if this check box is selected. This field, by default, displays the name of the KBOX Server. Update this field if you have multiple KBOX servers. Enter the name of the server where you wish to install the agent from. The share folder name on the KBOX, where the KBOX Agents are located.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

34

DNS Lookup Enabled Name Server for Lookup Lookup Time Out

Select the check box to enable DNS lookup. By default, the field displays KBOX’s primary DNS Server mentioned under Network Settings. You can change the default DNS Server to the required one and also specify the hostname or IP address. Enter the time period in seconds, after this period has lapsed the DNS lookup will automatically time out.

5. Enter the following details under Windows Platform Provisioning Settings section, if the target machine(s) operate on the Windows platform: Provision this platform KBOX Agent Version Select the check box to enable provisioning on Windows platform. This field displays the KBOX Agent version number.

Agent Identification Port The agent identification port is a port that installed agents would already have open and in use, indicating that you should not install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here. Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are the ports KBOX uses to access the target machine for installation of the KBOX Agent. Port Scan Time Out Bypass Port checks Enable Debug Info Install .NET 1.1 on x64 Systems Remove KBOX Agent Enter a time period in seconds. Port scan time out indicates the time for which the KBOX will scan the port for response. Select the check box to avoid port checks. This indicates that the KBOX tries the installation, without checking ports. Select the check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results. Select the check box to install .NET 1.1 on a 64-bit system prior to KBOX agent installation. The KBOX Agent setup fails, if .NET 1.1 is not available on the 64-bit system. Select the check box to reverse the logic of the provisioning configuration. Hence, you are using provisioning configuration, to remove the KBOX agent from machines rather than installing it. This overrides any current provisioning activity. Select the check box to remove the Config.xml file while removing the Agent. The Config.xml file contains the KBOX name and other server configurations that the target machine checks into. For example: If you are using multiple KBOX servers and you remove a KBOX Agent ‘A1’ that was checking into the KBOX server ‘A1, you do not remove the Config.xml file. You then reinstall the KBOX Agent ‘B1’, which was checking into the KBOX server ‘B1’. This new agent continues to check into the KBOX server ‘A1’ as you have not removed the Config.xml file. Thus it is advisable to remove the Config.xml file. Note: If you want to save your configurations for future use do not remove the Config.xml file.

Remove Config.xml file

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

35

6. Enter the following details under Windows Network Administrative Credentials section, if the target machine(s) operate on the Windows platform: Domain (or Workgroup) Enter the domain or workgroup name associated with the login credentials you enter below.

User Name (admin level) Enter a user name with the necessary privileges to install the agent on the targeted machines. Password Enter the password for the account listed above.

7. Enter the following details under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings section, if the target machine(s) operate on the Linux, Macintosh®, or Solaris platform: Provision this platform Select the check box to enable provisioning on Linux, Macintosh®, or Solaris platform.

Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are the ports KBOX uses to access the target machine for installation of the KBOX Agent. Port Scan Time Out Bypass Port checks Remove KBOX Agent Enter a time period in seconds. Port scan time out indicates the time for which the KBOX will scan the port for response. Select the check box to avoid port checks. This indicates that the KBOX tries the installation, without checking ports. Select the check box to reverse the logic of the provisioning configuration. Thus, you are using provisioning configuration, to remove the KBOX agent from machines rather than installing it. This overrides any current provisioning activity. The kace folder has two sub folders, SMMP and kagentd. The SMMP folder has 4 files; SMMP.conf, agent.log, pid, and pluginRunProcess.log. The kagentd folder has 3 files; KBOX_LOG.txt, kbot_config.yaml, and kuid.txt. Select the check box to remove the complete ‘kace’ folder. If the check box is not selected /var/kace/kagentd/kuid.txt file is left behind.

Remove /var/kace/ files

8. Enter the following details under Network Root Credentials section, if the target machine(s) operate on the Linux or Macintosh® platform: User Name Under Network Root Credentials for the appropriate platform, enter a user name that has the necessary privileges to install the agent on the targeted machines. Enter the password for the account listed above. This is a read-only field that displays the KBOX Agent version number.

Password KBOX Agent Version

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

36

9. Select the appropriate check box under the Scheduling area, and schedule to run the configuration: Don’t Run on a Schedule Run Every n minutes/hours Run Every day/specific day at HH:MM AM/PM Run on the nth of every month/ specific month at HH:MM AM/PM Select when you do not want to run the provisioning configuration on a schedule. Select to run the provisioning configuration at the specified time. Select to run the provisioning configuration on specified day at the specified time. Select to run the provisioning configuration on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

By choosing a regular schedule, the KBOX periodically checks machines in the specified IP range to make sure that they have the KBOX Agent, and install/reinstall/uninstall as required. 10. Click Save to save the provisioned configuration. The Provisioned Configurations page appears. The provisioned configuration you just created, appears in the list of configurations. 11. Click the saved provisioned configuration. The Advanced Provisioning page appears. 12. You can edit this provisioned configuration. Click Run Now to save the changes and instantly run the current configuration against the defined IP range. To cancel the configuration, click Cancel. To add a new item using Manual Provisioning by Hostname: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Advanced Provisioning. The Advanced Provisioning page appears. 3. Select the Manual Provisioning by Hostname option under the General Settings section. 4. Enter the General Settings details as shown in the following table: Config Friendly Name Target Hostnames Configuration Enabled KBOX Server Name Enter a name for your agent provisioning configuration. Use a specific configuration name, to differentiate between two configurations. Enter the hostname(s) of the target machine. Note: Multiple host names should be comma-separated. Select the check box to enable the configuration. Note: Scheduled configurations will run only if this check box is selected. This field, by default, displays the name of the KBOX Server. Update this field if you have multiple KBOX servers. Enter the name of the server from where you wish to install the agent. Select the check box to enable DNS lookup.

KBOX Client Share Name The share folder name on the KBOX, where the KBOX Agents are located. DNS Lookup Enabled Name Server for Lookup By default, the field displays KBOX’s primary DNS Server mentioned under Network Settings. You can change the default DNS Server to the required one and also specify the hostname or IP address. Lookup Time Out Enter the time period in seconds, after this period has lapsed the DNS lookup will automatically time out.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

37

5. Enter the following details under Windows Platform Provisioning Settings section, if the target machine(s) operate on the Windows platform: Provision this platform KBOX Agent Version Select the check box to enable provisioning on Windows platform. This field displays the KBOX Agent version number.

Agent Identification Port The agent identification port is a port that installed agents would already have open and in use, indicating that you should not install the agent again. By default that port number is 52230. If you are using a different port number for this, you can change the port number listed here. Required open TCP Ports Enter the list of required open TCP ports separated by commas. These are the ports KBOX uses to access the target machine for installation of the KBOX Agent. Port Scan Time Out Bypass Port checks Enable Debug Info Remove KBOX Agent Enter a time period in seconds. Port scan time out indicates the time for which the KBOX will scan the port for response. Select the check box to avoid port checks. Selecting this indicates that the KBOX should simply try to install the agent, without checking the ports. Select the check box to enable debug info. By enabling this check box more debug info will be displayed in the machine’s provisioning results. Select the check box to reverse the logic of the provisioning configuration. Thus, you are using provisioning configuration, to remove the KBOX agent from machines rather than installing it. This overrides any current provisioning activity. Select the check box to install .NET 1.1 on a 64-bit system prior to KBOX agent installation. The KBOX Agent setup fails, if .NET 1.1 is not available on the 64-bit system. Select the check box to remove the Config.xml file while removing the Agent. The Config.xml file contains the KBOX name and other server configurations that the target machine checks into. For example: If you are using multiple KBOX servers and you remove a KBOX Agent ‘A1’ that was checking into the KBOX server ‘A1, you do not remove the Config.xml file. You then reinstall the KBOX Agent ‘B1’, which was checking into the KBOX server ‘B1’. This new agent continues to check into the KBOX server ‘A1’ as you have not removed the Config.xml file. Thus it is advisable to remove the Config.xml file. Note: If you want to save your configurations for future use do not remove the Config.xml file.

Install .NET 1.1 on x64 Systems Remove Config.xml file

6. Enter the following details under Windows Network Administrative Credentials section, if the target machine(s) operate on the Windows platform: Domain (or Workgroup) Enter the domain or workgroup name associated with the login credentials you enter below.

User Name (admin level) Enter a user name with the necessary privileges to install the agent on the targeted machines.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

38

Password

Enter the password for the account listed above.

7. Enter the following details under Unix (Linux, MacOSX, Solaris) Platform Provisioning Settings section, if the target machine(s) operate on the Linux, Macintosh®, or Solaris platform: Provision this platform Select the check box to enable provisioning on Linux, Macintosh®, or Solaris platform.

Required open TCP Ports Enter the list of required open TCP ports. These are the ports KBOX will use to access the target machine for installation of the KBOX Agent. Port Scan Time Out Bypass Port checks Remove KBOX Agent Enter a time period in seconds. Port scan time out indicates the time for which the KBOX will scan the port for response. Select the check box to avoid port checks. This indicates that the KBOX tries the installation, without checking ports. Select the check box to reverse the logic of the provisioning configuration. Hence, you are using provisioning configuration, to remove the KBOX agent from machines rather than installing it. This overrides any current provisioning activity. The kace folder has two sub folders, SMMP and kagentd. The SMMP folder has 4 files; SMMP.conf, agent.log, pid, and pluginRunProcess.log. The kagentd folder has 3 files; KBOX_LOG.txt, kbot_config.yaml, and kuid.txt. Select the check box to remove the complete ‘kace’ folder. If the check box is not selected /var/kace/kagentd/kuid.txt file is left behind.

Remove /var/kace/ files

8. Enter the following details under Network Root Credentials section, if the target machine(s) operate on the Linux or Macintosh® platform: User Name Under Network Root Credentials for the appropriate platform, enter a user name that has the necessary privileges to install the agent on the targeted machines. Enter the password for the account listed above. This is a read-only field that displays the KBOX Agent version number.

Password KBOX Agent Version

9. Select the appropriate check box under the Scheduling area, and schedule to run the configuration: Don’t Run on a Schedule Run Every n minutes/hours Run Every day/specific day at HH:MM AM/PM Run on the nth of every month/ specific month at HH:MM AM/PM Select when you do not want to run the provisioning configuration on a schedule. Select to run the provisioning configuration at the specified time. Select to run the provisioning configuration on specified day at the specified time. Select to run the provisioning configuration on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

By choosing a regular schedule, the KBOX periodically checks machines in the specified IP range to make sure that they have the KBOX Agent, and install/reinstall/uninstall as required.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

39

10. Click Save to save the provisioned configuration. The Provisioned Configurations page appears. The provisioned configuration you just created, appears in the list of configurations. 11. Click the saved provisioned configuration. The Advanced Provisioning page appears. 12. You can edit this provisioned configuration. Click Run Now to save the changes and instantly run the current configuration against the defined IP range. To cancel the configuration, click Cancel. To run provisioned configurations: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Select the check box beside the configuration(s) you want to run. 4. In the Choose action box, choose Run Selected Configuration(s) Now. To duplicate a configuration: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Click the configuration you want to duplicate. The Advanced Provisioning page appears. 4. Scroll down and click Duplicate. To delete a configuration: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Click the configuration you want to delete. The Advanced Provisioning page appears. 4. Scroll down and click Delete.

Deleting a configuration will delete all associated target machines in the provisioning inventory list. Altering or updating a configuration will reset the data in the associated target machines list to the default settings until the subsequent provisioning run.

Provisioned Configurations
The Provisioned Configurations page displays: A list of computers which match Agent Provisioning configurations established in Advanced Provisioning. All the provisioning configurations created and their statuses.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

40

The Provisioned Configurations page contains the fields described in the table below: Field Config Name Total Target Running Not Started Succeeded Failed % Succeeded IP Range Schedule Enabled Description Displays the configuration name. Click the config name displays the Advanced Provisioning page. Indicates the total number of target machines. Click the total number of target machines to display the Provisioning Results page. Indicates the total number of target machines on which provisioning is currently running. Click the total number of target machines to display the Provisioning Results page. Indicates the total number of target machines on which provisioning has not yet started. Click the total number of target machines to display the Provisioning Results page. Indicates the total number of target machines on which provisioning has succeeded. Click the total number of target machines to display the Provisioning Results page. Indicates the total number of target machines on which provisioning has failed. Click the total number of target machines to display the Provisioning Results page. Indicates in percentage the total number of target machines on which provisioning has succeeded. Indicates the IP range of the target machine. Indicates the provisioning schedule run as specified. For example: Every ‘n’ minutes, Every ‘n’ hours or Never. Indicates a blank or a green check in the check box for the configuration name depending on the provisioning success.

Table 2-1: Configuration List page fields To create a new configuration: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Select Create New Configuration from the Choose action drop-down list. The Single Machine Provisioning page appears. For more information, see section Appendix 2, “To deploy KBOX Agent Technologies on a single machine:, ” starting on page 30. To delete a configuration: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Select the check box beside the configuration(s) you want to delete. 4. In the Choose action drop-down list, select Delete Selected Item(s). 5. Click OK to confirm the deletion. To enable a configuration: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

41

2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Select the check box beside the configuration(s) you want to enable. 4. In the Choose action drop-down list, select Enable Selected Item(s). To disable a configuration: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Select the check box beside the configuration(s) you want to enable. 4. In the Choose action drop-down list, select Disable Selected Item(s).

Provisioning Results
Provisioning Results page displays a list of computers which match the current Agent Provisioning Configurations. This list includes all the machines discovered by the configurations created in Advanced Provisioning and Single Machine Provisioning. You can view target provisioning and configuration information. The target’s information results from the most recent provisioning run or execution on that target. Execution of a Provisioning Configuration targets the IP addresses and for each target (node) the execution evaluates the availability of IP addresses, agent status, port configuration, and so on. The results and logs of each provisioning step are displayed. To view Provisioning Results: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Provisioned Configurations. The Provisioned Configurations page appears. 3. Click Total Target/Running/Not Started/ Succeeded/ Failed/IP Range in the Provisioned Configurations list. The Provisioning Results page appears. 4. Click the IP Address of the required machine to view the provisioning target information and provisioning configuration information. The KBOX Agent Provisioning page appears. 5. Click Printer Friendly Version to see a print view of the page. You can take print outs of this page. You can also view computer inventory by clicking computer inventory under Provisioning Target Info section. The provisioning process collects the MAC address of the target machine and compares to the data associated with the current "KBOX Computer Inventory". If a match is found, a link to "Computer Inventory" for that association is displayed next to the MAC Address. For more information on computer inventory, see “Adding Computers to Inventory,” on page 65.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

42

6. Click the required DNS Lookup Enabled on the Provisioning Results page to view the DNS lookup details. When selected, live addresses are checked against the DNS Server to see if they have Agent Provisioning configured. The Provisioning Results page contains the fields described in the table below: Field IP Address DNS Action Result Error Connect status Description Indicates the IP address of the target machine. Indicates the DNS of the target machine. Indicates the appropriate action taken on the target machine. For example, it is ‘I’ for installing an agent or ‘R’ for removing an agent. Indicates the appropriate result on the target machine. For example, it is ‘S’ for Success or ‘F’ for Failure. Displays the 16 in-built reasons for failure. A icon indicates that after an agent install, a successful AMP connection was also established. Indicates the configuration name of the target machine. Indicates the date and time when the last run was performed.

Configuration Last Run

Table 2-2: Provisioning Results page fields

KBOX Agent Tasks
KBOX Agent Tasks option displays a list of all the KBOX Agent tasks that are currently running or are scheduled for a machine connected to the KBOX. Each machine displays the computer inventory information. Client machines connected to the server over AMP (port: 52230), are indicated by a on the Inventory list page. icon

You can view the KBOX Agent Tasks and Task Types from the Tasks drop-down list, which are described in the table below: Tasks All Tasks In Progress Overdue Tasks Task Type bootstrap inventory krash upload patching This selection lists all the agent tasks. This selection lists all the agent tasks that are in progress. This selection lists all the agent tasks that are overdue. The server requests the client to sync up. The server requests the client to update the computer inventory. The server requests the client to upload the dump file to the server (Windows only) Shows any of the client’s patching tasks, if running (Windows and Mac only).

scripting update Updates the current status of the scripting tasks.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

43

To view KBOX Agent Tasks: 1. Select KBOX Settings | Support or click KACE Support page appears. on the modules tool bar. The KBOX Settings:

2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears. 3. Click the tasks link in “See status of KBOX Agent tasks”, under the KBOX Agent Messaging area. The KBOX Agent Tasks page appears. 4. Click the Machine Name from the KBOX Agent Tasks list to view the computer inventory information. The Computers: Detail Item page appears. 5. Click Printer Friendly Version to see a print view of the page and print it. The KBOX Agent Tasks page contains the fields described in the table below: Field Description

Machine Name Indicates the machine name on which some tasks are scheduled/running/in progress. Task Type Started Completed Next Run Timeout Priority Indicates the type of agent task. Indicates the start time of the task type. Indicates the time when the task type is completed. Indicates the next schedule or run time of the agent task type. Indicates when the task type has to be timed out. Indicates the importance or the priority value of the task type.

Table 2-3: KBOX Agent Tasks page fields

KBOX Agent Settings
The KBOX Agent Settings options configure the KBOX to operate in your computing environment. These options specify how often the client runs on the user desktop and within that run how often a full desktop computer inventory is performed. The "KBOX Agent" options specify how often a KBOX Agent checks into the KBOX and how often the KBOX Agent performs a full computer inventory. For example, a default Run Interval of 30 minutes means that those computers with KBOX Agents installed will check into the KBOX 1000 Series appliance every 30 minutes. To configure KBOX Agent: 1. Select Organizations | Organizations. The KBOX Organizations page appears. 2. Click organization for which you want to configure the KBOX Agent. The KBOX Organization: Edit Detail page appears. 3. To edit agent settings, click [Edit Mode]. The KBOX Organization: Edit Detail page appears with the current agent setting details. These are the settings that control the schedule and frequency of your checked-in KBOX agents.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

44

4. Specify the following KBOX Agent options under the KBOX Agent Settings For This Organization area: Communications Window The time interval when the KBOX Agent can communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1:00 AM and 6:00 AM only, select 1:00 AM from the first dropdown list, and 6:00 AM from the second. The default setting is 12:00 AM to 12:00 AM. Agent “Run interval” The interval that the KBOX Agent checks into the KBOX 1000 Series. Each time a KBOX Agent connects, it resets its connect interval based on this setting. The default setting is once per hour. The interval that the KBOX Agent checks into the KBOX 1000 Series. Each time a KBOX Agent connects, it resets its connect interval based on this setting. The default setting is once per hour.

Agent “Inventory Interval”

Agent “Splash Page Text” The message that appears to users when communicating with the KBOX 1000 Series. The default message is KBOX is verifying your PC Configuration and managing software updates. Please Wait. Scripting Update Interval The KBOX Agent downloads new script definitions after scripting update interval is over. The default interval is 15 minutes. Scripting Ping Interval Agent Log Retention The KBOX Agent tests the connection to the KBOX 1000 Series appliance after scripting ping interval is over. The default interval is 600 seconds. The Agent Log Retention disallows the server to store the scripting result information that arises from the agents. By default, this stores all the results generated and can affect the performance of KBOX. Turn off the Agent Log Retention to allow the agent checkins to process faster.

5. Click Save to save the KBOX agent settings configuration. The KBOX Agent Settings page appears in read-only mode. These changes are reflected the next time agent checks into KBOX. The KBOX Agent normally checks in using the "Run Interval" schedule specified in KBOX Agent Settings page. For debugging and testing purposes, KACE provides ways that can be used to force a check-in outside this normal schedule. You can run the file KBScriptRunner located in C:\program files\kace\kbox to force the KBOX Agent to check in with the KBOX 1000 appliance. The KBScriptRunner.exe only forces a check-in (bypassing the "Run Interval") but does not force an inventory if you have set a non-zero Inventory Interval. You must change the inventory interval to zero while debugging/testing package deployments. Also refer Chapter 14,“Configuring General Settings for the Server,” starting on page 256 for Agent-Server Task settings.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

45

To troubleshoot clients which fail to show up in the inventory: Sometimes it may happen that your machine does not show up in KBOX Inventory after installing the KBOX Agent. By default the KBOX Agent communicates with KBOX using http: over port 80. Assuming network connectivity is in place, the most common reason newly-installed KBOX Agents fail to connect to the KBOX during first-time setup is a problem with the default "KBOX" host name in DNS. 1. If you set up the KBOX in your DNS using a host name other than the default "kbox", or need agents to reach KBOX by IP address instead of the DNS name, you must install the KBOX Agent specifying the SERVER property. For example, Windows: c:\>KInstallerSetup.exe -server=mykbox -display_mode=silent or c:\>KInstallerSetup.exe -server=192.168.2.100 -display_mode=silent Macintosh®: /Library/KBOXAgent/Home/bin/setkbox mykbox or /Library/KBOXAgent/Home/bin/setkbox 192.168.2.100 Linux: /KACE/bin/setkbox mykbox or /KACE/bin/setkbox 192.168.2.100 Solaris: /KACE/bin/setkbox mykbox or /KACE/bin/setkbox 192.168.2.100 2. To correct the server name for an already-installed client: Windows: Verify the "ServerHost", "ServerURLPrefix", and "ServerPort" entry values in: c:\program files\kace\kbox\config.xml Verify the "ServerHost", and "ServerPort" entry values in: c:\program files\kace\kbox\smmp.conf For further debug and troubleshooting, add the following line in smmp.conf: debug = true Verify that the connection text in smmp.log indicates a successful connection between the agent and server is established. After the successful connection between the agent and server is established, smmp_connected file is generated. Macintosh®: /var/kace/kagentd/kbot_config.yaml

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

46

Linux: /var/KACE/kagentd/kbot_config.yaml Solaris: /var/KACE/kagentd/kbot_config.yaml 3. Verify that you are able to ping the KBOX and reach it via a web browser at http://kbox. 4. Verify that Internet Options are not set to use proxy, or proxy is excluded for the local network or the KBOX. 5. Verify that no firewall or anti-spyware software is blocking communication between KBOX and any of agent components, including: KBOXManagementService.exe KBOXClient.exe KUpdater.exe kagentd (OS X/ Unix) 6. Verify that the KBOXManagementService (Windows), and KBOXSMMPManagementService or the kagentd (OS X/ Unix) processes are running. The agent will show up as 'perl' in the OS X Activity Monitor. If after verifying these items, you are still unable to get the agent to connect to the KBOX, contact KACE Support at support@kace.com for further assistance.

KBOX Agent Update
The KBOX Agent Update feature allows you to automatically update the KBOX Agent software for some or all machines that are checking in your KBOX. KBOX Agent deployments are automatically updated as new agent updates are posted to this area. The KBOX Agent package that you post to the server from this page should be an official KBOX Agent Release received from KACE directly. Before updating the KBOX Agent, ensure that you have downloaded and locally saved the following files: update_4.3.XXXX.bin for WINDOWS, where XXXX is the build number. update_mac_4.3.XXXX.bin for Macintosh®, where XXXX is the build number. update_linux_4.3.XXXX.bin for Linux, where XXXX is the build number. update_solaris_4.1.15780.bin for Solaris, where XXXX is the build number. To update KBOX Agent automatically: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Agent Updates from KACE. The Agent Updates from KACE page appears. 3. Click the [Edit Mode] link under the section that you want to edit. 4. Specify the agent updates as shown in the following table: Enabled Select the check box to upgrade the KBOX Agent when machines check into KBOX the next time around.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

47

Update Broken Agents Select the check box to update those machines that are running checking in with the KBOX for new agent versions, but are unable to successfully report inventory information to KBOX. This setting overrides the Limit Update to settings. For such a broken agent check for a new version of the Agent software by running kupdater.exe manually. Limit Updates to Enter a label for automatic upgrades. The upgrades will only be distributed to machines assigned to those labels, except if they are identified as a “broken client” above. Click Remove to limit the listed machines. To add more machines, select the machine(s) from the Select machine to add drop-down list. Enter the value to verify machine by filter. Enter release notes about the agent.

Limit Update To Listed Machines Filter Notes

5. To save the new agent updates, click Save. You can see the version numbers of agent patches currently uploaded to KBOX under the Loaded KBOX Agent Updates area. Click Delete All Updates to delete all patches that are uploaded to the KBOX. To upload platform-specific Agent patches: 1. Select Settings | KBOX Agent. The Agent Provisioning page appears. 2. Click Agent Updates from KACE. The Agent Updates from KACE page appears. 3. Click the [Edit Mode] link under the Upload KBOX Agent Update Files area. 4. Scroll down and select the Load specific OS.bin file(s) check box. 5. Click the button beside the platform name to upload the patch file for that specific platform.

6. Click Browse and locate the patch file (.bin). 7. The Update Version ID text box displays the version number of the patch file you are uploading. 8. Click Save Windows Patch File to upload the patch file. You can update agents on all platforms using a client bundle. The client bundle is designed to update the KBOX Agent deployment files that are stored on the KBOX server via a single file. This bundle must only be applied to KBOX servers at version 3.2 or greater. This affects two areas of the KBOX: 1) KBOX Agent Update 2) Advanced Provisioning When you apply this bin file to your server, the older versions of the clients will be removed and replaced with the files contained in this bin file. The KBOX Agent Update settings will be DISABLED after applying the file. You need to view the settings and confirm the label and settings and ENABLE it again if you want the agents to deploy to your network. All the provisioning setups will also be DISABLED and will need to be re-enabled to deploy the new version of the agent to your network.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

48

To update agents using a client bundle: 1. Download the kbox_patch_agents_xxx.bin file and save it locally. After you register on the KACE web site, you can download the latest client bundle using the login credentials from the following link: http://www.kace.com/support/customer/downloads.php 2. Select Settings | KBOX Agent. The Agent Provisioning page appears. 3. Click Agent Updates from KACE. The Agent Updates from KACE page appears. 4. Click the [Edit Mode] link under the Upload KBOX Agent Update Files area. 5. Click Browse beside Bundled Agents File and locate the update file you have downloaded. 6. Click Load Bundle File. Once the file is uploaded and applied: Go to the Agent Updates from KACE page and verify if the correct labels have been selected. Now select the Enabled checkbox to enable this upgrade. Go to the Advanced Provisioning page and verify if the correct setups have been selected. Now select the Configuration Enabled check box to enable this upgrade. To resolve errors when uninstalling or upgrading the KBOX Client: If you are attempting to manually uninstall an older 1.5/2.0 KBOX client after a failed install or upgrade of the client, you may receive one or more of the following error messages: An exception occurred while uninstalling. This exception is ignored and the uninstallation process will continue. However, the application may not be fully uninstalled after the uninstallation is complete. The savedState dictionary contains inconsistent data and might be corrupted. Fatal error during installation. Troubleshoot the following services to resolve the uninstall errors. 1. KBOX Management Service 2. KBOX SMMP Management Service To troubleshoot the KBOX Management Service: 1. Delete the *.InstallState files in the c:\program files\kace\kbox folder. 2. Verify that the KBOX Management Service is listed in the services control panel. 3. If KBOX Management Service is not listed, run the following command to reconfigure it: sc create KBOXManagementService binPath= "c:\program files\KACE\KBOX\KBOXManagementService.exe" type= interact type= own start= auto DisplayName= "KBOX Management Service" 4. You can now uninstall the agent from the Add or Remove Programs again. If you still continue to receive, contact KACE Support at support@kace.com for assistance. To troubleshoot the KBOX SMMP Management Service 1. Delete the *.InstallState files in the c:\program files\kace\kbox folder.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

49

2. Verify that the KBOX SMMP Management Service is listed in the services control panel. 3. If KBOX SMMP Management Service is not listed, run the following command to reconfigure it: sc create KBOXManagementService binPath= "c:\program files\KACE\KBOX\KBOXSMMPManagementService.exe" type= interact type= own start= auto DisplayName= "KBOX SMMP Management Service" 4. You can now uninstall the agent from the Add or Remove Programs again. If you still continue to receive, contact KACE Support at support@kace.com for assistance.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

50

AMP Message Queue
AMP Message Queue page displays the list of pending communications with the KBOX Agents such as pending alerts, patches, scripts, or deleting crash dumps. To view AMP Message Queue: 1. Select KBOX Settings | Support or click KACE Support page appears. on the modules tool bar. The KBOX Settings:

2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears. 3. Click the message queue link in “See list of pending communications in the KBOX Agent message queue”, under the KBOX Agent Messaging area. The AMP Message Queue page appears. The pending communications are displayed in this queue only if there is a constant connection between the KBOX Agent and the KBOX. For Alerts, the pending communications are displayed in the AMP Message Queue even if there is no continuous connection between the KBOX Agent and the KBOX. These messages are displayed till the Keep Alive time interval has elapsed. These messages are then deleted from the queue and the alerts expire. The Agent Message Queue page contains the following fields:

Field Machine Name

Description Indicates the machine name that contains the computer inventory information. Click the machine name to view the Computers Inventory page. A successful AMP connection and icon indicates a

icon indicates a failed AMP connection.

Message Type [ID, Src ID] Expires Status

Indicates the message type. For example, Run Process or Built-in.

Message Payload Indicates the message payload. Indicates the date and time when the alert expired. Indicates the status of the AMP message. For example, Completed or Received. AMP is Agent Messaging Protocol.

Table 2-4: AMP Messages Queue page fields To view alerts: 1. Select KBOX Settings | Support or click Support page appears. on the modules tool bar The KBOX Settings: KACE

2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears. 3. Click the message queue link in “See list of pending communications in the KBOX Agent message queue”, under the KBOX Agent Messaging area. The AMP Message Queue page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

51

4. Select View Alerts from the Choose action drop-down list. A list of Alerts is displayed under the Message field. The View Alerts option is available in the Choose action drop-down list only if AMP Message Queue has pending or displays alerts.

For creating alerts, see section “Creating Alert Messages,” on page 238. To delete a message queue: 1. Select KBOX Settings | Support or click KACE Support page appears. on the modules tool bar. The KBOX Settings:

2. Click Troubleshooting Tools. The KBOX Troubleshooting Tools page appears. 3. Click the message queue link in “See list of pending communications in the KBOX Agent message queue”, under the KBOX Agent Messaging area. The AMP Message Queue page appears. 4. Select the check box beside the message you want to delete. 5. Select Delete Selected Item(s) from the Choose action drop-down list. 6. Click OK to confirm deleting the message. This removes the message queue from the KBOX Agent.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

52

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

53

C H A P T E R 3 Inventory
The KBOX Inventory feature enables you to identify and manage the machines and software on your network and organize these machines using labels and filters.
“Overview of the Inventory feature,” on page 55 “Computers Inventory,” on page 58 “Software Inventory,” on page 66 “AppDeploySM Live,” on page 76 “Software Metering,” on page 74 “Processes,” on page 77,” “Startup,” on page 79,” “Service,” on page 81” “Monitoring Out-Of-Reach Computers (MIA),” on page 83 “Labels,” on page 84

54

Overview of the Inventory feature
Inventory is collected by the KBOX Agent and reported when computers check in with the KBOX. The data is then listed on one of the Inventory tabs: Computers, Software, or MIA. The inventory data is collected automatically according to the Agent Inventory Interval schedule specified in the system console, under Organizations | Organizations for a specific organization. If this Agent Inventory Interval is set to zero, the client inventory is performed as per the Agent Run Interval specified in the system console, under Organizations | Organizations for the specific organization.. Although it is presented under the Inventory tab, the IP Scan feature is discussed in Chapter 5,“IP Scan,” starting on page 96.

Module Toolbar

Sub tabs Use drop-down to filter view by label

Click to create notification filter

Click to create search filter

The last time the machine checked in

The computer’s name and labels to which the computer belongs

Click to run Machine Action

Figure 3-1: Inventory - Computers tab The Computer Search & Filter page displays the computer’s IP address and the user connected to it. Clicking Action #1 or Action #2 beside the IP address, invokes an Machine Action if specified. For more details on Machine Actions, Refer to the Chapter 1,“Configuring General Settings for the Server,” starting on page 16.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

55

From the Computers tab you can: Search by keyword or invoke an Advanced Search Create a Filter to apply labels to computers automatically Create Notifications based on computer attributes Add/delete new computers manually Filter the Computer Listing by label Apply or remove labels Show or hide labels To view details about a computer click its name.

Using Advanced Search for Computer Inventory
Although you can search computer inventory using keywords like Windows XP, or Acrobat, those types of searches might not give you the level of specificity you need. Advanced search, on the other hand, allows you to specify values for each field present in the inventory record and search the entire inventory listing for that value. This is useful, for example, if you needed to know which computers had a particular version of BIOS installed in order to upgrade only those affected computers. To specify advanced search criteria: 1. Click the Advanced Search tab. 2. Select an attribute from the drop-down list. For example, IP Address. 3. Select the condition from the drop-down list. For example, contains. 4. Enter the Attribute Value. For example, XXX.XX.* In the above example, machines from the specified IP range will be searched. Note: You can add more than one criteria. 5. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND. 6. Click Search. The search results are displayed.

Creating Search Filters for Computer Inventory
Filtering enables you to dynamically apply a label based on a search criteria. It is helpful to define filters by using inventory attributes. For example, you create a label called “San Francisco Office” and create a filter based on the IP range or subnet for machines located at the San Francisco office. So whenever a machine is checked in and meets the above IP range, it be labeled as San Francisco. This functionality is particularly useful if your network includes laptops that often travel to remote locations. The table below lists some examples of useful filters that could be applied to a machine based on its inventory attributes: Filter Examples Sample Label Name XP_Low_Disk Sample Condition Windows XP Machine with less than 1 GB of free hard disk at last connection.

Table 3-2: Filter Examples

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

56

Filter Examples XP_No_HF182374 Building 3 CN_sales Windows XP Machine without Hotfix 18237 installed at last connection. Machine connecting to the KBOX is detected in a specified IP range known to originate in building 3. Computers connecting where computer name contains the letters “sales”.

Table 3-2: Filter Examples To create a filter: 1. Select Inventory | Computers, then click the Create Filter tab. The Filter criteria fields appear. 2. Specify the search criteria. 3. Choose the label to associate with the filter. 4. To see whether the filter produces the desired results, click Test Filter. 5. Click Create Filter to create the filter. Now, whenever machines that meet the specified filter criteria check into the KBOX, they will automatically be assigned to the associated label. You can also add a new machine filter or change the order of machine filters from the Reporting | Filters tab. Refer to Chapter 12,“Filters,” starting on page 239for more details. This feature assumes that you have already created labels to associate with a filter. For information about creating labels, see “Labels,” on page 84. Deleting a filter does not delete the label.

Creating Computer Notifications
You can also use the Notification feature to search the inventory for computers that meet certain criteria, such as disk capacity or OS version, and then send an e-mail automatically to an administrator. For example, if you wanted to know when computers had a critically low amount of disk space left, you could specify the search criteria to look for a value of 5 MB or smaller in the Disk Free field, and then notify an administrator who can take appropriate action. To create a notification: 1. Select Inventory | Computers, and then click the Create Notification tab. 2. Specify the search criteria. 3. Specify a title for the search. 4. Enter the mail address of the recipient of the notification. 5. To see whether the filter produces the desired results, click Test Notification. 6. Click Create Notification to create the notification. Now, whenever machines that meet the specified notification criteria check into the KBOX, an mail will automatically be sent to the specified recipient. You can modify or delete a notification after it has been created on the Reporting | Email Alerts tab.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

57

Filtering Computers by Organizational Unit
If you want to filter computers based on an Organizational Unit found in LDAP or AD, you can create LDAP Filters to do this from the Reporting | LDAP Filters tab. For more information on how to create LDAP Filters, Refer to Chapter 13,“LDAP Filters,” starting on page 247.

Computers Inventory
From the Computers tab, you can select a computer in the inventory and view its details. The Computer Detail page provides details about a computer’s hardware, software, install, patch, Help Desk, and Oval vulnerability history, among other attributes. Each section on this page is described below. To expand the sections, click Expand All. Click a heading to expand or collapse it.

Summary
This section provides a brief description of the computer. It displays the following details: Name Model IP Address MAC RAM Total Processors OS Name Service Pack Uptime Agent Version User Name AMP Connection Displays the name of the machine. Displays the make of the machine. Displays the IP Address of the machine. Displays Media Access Control Address (MAC) of the machine. Displays the total memory of the machine. Displays the details of types of processors of the machine. Displays the operating system of the machine. Displays the service pack of the machine. Displays the elapsed time since the last machine shutdown. Displays the current version of the KBOX Agent installed on the machine. Displays the user name of the most recent user of the machine. A icon indicates a constant connection between the KBOX Agent and the icon indicates that the KBOX Agent and the KBOX are not

KBOX, while a connected. Last Inventory

Displays the time interval from the last inventory scan executed on the machine and date and time of this scan. Displays the details of all the hard disk drives installed on the machine.

Record Created Displays the date and time when this inventory record was created. Disk #

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

58

Click Force Inventory Update to synchronize this computer with the server. It requests the agent to send an inventory to the KBOX. The Alerts, Patching, and Run Now features work only if there is a constant connection between the KBOX Agent and the KBOX. For information on how to set up a persistent connection, Refer to Chapter 1,“Configuring AMP Settings for the Server,” starting on page 24.

Inventory Information
The inventory information section covers following areas: Hardware Printers Network Interfaces KBOX Agent User Operating System Notes

Hardware
The hardware section displays following details. These details vary according to the make of the computer: RAM Total Ram Used Manufacturer Model Domain Motherboard Primary Bus Motherboard Secondary Bus Processors CD/DVD Drives Sound Devices Apple Support Info SMC Version Serial Number Displays the total memory of the machine. Displays the amount of RAM currently used by the machine. This field is not displayed on an Apple Machine. Displays the name of manufacturer. This field is not displayed on an Apple machine. Displays the model details of the machine. Displays the domain name of the machine. This field is not displayed on an Apple machine.

Displays information about the machine’s motherboard.

Displays the details of types of processors on the machine. Displays the configuration of drives installed on the machine. Displays the details of the sound card installed on the machine. Displays link to the Apple Support website. This field is displayed only on an Apple machine. Displays the SMC version of the Macintosh® Intel machine. This field is displayed only on an Apple machine. Displays the serial number of the Macintosh® machine. This field is displayed only on an Apple machine.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

59

Boot ROM Version Video Controllers Dell Service Info

Displays the Boot ROM version of the Macintosh® machine. This field is displayed only on an Apple machine. Displays the details of video controllers installed on the machine. Displays link to the Dell website. You can view the support record for the computer, including the days left on the support agreement, and compare the original with the current system configurations. This field is displayed only on a Dell machine. Displays the monitor details of the machine. Displays link to the MPC Computers Support website. You can locate your exact system model and original components, as well as drivers, specifications, manuals and installation guides if available. This field is displayed only on an Gateway Machine.

Monitor MPC Service Info

BIOS Name BIOS Version BIOS Manufacturer BIOS Description BIOS Serial Number Disk # Displays the details of all the hard disk drives installed on the machine. Displays the BIOS details of the machine.

Printers

This section displays the list of configured printers for the computer.

This section displays the following details of the machine: 1. Type and version of NIC card installed 2. MAC address 3. IP address 4. DHCP status (Enable or Disabled)

Network Interfaces

KBOX Agent

This section displays the following details: Agent Version AMP Disconnected KACE ID Displays the version of the KBOX Agent installed on the machine. Displays the date and time when the AMP connection got disconnected. This field is only displayed if the AMP connection is disconnected. Displays the ID of the machine on which the KBOX Agent is installed. You can view the machine ID in the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\KACE Displays the id of the machine as reflected in the machine table. Displays the time when the inventory for the machine last got uploaded to the KBOX. Displays the time when the machine last got synched to the KBOX.

Database ID Last Inventory Last Sync

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

60

User
This section displays the details about the last user logged in.

Operating System
Name Service Pack Version Build Number Architecture Installed Date

This section displays the following details: Displays the name of the operating system installed on the machine. Displays the service pack of the machine. Displays the version number of the operating system installed on the machine. Displays the build number of the operating system installed on the machine. Displays the version number of operating system installed. Displays the architecture of the machine as 32-bit or 64-bit. Displays the date and time when this operating system was installed on the machine. Displays the date and time when the machine was last rebooted. Displays the elapsed time since the last machine shutdown. Displays the operating system installation path on the machine. Displays the current registry file size of the machine. Displays the maximum registry file size of the machine.

Last System Reboot Current Uptime System Directory Registry Size Registry Max Size

Notes

This section displays notes related to the machine. You can enter description in the Notes field. Click Save to save the description.

Software
The Software section has following areas: Installed Programs Custom Inventory Fields Uploaded Files Installed Patches via Inventory Running Processes Startup Programs Services

Installed Programs

This section displays the titles and versions of software programs installed on the computer. The programs listed here are the same as those listed on the computer’s Add/Remove Programs list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

61

Custom Inventory Fields Uploaded Files

This section lists the Custom Inventory fields that were created for the machine.

This section displays a list of the files that have been uploaded to the KBOX from the machine using the Upload a file Script Task. Refer to page 147 describing adding steps to task to a Offline KScript or Online KScripts in Chapter 8,“To add an Offline KScript or Online KScript:,” starting on page 145. Also Refer to Appendix B,“Adding Steps to Task Sections,” starting on page 331.

Installed Patches via Inventory

This section lists all of the Microsoft patches that have been installed on the computer via Computers | Inventory.

This section displays lists of all the processes currently running on the computer. This list is the same as that displayed on the computer’s Task Manager | Processes tab.

Running Processes

Startup Programs

This section displays a list of programs that are launched automatically when the computer starts. These programs are the same as those listed in the computer’s Start | All Programs | Startup menu.

Services

This section displays a list of services that are running on the machine. Click any of the services and the Service : Edit Service Detail page appears. The fields on this page represent the service detail information, which is automatically captured and communicated from the KBOX Agent.

Activities
The Activities section has the following areas: Labels Failed Managed Installs To Install List Help Tickets

Labels

This section displays the labels that are currently assigned to the computer. Labels are used to organize and categorize machines.

This section displays the list of Managed Installations that failed to install on the machine. To access details about the Managed Installations, click the Managed Software Installation detail page link.

Failed Managed Installs

To Install List Help Tickets

This section lists the Managed Installations that installed on the machine, the next time it connects.

This section displays the list of the Help Desk Tickets associated with the machine. The Tickets can be assigned to the machine owner or submitted by the machine owner. To view the details of Help Desk Ticket, click Ticket ID (for example, TICK:0032). Click the [Create New Ticket] link to create a new

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

62

ticket. For more information on how to create a ticket, Refer to Chapter 11,“Creating and Editing Help Desk Tickets,” starting on page 217.

Security
The Security section has the following areas: Patching Detect/Deploy Status Threat Level 5 List Oval Vulnerabilities

Click Patch Schedules to review patches that you want to detect and deploy on the machine. This section displays following details for the machine: Scheduled Task Status Deployment Status You can sort Deployment Status details by following categories: Failed Not Patched Patched All Patch Name Detect Status Detect Date Deploy Status Deploy Date Tries

Patching Detect/Deploy Status

Threat Level 5 List

This section displays the items that are marked with the threat level as 5. A threat that is harmful to any software, process, startup item, or services associated with the machine is considered as threat level 5.

Oval Vulnerabilities

This section displays the results of OVAL Vulnerability tests run on the machine. Only tests that fail on the machine are listed by the OVAL ID and marked as Vulnerable. Tests that pass are grouped together and marked as Safe.

Logs
The Logs section has the following areas: KBOX Agent Logs Portal Install Logs Scripting Logs

KBOX Agent Logs

This section displays the following logs: KBOX Management Service Logs - The primary role of KBOX Management Service is to execute the Offline KScripts. The KBOX Management Service logs display the steps performed by KBOX Management Service to execute the Offline KScripts. These steps include, downloading the

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

63

dependencies and validating the KBOTS file. Any error in the execution of Offline KScript is logged in the KBOX Management Service logs. KBOX Boot Strap Logs - The KBOX sends a boot strap request to get the inventory information for a machine that has checked in for the first time. The logs related to this request are displayed in the KBOX Boot Strap logs. KBOX Client Logs - The KBOX sends a request to the KBOX Client to get the inventory information periodically. A script is executed at the KBOX Client, after which it sends the inventory information to the KBOX. On successful execution of KBOXClient.exe, the inventory is uploaded to KBOX. The KBOX Client logs displays these actions. KBOX Scripting Updater - A request is initiated periodically from the KBOX Client to get the latest information related to the changes in Offline KScripts. The KBOX Scripting Updater logs displays this information.

Portal Install Logs Scripting Logs

This section provides details about the User Portal packages installed on the machine.

This section lists the Configuration Policy scripts that have run on this computer, along with the status of any scripts in progress.

Asset
The Logs section has the following areas: Asset Information Related Assets Asset History

This section displays the details of the Asset associated with the machine. Details such as the date and time when the Asset record was created, the date and time when it was last modified, type of the asset, name of the asset, and machine name are displayed. Click [Edit this asset] link to edit the asset information. For more information on editing asset information, Refer to Chapter 4,“Managing Assets,” starting on page 91.

Asset Information

Related Assets Asset History

This section displays the list of related assets that are not the parent of this asset.

This section displays the changes done to the Asset of the machine. It lists details of the all the changes along with the date and time when each change was done.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

64

Adding Computers to Inventory
The KBOX provides the convenience of automatically adding computers to inventory. This is especially useful when you maintain a large number of computers on your network. However, the KBOX also provides the flexibility to manually add computers to inventory. For example, you can track computers that currently do not have KBOX Agent support or computers that are not available on your LAN.

Adding Computers automatically
Computers are automatically added to the inventory by provisioning the KBOX agent on the computers on your network. The computers on which the KBOX agent is installed will check into the KBOX and upload all the available inventory data. For more information on Agent Provisioning, Refer to Chapter 2,“Agent Provisioning,” starting on page 28.

Adding Computers manually
You can maintain inventory data of all the machines on your network, but not connected to your LAN, in one central place. This can be done by adding these computers to the KBOX manually from the Inventory | Computer tab. To add a computer to inventory manually: 1. Select Inventory | Computers tab. 2. Select Add New Item from the Choose action drop-down list. The Computer: Edit Computer Detail page appears. 3. Enter the requested computer details. For example, the requested computer details can include, view the computer record of a machine that is already listed in the inventory. 4. If you prefer, you can import the machine.xml file for this computer. The KBOXClient.exe can take an optional command line parameter-inventory. To configure this, type: KBOX Agent/exe-inventory The KBOX Agent collects the inventory data and generates a file called machine.xml, which you can upload here. If you choose this option, the KBOX ignores all other field values on this screen. To delete a computer: 1. Select Inventory | Computers. 2. Select the check box beside the computer(s) you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the computer, or click Cancel to cancel deletion. To apply a label to a computer: 1. Select Inventory | Computers. 2. Select the computer you want to apply a label to. 3. Select the appropriate label to apply from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

65

To remove a label from a computer: 1. Select Inventory | Computers. 2. Select the check box beside the computer(s) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list.

Software Inventory
In addition to the computers on your network, the KBOX Inventory feature also keeps an inventory of the software titles installed on each of the computers listed in the inventory. From the Inventory | Software tab you can see at a glance all the software installed across your network. By default, the Software List alphabetically lists only the first 100 software titles detected. To view all software installed, click the Show All link. From the Software List page you can: Add or delete software Add or remove labels Categorize the Software Set Threat Level to Software To view the details of a software title, click the software name link.

Using Advanced Search for Software Inventory
The software inventory can be searched using keywords for softwares like Adobe Flash Player or ActivePerl. For more refined search result, using Advanced Search is recommended. This feature allows you to specify values for each field present in the software inventory record and search the entire inventory for that particular value. This is useful, for example, if you need a list of computers that have ActivePerl installed on a specific operating system. To specify advanced search criteria: 1. Click the Advanced Search tab. 2. Select an attribute from the drop-down list. For example, Display Name (Title). 3. Select the condition from the drop-down list. For example, contains. 4. Enter the Attribute Value. For example, ActivePerl. In the above example, machines having ActivePerl software will be searched. Note: You can add more than one criteria. 5. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND. 6. Select an attribute from the drop-down list. For example, Supported OS. 7. Select the condition from the drop-down list. For example, contains. 8. Enter the Attribute Value. For example, XP. In the above example, machines which have Windows XP OS and ActivePerl software installed will be searched.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

66

9. Click Search. The refined search results are displayed.

Creating Search Filters for Software Inventory
Filtering enables you to dynamically apply a label based on a search criteria. It is helpful to define filters by using inventory attributes. To create a filter: 1. Select Inventory | Software, then click the Create Filter tab. The Filter criteria fields appear. 2. Specify the search criteria. 3. Choose the label to associate with the filter. 4. To see whether the filter produces the desired results, click Test Filter. 5. Click Create Filter to create the filter. Now, whenever machines that meet the specified filter criteria check into the KBOX, they will automatically be assigned to the associated label. You can also add a new software filter or change the order of software filters from the Reporting | Filters tab. Refer to Chapter 12,“Filters,” starting on page 239 for more details. This feature assumes that you have already created labels to associate with a filter. For information about creating labels, see “Labels,” on page 84. Deleting a filter does not delete the label. Software filters are applied in following different ways: When a specific filter is created on Inventory | Software using Create Filter tab, it can be applied to all the softwares. If a specific filter is edited via Reporting | Filters, it will be reapplied to all softwares. All filters can be applied to a new software in Inventory. All filters will be reapplied to a new software in Inventory, in case it is updated with a new supported OS. All filters will be reapplied to a software, when it is updated on Inventory | Software.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

67

Adding Software to Inventory
As with computers, you can add software to inventory either automatically or manually. The KBOX provides the convenience of adding software titles to the inventory automatically, which is especially useful when it is difficult to determine and maintain all the titles installed on all the machines in your network. Thus, the KBOX also provides you with the flexibility to manually add software titles to the inventory. For example, you can add a title that is not yet been installed on your network so that you can create a managed installation from it and deploy it to the computers on your network at one time.

Adding Software Automatically
Software is added automatically to the inventory by provisioning the KBOX agent on the computers on your network. The computers on which the KBOX agent is installed will check in to the KBOX and upload all the available software inventory data. For more information on Agent Provisioning, Refer to Chapter 2,“Agent Provisioning,” starting on page 28.

Adding Software Manually
Although the KBOX creates inventory records for the software titles found on your network, there might be applications you want to add to inventory manually. To add software to inventory manually: 1. Select Inventory | Software. 2. Select Add New Item in the Choose Action drop-down list. The Software : Edit Software Details page appears. 3. Enter the general software details. Be sure to create the Display Version, Vendor, and Software Title information consistently across software inventory in order to assure proper downstream reporting. 4. Upload or specify links to available information files associated with the software. 5. In the Assign To Label field, select the labels to assign. 6. Enter any other details in the Notes field. Specify the Custom Inventory ID (rule), for example, C:\RegistryValueGreaterThan(SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx,szDatVersion,4.0.44). Before sending any software to a remote client, the KBOX verifies whether or not that file is present on the target machine. If it is detected, then it is not sent to the machine a second time. In some instances, installed programs do not register in add/remove programs or in standard areas of the registry. In such cases, the KBOX may not be able to detect the presence of the application without additional information from the administrator and, therefore, the KBOX may repeat the install each time the client connects. For more information on Custom Inventory ID (rule), Refer to “Custom Inventory ID (rule),” on page 69.

7. Select the supported operating systems in the Supported Operating Systems field. 8. In the Custom Inventory ID (rule) field, enter the Custom Inventory ID.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

68

9. Beside the Upload & Associate File, click Browse, and then click Open. 10. Under Metadata, specify the following information: Category Threat Level Hide from Software Lookup Service 11. Click Save. Select the desired category. Select the threat level. Select this check box if you want to hide this information from the Software Lookup Services.

The software detail page displays license information for the software. You can also view the license asset detail by clicking on the license link.

Custom Inventory ID (rule)
The KBOX inventory rules engine supports the following functions. Custom inventory rules are entered in the Custom Inventory ID (rule) File System Functions The FileVersion and ProductVersion functions retrieve the information from the file described in the fullPath argument.

Use of the term “string” in the function indicates that value to be specified for fullpath or valueToTest arguments is of type string and not of type like boolean or integer. Quotation marks need not be specified in the string value. DirectoryExists(string dirName) For example: DirectoryExists(C:\WINDOWS\) FileExists(string fullPath) For example: FileExists(C:\WINDOWS\notepad.exe) FileVersionEquals(string fullPath, string valueToTest) For example: FileVersionEquals(C:\Program Files\Internet Explorer\iexplore.exe, 6.0.2900.2180) FileVersionLessThan(string fullPath, string valueToTest) FileVersionGreaterThan(string fullPath, string valueToTest) ProductVersionEquals(string fullPath, string valueToTest) ProductVersionLessThan(string fullPath, string valueToTest) ProductVersionGreaterThan(string fullPath, string valueToTest)

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

69

Registry Functions RegistryKeyExists(string absPath) RegistryValueEquals(string absPathToKey, string valueName, string valueToTest) RegistryValueLessThan(string absPathToKey, string valueName, string valueToTest) RegistryValueGreaterThan(string absPathToKey, string valueName, string valueToTest) For example: RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE,6.000) The syntax must adhere to the following rules: The syntax must have three values separated by commas. Commas are not allowed anywhere else in the string. Do not include single nor double quotes. Contain a key that exists under LocalMachine. Failure to follow these specifications will result in the test evaluating to FALSE, and the install would proceed. All comparisons happen as strings, testing other registry value types may not work. White space will be trimmed from the front and back of each variable. Therefore all of the following syntaxes are the same: RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE,6.000) RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector ,IE,6.000) RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE ,6.000 ) RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector, IE,6.000 ) The following syntaxes are not the same and would be INVALID: RegistryValueEquals(SOFTWARE\Mic rosoft\Internet Explorer\Vers ion Vector,IE,6.000) RegistryValueEquals(SOFTWARE\Microsoft\Internet Explorer\Version Vector,IE,6.000) These operators can be used in conjunction with "AND / OR". If the results of functions in the form described above evaluate to be true, then it is assumed that the software is installed on the target machine, and there is no reason to install this package again. And, a corresponding copy of the software is counted in the KBOX database. Functions of the form *VersionGreaterThan and *VersionLessThan will attempt to do valid comparisons of version information. Only numeric versions can be compared. For example 1.2.3B would not compare correctly. The following would all behave normally: 1.2.3 < 1.2.4 1.2.3 < 2.4 1.2.3 > .9.1.9 1 < 1.5 1.0.0.0.5 < 1.1

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

70

Functions of the form *Equals will be doing string comparisons, so the supplied value To Test values must match exactly. "1.0" does not equal "1.0.0.0" ".9" does not equal "0.90" Use custom inventory rules when: The software or item you want to inventory is not listed in add/remove programs. Different versions of the same software have the same entry in add remove/programs, either with incorrect or incomplete "Display Version" information. Example of a custom inventory rule to detect Windows XP Service Pack 2: Windows XP Service Pack 2 only appears in Add/Remove programs for machines that were originally on SP1 then upgraded to SP2, so the default KBOX Software inventory for this item will not reflect machines that are already on SP2 because they were originally imaged at the SP2 level. When using the KBOX to deploy Windows XP Service Pack 2, you should use the following custom inventory rule for the Software Inventory item: RegistryValueEquals(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVe rsion,CSDVersion,Service Pack 2) This custom inventory rule will prevent the KBOX from trying to deploy the SP2 install to any machines already at that level (i.e., SP1 machines which have been upgraded, as well as machines originally imaged with SP2).

Creating Software Asset
You can create a software asset using the Inventory | Software tab. To create a software asset: 1. Select Inventory | Software. 2. Select the appropriate software and then select Create Asset from the Choose Action drop-down list. The Assets page appears.

Custom Data Fields
You can create custom data fields in order to read information from a target machine and report it in the Computer Inventory certificate. This is useful for reading and reporting on information in the registry and elsewhere on the target machine. For example, DAT file version number from the registry, file created date, file publisher, or other data. To create a custom data field: 1. Select Inventory | Software. 2. Select Add New Item from the Choose action drop-down list. 3. Enter a Display Name for the field.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

71

4. In the Custom Inventory (ID) rule area, enter the appropriate syntax according to the information you want to return: To return a Registry Value, enter RegistryValueReturn(string absPathToKey, string valueName, string valueType), replacing valueType with either “TEXT”, “NUMBER”, or “DATE”. Note that NUMBER is specifically an integer value. Example: RegistryValueReturn(HKEY_LOCAL_MACHINE\SOFTWARE\McAfee.com\Virusscan Online,SourceDisk, TEXT) To return File Information, enter FileInfoReturn(string fullPath, string attributeToRetrieve, string valueType) Example: FileInfoReturn(C:\Program Files\Internet Explorer\iexplore.exe, Comments,TEXT) You can retrieve the following attributes from the FileInfoReport() function: Comments CompanyName FileBuildPart FileDescription FileMajorPart FileMinorPart FileName FilePrivatePart FileVersion InternalName IsDebug IsPatclhed IsPreRelease IsPrivateBuild IsSpecialBuild Language LegalCopyright LegalTrademarks OriginalFilename PrivateBuild ProductBuildPart ProductMajorPart ProductMinorPart ProductName ProductPrivatePart ProductVersion SpecialBuild CreatedDate ModifiedDate AccessedDate

Attaching a Digital Asset to a Software Title
Whether you add the software to inventory automatically or manually, after a particular software title is in inventory, you will need to associate the files required to install the software before distributing a package to users for installation. To associate multiple files, create a .zip file and associate the resulting archive file. To attach digital asset to a software title: 1. Select Inventory | Software. 2. Click the linked name of the software title. The Software: Edit Software Detail page appears. 3. Beside Upload & Associate File, click Browse. 4. Locate the file to upload, then click Open.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

72

5. Modify other details as necessary, then click Save. The Software-To-Computer Deployment Detail table at the bottom of the Software | Edit Software Detail page shows which computers have the software title installed. To delete a software: 1. Select Inventory | Software. 2. Select the check box beside the software(s) you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the software. Else, click Cancel to cancel deleting the software. To apply a label to a software: 1. Select Inventory | Software. 2. Select the check box beside the software(s) you want to apply a label to. 3. Select the appropriate label to apply from the Choose action drop-down list. To remove a label from a software: 1. Select Inventory | Software. 2. Select the check box beside the software(s) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list. To categorize a software: 1. Select Inventory | Software. 2. Select the check box beside the software(s) you want to categorize. 3. Select the appropriate category from the Choose action drop-down list. To set threat level to a software: 1. Select Inventory | Software. 2. Select the check box beside the software(s). 3. Select the appropriate threat level from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

73

Software Metering
The KBOX Metering feature allows you to keep track of software used across your enterprise. The Metering feature records and reports the details on the software used across your network. This can help you to manage license compliance and better negotiate license renewals and upgrades. You can record and view software usage for the last first, second, third, sixth, or twelfth month. Detail pages provide information on individual software processes, including the name of the computer that is using the software, the number of times the software was launched, the total minutes the software was used, and when the software was last used.

Adding a Software Meter
You can add a software meter to monitor the specified process name on the agent machine. To add a Software Meter: 1. Select Asset | Metering. The Software Metering page appears. 2. Select Add New Item in the Choose action drop-down list. The Software Metering: Edit Detail page appears. 3. Enter Software Meter details as follows: Enabled Process Name Associated Software Select this check box to enable software metering for this software. The specified process name will be monitored on the KBOX Agent machine. To track usage only on machines with a specific software version deployed, choose the related software inventory item. You can filter the list by entering filter options. Enter any notes that further describe or explain this software meter. Displays license information for the software. To view the license asset details, click on the license link.

Notes Licenses

4. Click Save to save your changes or click Cancel to return to the Software Metering Listing page. Your Software Meter now appears in the Software Metering Listing page. The results of the software metering can be seen at two places: On the Software Metering page On the Software Metering: Edit Detail page To view Software Metering results: 1. Select Asset | Metering. The Software Metering page appears. The software metering page displays useful information such as the Process Name, Enabled, Installed, Licensed, In Use, and so on. 2. Click the process name. The Software Metering: Edit Detail page appears. The Month-to-date usage Detail table displays information such as Computer Name, Times Launched, Minutes Used, and Last Used.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

74

Editing Software Meter Details
You can edit a software meter to monitor the specified process name on the agent machine. To edit Software Meter details: 1. Select Asset | Metering. The Software Metering page appears. 2. Click the process name. The Software Metering: Edit Detail page appears. 3. Edit Software Meter details as shown in the following table: Enabled Process Name Associated Software Notes Select this check box to enable software metering for a software process. The specified process name will be monitored on the KBOX Agent machine. Select the related software inventory item, to track the usage only on machines with a specific software version deployed. Enter any notes that further describe or explain this software meter.

4. Click Save to save your changes or click Cancel to return to the Software Metering page.

Deleting a Software Meter
You can delete a software meter. To delete a Software Meter: 1. Select Asset | Metering. The Software Metering page is appears. 2. Select the processes of which software meter or meters you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the software meter(s). Else, click Cancel to cancel deleting the software meter(s).

Configuring the Software Metering Settings
You can configure the software metering settings. To configure Software Metering settings: 1. Select Asset | Metering. The Software Metering page appears. 2. Select the process name. 3. Select Configure Settings in the Choose action drop-down list. The Software Metering Settings page appears. 4. Edit configuration settings as shown in the following table: Enabled Allow Run While Disconnected Allow Run While Logged Off Select the check box for metering to run on the target machines. Select the check box for metering to run even if the machine cannot contact the KBOX to report results. The results will be stored on the machine and will be uploaded once the contact with the KBOX is established. Select the check box for metering to run even if a user is not logged in. If you clear this check box, the script will run only when a user is logged into the machine.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

75

5. Edit deployment settings as shown in the following table: Deploy to All Machines Limit Deploy To Supported Operating Systems Select the check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box. You can limit deployment to one or more labels. Press CTRL and click to select more than one label. Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave blank to deploy to all operating systems.

6. Click Save to save your changes or click Cancel to return to the Software Metering page.

AppDeploySM Live
AppDeploy.com contains information on installation, deployment, and systems management automation. By putting all the relevant information in one place, it eliminates the need for searching answers through vendor sites, discussion boards, and technical publications. It offers computer administrators an easy way to search for answers and solutions.

Enabling AppDeploy Live
Select the Enable AppDeploy Live! check box in the KBOX Settings: General page, to integrate community submitted information directly from AppDeploy Live. For more information on how to change the KBOX General Settings, Refer to Chapter 1,“Configuring General Settings for the Server,” starting on page 16.

Viewing AppDeploy Live content
You can view AppDeploy Live contents of your KBOX. From the Inventory tab, you can view AppDeploy Live information on software, processes, startup programs, and services. AppDeploy Live information can also be viewed from the Distribution | Managed Installations and Distribution | File Synchronization. You can visit www.AppDeploy.com for more information. To view AppDeploy Live information: 1. Select Inventory | Software. The Software page appears, which lists the software installed on client machines. 2. Select the software title in order to see the associated information from AppDeploy Live. The Software : Edit Software Detail page appears. 3. Scroll Down to view AppDeploy Live information. If you have not enabled AppDeploy Live, you cannot view AppDeploy Live information. Refer to “AppDeploySM Live,” on page 76.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

76

Processes
The KBOX Processes feature allows you to keep track of processes that are running on all agent machines across your enterprise. The Processes feature records and reports the processes details information. You can record and view software usage for the last 1, 2, 3, 6, or 12 months. Detail pages provide information on individual processes, including the name of the computer running those processes, system description, and the last user. Using Processes feature, you can: View Process details Delete selected processes Disallow selected processes Meter selected processes Apply labels Remove labels The processes are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To view process details: 1. Select Inventory | Processes. The Processes page appears. 2. Click on the process name to view details. The Process Details page appears. 3. Select labels to assign to process in the Assign To Label box. 4. Enter any notes that further describe this process in the Special Notes box. 5. Select the category of the process in the Category drop-down list. 6. Select the threat level of the process in the Threat Level drop-down list. 7. Click Save to save the processes details. You can read comments on the process submitted by other users by clicking [Read Comments] on the Process Details page. You can also ask for help from KACE about the processes by clicking [Ask For Help.] You need KACE user name and password to log in to the KACE database. You can also see computers with running the selected process. You can view a printer friendly version of this page and take print outs of the report. To delete a process: 1. To delete processes, do one of the following: From the Processes List view, select the check box beside the process, then select Delete Selected Item(s) from the Choose action drop-down list. From the Process detail page, click Delete. 2. Click OK to confirm deleting the selected process.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

77

To disallow processes: 1. Select Inventory | Processes. The Processes page appears. 2. Select the check box beside the process(es) to disallow. 3. Select Disallow Selected Item(s) in the Choose Action drop-down list. The Script : Edit Detail page appears. 4. Enter the script configuration details, and then click Run Now to run Disallowed Programs Policy. For more detailed information on scripting and Disallowed Programs Policy, Refer to Chapter 8,“Scripting,” starting on page 142.

To apply a label to a process: 1. Select Inventory | Processes. 2. Select the check box beside the process(es) you want to apply a label to. 3. Select the appropriate label to apply from the Choose action drop-down list. To remove a label from a process: 1. Select Inventory | Processes. 2. Select the check box beside the process(es) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list. To categorize a process: 1. Select Inventory | Processes. 2. Select the check box beside the process(es) you want to categorize. 3. Select the appropriate category from the Choose action drop-down list. To set threat level to a process: 1. Select Inventory | Processes. 2. Select the check box beside the process(es). 3. Select the appropriate threat level from the Choose action drop-down list. To meter a process: 1. Select Inventory | Processes. 2. Select the check box beside the process(es). 3. Select Meter Selected Items(s) from the Choose action drop-down list. The process will be added to the list of processes to be monitored in the Metering tab. For more information on Software Metering, Refer to “Processes,” on page 77.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

78

Startup
The KBOX Startup feature allows you to keep track of startup programs on all agent machines across your enterprise. The Startup feature records and reports the startup program detail information. Detail pages provide information on startup programs, including the name of the computer running those startup programs, system description, and the last user. Using Startup feature, you can: View startup program details Delete selected startup programs Apply or remove labels The startup programs are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To view Startup detail information: 1. Select Inventory | Startup. The Startup Programs page appears. 2. Click on the startup program name to view details. The Startup Programs : Edit Startup Programs Detail page appears. 3. Select labels to assign to startup program in the Assign To Label box. 4. Enter any notes that further describe this startup program in the Notes box. 5. Select the category of the startup program in the Category drop-down list. 6. Select the threat level of the startup program in the Threat Level drop-down list. 7. Click Save to save the startup program details. You can read comments on the startup program submitted by other users by clicking [Read Comments]. You can also ask for help from KACE about the startup programs by clicking [Ask For Help.] You need KACE user name and password to log in to the KACE database. You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report. To delete a startup program: 1. To delete startup programs, do one of the following: From the Startup Programs List view, select the check box beside the startup program, then select Delete Selected Item(s) from the Choose action drop-down list. From the Startup Program : Edit Startup Program Detail page, click Delete. 2. Click OK to confirm deleting the selected startup program. To apply a label to a startup program: 1. Select Inventory | Startup. 2. Select the check box beside the startup program(s) you want to apply a label to.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

79

3. Select the appropriate label to apply from the Choose action drop-down list. To remove a label from a startup program: 1. Select Inventory | Startup. 2. Select the check box beside the startup program(s) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list. To categorize a startup program: 1. Select Inventory | Startup. 2. Select the check box beside the startup program(s) you want to categorize. 3. Select the appropriate category from the Choose action drop-down list. To set threat level to a startup program: 1. Select Inventory | Startup. 2. Select the check box beside the startup program(s). 3. Select the appropriate threat level from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

80

Service
The KBOX Service feature allows you to keep track of services running on all agent machines across your enterprise. The Service feature records and reports the services information in detail. Detail pages provide information on services, including the name of the computer running those services, system description, and the last user. Using Services feature, you can: View services details Delete selected services Apply or delete labels The services are categorized in: Audio / Video, Business, Desktop, Development, Driver, Games, Internet, Malware, Security, and System Tool. To view service detail information: 1. Select Inventory | Service. The Services page appears. 2. Click the service name to view details. The Service : Edit Service Detail page appears. 3. Select labels to assign to service in the Assign To Label box. 4. Enter any notes that further describe this service in the Notes box. 5. Select the category of the service in the Category drop-down list. 6. Select the threat level of the service in the Threat Level drop-down list. 7. Click Save to save the service details. You can read comments on the service submitted by other users by clicking [Read Comments]. You can also ask for help from KACE about the service by clicking [Ask For Help.] You need KACE username and password to log in to the KACE database. You can also see computers with running the selected startup program. You can view a printer friendly version of this page and take print outs of the report. To delete a service: 1. To delete services, do one of the following: From the Services List view, select the check box beside the service, then select Delete Selected Item(s) from the Choose action drop-down list. From the Process detail page, click Delete. 2. Click OK to confirm deleting the selected service. To apply a label to a service: 1. Select Inventory | Service. 2. Select the check box beside the service(s) you want to apply a label to. 3. Select the appropriate label to apply from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

81

To remove a label from a service: 1. Select Inventory | Service. 2. Select the check box beside the service(s) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list. To categorize a service: 1. Select Inventory | Service. 2. Select the check box beside the service(s) you want to categorize. 3. Select the appropriate category from the Choose action drop-down list. To set threat level to a service: 1. Select Inventory | Service. 2. Select the check box beside the service(s). 3. Select the appropriate threat level from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

82

Monitoring Out-Of-Reach Computers (MIA)
The KBOX MIA tab, gives you a way to view the computers that have not checked in to the KBOX in some time. You can filter the MIA view by computers that have missed the last first, fifth, or tenth syncs, or which have not communicated with the KBOX in the last 1-90 days. The MIA tab also displays the IP and MAC Addresses of these computers. From the MIA tab you can remove the computers from the KBOX inventory, as well as assign them to labels to group them for management action.

Configuring the MIA Settings
You can configure the MIA Settings to enable the KBOX to automatically delete computers from the inventory after they have not checked in for a specified number of days. This eliminates the need to manually delete the computers from the Computers - MIA page. To configure the MIA settings: 1. Select Inventory | MIA. 2. Select Configure Settings from the Choose action drop-down list. The MIA Settings page appears. 3. Enter the following information: Automatically delete MIA computers Days Select the check box to enable automatic deleting of MIA computers. Enter the period in number of days. Computers that do not communicate with the KBOX for the number of days specified here will be automatically deleted.

4. Click Save. To delete a computer: 1. Select Inventory | MIA. 2. Select the check box beside the computer(s) you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the computer. Else, click Cancel to cancel deletion. To apply a label to a computer: 1. Select Inventory | MIA. 2. Select the check box beside the computer(s) you want to apply a label to. 3. Select the appropriate label to apply from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

83

Labels
In many areas of the KBOX you will see a labels select list, which allows you to constrain the action to a specific label or group of labels. There are several ways to group machines with the KBOX. Once grouped by a label, software, scripts, reports, or software deployments can all be managed on a per label basis. The label functionality can be manually applied from the Inventory | Labels tab, or automatically, via LDAP or Active Directory, (Reporting | LDAP Filters tab), or even applied by machine attribute, as we saw earlier from the Computers | Create Filter functionality. On the Label Management page you can add or delete labels, search labels, and also see the total number of computers that belong to a particular label.

Creating Labels
Labels can be used to organize and categorize software, people, and machines. Labels are intended to be used in a flexible manner and how you use labels is completely customizable. For example, Labels can reflect corporate structures, organizations, processes, or geographical locations like "Engineering", "Staging", "Building A",and so on. Labels can be used to identify deployment groups and target machines for distribution packages. All items that support "labeling" can have none, one, or multiple labels. To create a label: 1. Select Inventory | Labels. 2. Select Add New Item from the Choose action drop-down list. The Labels : Edit Detail page appears. 3. Enter a name for the label in the Label Name field. 4. Enter any relevant notes about the label in the Notes field. 5. If necessary, enter a value for KACE_ALT_LOCATION. This allows you to define what should replace the string in the KACE_ALT_LOCATION in the Alternate Download Location value in Managed Installs and File Synchronizations. Alternate Download Locations allow the KBOX Agent to retrieve digital installation files from remote locations. Specifying a KACE_ALT_LOCATION here will allow you to use this label for specifying the alternate location globally. If you apply this label to any machine and Managed Installation, the KBOX will copy digital assets from the Alternate Download location specified in that label instead of downloading them directly from the KBOX. Note: You should not have a machine in two labels that both specify an alternate location value. 6. Specify the Username and Password for the KACE_ALT_LOCATION. 7. Click Save.

Viewing Computer Details by Label
After you’ve created a label, you can view details about the computers on your network that belong to that label. From the Label Detail view you can see: The IP addresses and machine names of the computers in the label The number of Managed Installations and File Synchronizations deployed to the label The number of network scans and scripts run on the machines in the label The number of alerts, portal packages, and users associated with the label The number of filters and replication shares associated with the label.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

84

To view label details: 1. Select Inventory | Labels. 2. Click the linked name of the label. The Labels: Edit Detail page appears. 3. Click the + sign beside the section headers to expand or collapse the view.

Deleting labels
You can delete labels using two ways: from the Label List view, or from the Label: Edit Detail page. To delete a label: 1. To delete labels, do one of the following: From the Labels List view, select the check box beside the label, then select Delete Selected Item(s) from the Choose action drop-down list. From the Labels: Edit detail page, click Delete. 2. Click OK to confirm deleting the selected label. You cannot delete a label if it is associated with an item. For Example, a label associated with a Script or a Managed Installation.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

85

C H A P T E R 4 Asset Management
The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way.
“Overview of Asset Management,” on page 87 “Managing Asset Types,” on page 87 “Managing Assets,” on page 91 “Licensing,” on page 93 “Importing Asset,” on page 95

86

Overview of Asset Management
The Asset Management feature enables you to identify asset types, objects, and relationships between asset types and objects. You track existing assets, licensing and cost information and generate reports to match your environments needs. While looking at asset management it is important to understand that two types of assets are managed under the KBOX: Organizational assets (like Department, Location or Cost Center) Physical assets (like Computers, Users, Phones or Projectors) Organizational assets are used as a way to collect similar sets of physical assets. Before you begin to use assets, you should establish the asset types that will make sense for you, both in terms of the organization elements you want to use as well as the physical asset types you are hoping to track. You can view the list of available assets from the Asset | Assets tab. With the Assets tab you can: Add or delete assets Configure Asset types Add or delete software licenses Import data

Managing Asset Types
There are several built-in Asset Types: Computer Cost Center Department Location License Software Vendor These built-in assets cannot be deleted. If you delete a custom asset type, then all the assets using that asset type will be deleted.

You can add an unlimited number of asset types. Asset types can have any number of attributes, for example, ‘Name’. The ‘Name’ attribute has to be unique and cannot be the same as the built-in asset name. Asset types can be organized into logical groups or hierarchies to allow for roll up reporting.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

87

Assets can point to other Assets and to Inventory records like Machine, User, and Software. Relationships can be either one - to - one or one - to - many. Asset fields have a default value that should be used when filling in a new asset. Changing the default value in the asset type does not change any existing records, but only affects newly created records.

Asset Association
You can create an assets field and associate it to another asset using the field type. Associations are defined in Asset Types, and are used in assets. Assets associations are of following types: User Parent Asset Computer Asset Cost Center Asset Department Asset License Asset Location Asset Software Asset Vendor

Computer Asset
When a machine checks into the KBOX, an Asset with the type as Computer is automatically created. The Computer Asset is mapped to a machine automatically using the following two fields: mapped inventory field mapped asset field The mapped inventory field enables you to select a field that is checked against the inventory to verify if the machine that has just checked in is already an asset. For example: if the machine inventory field = IP address Matching asset field = Name and a machine with an IP address shows up, the IP is checked against IP of existing assets (machines). If the same IP is not assigned to any other asset, then a new asset with Name = IP address is created. If the mapped inventory field is by IP and the matching asset field is different, perhaps an asset field called IP, then an asset is created with the Name as system name, and the IP as IP. The matching asset field has to be of type text.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

88

To add a new Asset Type: 1. Select Asset | Asset Types. The Asset Types page appears. 2. Select Add New Item from the Choose action drop-down list. The Asset Type Detail page appears. 3. Enter a name for the Asset Type in the Name field. You can not create a new asset type with the same name as a built-in asset type name.

4. You can add associations by adding an asset field. To add asset fields, click the Asset Fields table. 5. Enter following details depending on the selected Asset Type: Field Name Value

button in the

Enter a relevant name for the custom asset field, such as Asset Code, Purchase Date, or Building Address Line 1. This name appears on the data entry page for the asset. This field gets enabled when you Single Select or Multiple Select from the Field Type list. Enter the values for this custom asset. You must type at least one value in this field. Note: These values should be entered as comma-separated strings. Enter the default value for this field. If you choose Single Select or Multiple Select from the Field Type list, you must enter one of the values given in the Select Values field. Select the check box to make the custom asset field a mandatory field. If you select the check box, you need to enter a value for this custom asset field before saving the Asset Type Detail page.

Select Values

Default

Required

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

89

Field Type

Select the appropriate field type. Single Select (single value length 255K, list length 65k). Multiple Select (single value length 255K, list length 65k) Text field (length 255K) Attachment (This field allows you to attach a file to the asset.) Note: You can create multiple fields of attachment entered per Asset Type. Notes (length 65K) Date ('1000-01-01' to '9999-12-31') Label - This field type allows you to assign a label to this asset. Number (-9223372036854775808 to 9223372036854775807) Parent - This field type allows this asset to point to the same type of asset in a parent-child relationship. For example, you can allow Location Asset type to have a Parent connection. Thus, allowing 'New York' Location Asset type to point to a 'North America' Location Asset Type. This can then be used in the reporting system to show all Assets in North America. This report contains all the assets in New York and in North America. User - This field type allows you to associate an asset record with one of the User records from the Inventory system. Asset ASSET_TYPE - This field type is similar to the single select field type and the multiple select field type, but you cannot specify the values for this custom field type. The values are retrieved from the current list of Assets in the system.

Allow Multiple

This check box is enabled when you select Asset ASSET_TYPE from the Field Type list. Select this check box to allow this custom field to point to multiple records. For example, the License Asset type can point to many computers that are approved for a particular License. A single relationship might have a printer pointing to a single Department record, indicating that this printer is used by only one department.

When you rename a custom asset field, the values for that field are retained. However, when you remove the custom asset field, values for that custom field are removed from all assets. When you change the Field Type of a custom asset field, the system tries to retain the previous values, but you may also lose some data. If you click Delete for a Custom Asset Type, the Asset Type definition and the assets of this type are removed from the system. For example, if an Asset Type1 is a custom field for another Asset Type2, remove this association first before attempting to delete the Asset Type1. 6. Click Save next to the Allow Multiple column to save the entries in the Asset Fields table. 7. Click Save located at the end of the screen to save the Asset Type you added.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

90

Managing Assets
You can add a new asset, delete an existing asset, or view assets by using the Asset | Assets tab. You can not delete parent asset if that parent asset has child assets associated with it. Assets can be viewed by asset type or by the associations. You can view the related assets that are not part of any particular asset and can duplicate any existing asset. Changes done to the asset are recorded as part History. Asset History is displayed on the Asset Detail page. To add an asset: 1. Select Asset | Assets. The Assets page appears. 2. Select the asset type you want to add from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the name of the selected asset type in the Name field, and then click Save. All the asset types have a standard field as Name. If you are adding asset of computer type, then you need to enter the following information: a. Select the machine from the Machine list, and then enter the filter criteria in the Filter box. Machine is a default field that comes with the asset type. b. Enter the date of asset creation in the Date Created box. c. Enter additional information on the asset in the notes box. d. Enter the asset id in the id box. Date created, notes, and id are the asset fields created for asset of computer type.

4. If you want to add another asset, then click Save and New. Otherwise, click Save to save the asset. To view assets: 1. Select Asset | Assets. The Assets page appears. 2. To view assets by asset types or association, select the asset type or association from the View by asset type drop-down list. A list of filtered assets appears. The Assets page also shows the associated assets.

3. Select the asset title to see detailed information of that asset. The Asset Detail page appears. 4. If you want to duplicate the details of this asset, click Duplicate, and then click Save. 5. After editing the asset information, click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

91

6. In the Related Assets table, you can view the related assets that are not parent of this asset. Click the asset name to view asset details of this related asset. For example, if computer A's Location is associated to computer X, then computer A will be listed as a related asset on computer X's page, but on computer A's page, you will not see computer X. This is because child assets are shown on the related assets list. If the asset you are viewing is associated to a software or machine, then click on the asset name to view the Inventory page.

7. In the History table, you can view changes done to the asset. To add a software asset: 1. Select Asset | Assets. The Assets page appears. 2. Select the Software asset type from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the name of the selected asset type in the Name field. 4. Select the software you want to add, from the Software drop-down list and then enter the filter criteria in the Filter box. At any point of time, only the first 20 entries for a particular filter will be shown in the Software dropdown list. Using the software field, existing Software can be associated with the created Software Asset. 5. Select the software label you want to apply, from the Software Label drop-down list, and then enter the filter criteria in the Filter box. 6. If you want to add another asset, then click Save and New. Otherwise, click Save to save the asset.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

92

Licensing
You can create, edit, and delete licensed assets with the KBOX. You can assign licenses to software and computers, specify or view the number of licenses available, and keep track of the expiry date for each license. When you assign a license to a software, the license is linked with the software. You can view this license information in the software details page, the metering page, and the software library admin and user pages. You can also navigate to the license asset detail page by clicking on the license link in the software detail page, the metering page, and the software library admin and user pages. Before you create a licensed asset for any software, make sure that you have the software asset. You have to first create the software asset and then create a license asset for that particular software asset. For more information on how to create a software asset, Refer to “Creating Software Asset,” on page 71. To add new license: 1. Select Asset | Assets. The Assets page appears. 2. Select License from the Choose action drop-down list. The Asset Detail page appears. 3. Enter the following information: Name Seats Licensed Applies to Software Approved for Computer License Mode Product Key Unit Cost Expiration Date Vendor Filter Purchase Order # Purchase Date Notes License Text Custom Field #1 Custom Field #2 Custom Field #3 Custom Field #4 Custom Field #5 Custom Field #6 Enter the name for this license. Enter the number of licenses available. Select the software to which you want to assign this license. Select the computer to which you want to assign this license. Select the appropriate license mode. Enter the license key for the product. Enter the cost of each license. Enter the expiration date for this license. Select the vendor name for this license. Enter the filter criteria for the Vendor list. Enter the purchase order number for this license. Enter the date when you purchased this license. Enter notes about this license. Enter license text, such as the end-user license agreement. Enter information in the custom fields if necessary.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

93

4. Click Save to the license asset. To save and add another license asset, click Save and New.

Monitoring licenses of a Software family
This feature enables you to use a single software asset to monitor licenses of software belonging to the same family. You buy a software, say for example, ActivePerl with 100 seats licensed. This software has many versions, but they all belong to same software family, ActivePerl. Each version of the ActivePerl will have an individual record in Software | Inventory. To create a software asset: 1. Select Inventory | Software, then click the Create Filter tab. The Filter criteria fields appear. 2. Specify the search criteria as ActivePerl. 3. Create a label named “ActivePerl”. For more details, Refer to Chapter 3,“Labels,” starting on page 84. 4. Choose the ActivePerl label you have created to associate with this filter. 5. To test the filter produces for obtaining the desired results, click Test Filter. 6. Click Create Filter to create the filter. All software meeting this filter criteria are now labeled “ActivePerl”. 7. Create a software asset. For more details on creating a software asset, Refer to “Managing Assets,” on page 91 8. Assign the software label “ActivePerl” to this newly created software asset. Now for all new versions, enter a license record with appropriate details and relate it to above created software asset. Thus, you can monitor the number of licenses/software/installed counts for ActivePerl by selecting Assets | Assets or Reporting | Summary.

Generating Reports
You can run various reports to display information about the licenses assigned to software and computers. Description of these reports is provided below. Category Compliance Report Software Compliance Simple Description Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes.

Compliance Compliance

Software License Compliance Complete Lists software and computers that are impacted by each license record. Unapproved Software Installation Lists software found on computers that do not have approved licenses.

Table 4-1: License Reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

94

Importing Asset
The Asset Import feature allows you to import assets data from the CSV file into the desired asset type. To import assets data: 1. Select Asset | Asset Import. The Kace Asset Import Wizard - Upload File page appears. 2. In the Select file box, specify the CSV file path or click Browse to select the CSV file. 3. Select Is header name in the file check box if the CSV file contains a header. 4. Click Next. The Kace Asset Import Wizard - Asset Type Selection page appears. 5. Select the asset type from the Asset Type drop-down list, to which data needs to be imported from the CSV file. 6. Click Next. The Kace Asset Import Wizard - Mapping page appears. This page displays mapping of the CSV fields against fields of selected Asset Type. 7. Under Standard Fields, perform the following steps: a. Choose the required CSV field from the CSV Fields drop-down list to match the corresponding standard field for the Asset Type. b. Select the PK check box to choose this field as the primary key. Mapping of Standard fields is mandatory.

8. Under Asset Fields, perform the following steps: a. Choose the required CSV field from the CSV Fields drop-down list box to match the corresponding Asset field. b. Select the PK check box to choose this field as the primary key. You can select one or more fields as the composite primary key. If none of the Asset Type records, match with the value of the CSV field chosen as primary key, then record will be inserted. If only one Asset Type record, match with value of the CSV field is chosen as primary key then the record will be updated. If more than one Asset Type record, match with value of the CSV field chosen as primary key then the record will be flagged as duplicate. 9. Click Re-Upload File, if you want to upload the file again. Follow the procedure from step 2 above. 10. Click Preview. It will take you to the confirmation page. 11. Click Import Data. The Kace Asset Import Wizard - Result page appears. 12. To import more assets data, click More Import. Otherwise, click Done.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

95

C H A P T E R 5 IP Scan
IP scan is a technology offered with the KBOX that allows you to scan a range of IP addresses to detect the existence and attributes of various devices on a network.
“IP Scan Overview,” on page 97 “Viewing Scheduled Scans list,” on page 97 “Creating an IP Scan,” on page 98

96

IP Scan Overview
The KBOX can scan a range of IP addresses for SNMP enabled machines, allowing you to retrieve information about machines connected to your network. Although IP Scans have their own server-side scheduling, you can invoke a scan on-demand, or schedule an IP scan to run at a specific time. IP scan reports a variety of inventory data that lets you monitor the availability and service level of a target machine. As IP scan, scans ports in addition to IP addresses, you can collect data even without knowing the IP addresses of the target machines. It can scan any type of device (as long as the device has an IP address on the network) including computers, printers, network devices, servers, wireless access points, routers, and switches. You can create and view IP scans from the Inventory | IP Scan tab. From the Network Scan Settings page you can: Add New Item Delete Selected Item(s) View Scan Inventory Scan Selected Items Now Select View Scan Inventory from the Choose action drop-down list. The Network Scan Results page appears. From the Network Scan Results page you can: Exclude Unreachable Items or Include Unreachable Items View scan schedules Schedule new scan Delete selected items Apply label or delete label Create a remote connection to the machine (This can be done only if configured under Machine Action.)

Viewing Scheduled Scans list
By default, the IP Scan tab displays the results of configured Network Scans that have been run. You can modify this view to show the scans that are scheduled to occur in the future. To view scheduled scans: Select Inventory | IP Scan. The Network Scan Settings page opens, which displays the Network Scan Schedules.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

97

Creating an IP Scan
You can create a network scan that will look for DNS, Socket, and SNMP across a subnet or subnets. You also define a network scan to look for devices listening on a particular port (for example, Port 80). This allows you to view devices that are connected to your network even when the KBOX Agent is not installed on those devices. When defining a network scan, it’s important to balance scope of the scan (number of IP addresses you are scanning) with the depth of the probe (number of attributes you are scanning for) so that you do not overwhelm your network or the KBOX 1000 Series appliance itself. For example, if you needed to scan a large number of IP addresses frequently, you should keep the number of ports, TCP/IP connections, and so on, relatively small. As a general rule, KACE recommends scanning a particular subnet no more than once every few hours. The KBOX Agent listens to port 52230. To determine which machines on your network are running the KBOX Agent, define a network scan to report which machines are listening on that port. To create an IP scan: 1. Select Inventory | IP Scan. The Network Scan Settings page appears. 2. Select Add New Item in the Choose action drop-down list. The Network Scan Setting page appears. 3. Enter a name for the scan in the Network Friendly Scan Name field. 4. Enter the IP range to scan in the Network Scan IP Range field. 5. Specify the DNS lookup test details: DNS Lookup Enabled Select to check live addresses against the DNS server to see if they have a name associated with them. This can help you identify known nodes on your network. Enter the time out interval (in seconds).

Name Server for lookup Enter hostname or IP address. Lookup time out

6. Select the Ping Test Enabled check box. The Ping test must be enabled in order to run other tests. The Ping or Socket tests determine if the address is alive. If it is, then a SNMP or a Port Scan can be run against it. If the Ping and Socket tests are disabled, then the other tests will not be run. 7. Specify the Connection test details: Connection Test Enabled Select the check box to perform connection testing during Network scan. Connection Test Protocol Enter the protocol to use. Connection Test Port Connection Time Out 8. Specify SNMP test details: SNMP Enabled SNMP Public String Select the check box to enable SNMP scanning. Enter Public string. Enter the port to use for testing the connection. Enter the time out interval (in seconds).

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

98

9. Specify Port scan test details: Device Port Scan Enabled TCP Port List UDP Port List Port Scan Time Out 10. Specify scan schedule: Don’t Run on a Schedule Run Every n minutes/hours Run Every day/specific day at HH:MM AM/PM Run on the nth of every month/ specific month at HH:MM AM/PM Select to run the tests in combination with an event rather than on a specific date or at a specific time. Select to run the tests at the specified time. Select to run the tests on specified day at the specified time. Select to run the tests on the specified time on the 1st, 2nd, or any other date of every month or only the selected month. Select the check box to enable port scanning of device ports. Displays a comma-separated list of TCP ports to scan. Displays a comma-separated list of UDP ports to scan. Enter the time out interval (in seconds).

11. Click Save or Scan Now to run scan immediately. Deleting a Scan Configuration will also delete all associated scan inventory items. So if you wish to maintain the scan inventory but do not want to "rescan" then you can just set the schedule of the scan configuration to not run. To search Network Scan Results on the basis of status fields: 1. Click Inventory | IP Scan. The Network Scan Settings page appears. 2. Select View Scan Inventory from the Choose action drop-down list. The Network Scan Results page appears. 3. Click the Advanced Search tab. 4. Select an attribute from the drop-down list. For example, Ping Status. 5. Select the condition from the drop-down list. For example, =. 6. Specify the Attribute Value. For example, 1. In the above example, machines that show successful Ping Status will be searched. 7. Click Search. The search results will be displayed below.

Clicking the IP address of a network device display the values for Ping Status, Connection Status, and SNMP Status as "Succeeded" or "Failed". However, the underlying database fields actually contain a 0 for Failed and 1 for Succeeded. Therefore when using these fields as criteria for advanced search, filters, or notifications, you must use the numeric values.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

99

Scan Filters
The Network Scan Filter searches for all devices that are detected in the Network Scan, including DNS, Socket, and SNMP across a subnet or subnets. Filtering enables you to dynamically apply a label based on a search criteria. To filter the Network Scan Results: 1. Select Inventory | IP Scan. The Network Scan Result page appears. 2. Click the Create Filter tab. The Filter criteria fields appear. 3. Specify the search criteria. 4. Choose the label to associate with the filter. 5. To see whether the filter produces the desired results, click Test Filter. 6. Click Create Filter to create the filter. Now, whenever devices that meet the specified filter criteria are detected in the network scan, they will automatically be assigned to the associated label. You can modify or delete a filter after it has been created, from the Reporting | Scan Filters tab. This feature assumes that you have already created labels to associate with a filter. Deleting a filter does not delete the label.

You can specify the order in which scan filters will run by editing the Order value for scan filters. To edit the order value: 1. Select Reporting | Scan Filters. The Scan Filters page appears. 2. Select Order Items in the Choose action drop-down list. The Order Scan Filters page appears. 3. Click the icon beside an order value to modify it.

4. Enter the appropriate order value and click Save. Scan filters with lower Order values are run before Scan filters with higher Order values. When a new scan filter is created, it has an Order value of 100.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

100

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

101

C H A P T E R 6 Distribution
The KBOX Distribution feature provides various methods for deploying software, updates, and files to computers on your network.
“Distribution feature Overview,” on page 103 “Types of Distribution Packages,” on page 104 “Managed Installations,” on page 106 “Examples of Common Deployments on Windows,” on page 110 “Examples of Common Deployments on Linux,” on page 115 “Examples of Common Deployments on Solaris™,” on page 120 “Examples of Common Deployments on Macintosh®,” on page 124 “File Synchronizations,” on page 124 “Replication,” on page 127 “iPhone,” on page 131

102

Distribution feature Overview
KACE recommends that customers follow a predefined set of procedures before deploying any software on their network. The following illustration represents a high-level example of a generic distribution process. This process can be modified to meet the needs of your organization. However, to avoid distribution problems, it is important to test various deployment scenarios prior to deployment.

Inventory & Assess

Test

Target

Deploy

Report

Figure 6-1: Basic Deployment procedure One of the most important concepts in the deployment procedure is to test each deployment before rolling it out to a large number of users. The KBOX verifies that a package is designated for a particular system, machine, or operating system. However, it cannot assess the likelihood that a particular package behaves well with existing applications on the target machine. Therefore, we strongly suggest that you establish procedures for testing each piece of software before deploying it on your network. One of the ways to do this is to develop a test group of target machines and deploy the required software using the KBOX. This helps you to verify the compatibility of the software with the operating system and other applications within your test group. You can create a test label and perform a test distribution before you go live in your environment. You can create a test label from the Inventory | Labels tab. For more information about creating labels, see “Labels,” on page 84. This chapter focuses primarily on the Test, Target, Deploy portions of this flow diagram. For more details on creating an inventory of computers and software packages in use on your network, see Chapter 3,“Inventory,” starting on page 54.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

103

Types of Distribution Packages
There are three primary types of distribution packages that can be deployed on the computers in your network: Managed installations File synchronizations KBOX Agent Distribution packages (whether for managed installation, file synchronization or user portal packages) CANNOT be created until a digital file is associated with an Inventory Item. This rule applies even if you are: Sending a command, rather than an installation or a digital file, to target machines. Redirecting the KBOX Agent to retrieve the digital asset (for example, .exe, .msi) from an alternate download location. To create a distribution: 1. Install the package manually on a machine. 2. Take an inventory of that machine. For more information on how to take an inventory, see “Software Inventory,” on page 66. 3. Use the item listed in the Software Inventory list for the Managed Installation. If you need to create packages with different settings, such as parameters, labels, or deployment definitions, you can create multiple distribution packages for a single Inventory item. However, the Managed Installation (MI) cannot be verified against more than one inventory item because the MI checks for the existence of one and only one inventory item. Although the KBOX Agent tab is listed under the Distribution tab, “Deploying the KBOX Agent” is discussed as part of the installation and setup process in Chapter 1,“Getting Started,” starting on page 1. For information about updating an existing version of KBOX Agent, please see Chapter 2,“KBOX Agent Update,” starting on page 47.

Distributing Packages through the KBOX
Packages distributed through the KBOX are only deployed to target desktops if the Inventory Item is designated to run on the target operating system. For example, if the Inventory Item is defined for Windows XP Professional only, the Inventory Item does not deploy on Windows 2000. Also the package does not deploy if it is designated for a target label for which the target machine is not a member. For example, if the Deployment Package is set to deploy to a Label called ‘Office A’, it does not deploy to machines that are not in ‘Office A’. When the KBOX creates a software inventory item, it only records the operating systems on which the item was installed, in the Inventory detail record. A Managed Installation must be enabled by selecting a managed action and a deployment window. The KBOX may attempt to deploy a package repeatedly even though it is already there, if the display name of the Software Inventory Item does not exactly match the name that the software registers in Add/ Remove programs.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

104

To ensure that the Inventory Item display name exactly matches, it is recommended to first install the desired package on a target machine and then take an automatic inventory of that machine using the KBOX. The newly installed package appears in the inventory list. You can then associate a digital file and create one or more deployment packages.

Distributing Packages through an Alternate Location
The KBOX supports software distribution from alternate locations. The KBOX Agent can retrieve digital installation files from remote locations, as opposed to the KBOX, including a UNC address, a DFS source, or an HTTP location. The CIFS and SMB protocols, SAMBA servers, and file server appliances are supported by the KBOX. The alternate download feature is used to address many administrative issues, including remote sites with restricted bandwidth, which might result in difficulties accessing the KBOX. You can also use alternate download locations, if you don't want to store large packages on the KBOX. An alternate download location can be any path on the network. Ensure that the alternate location has files that are required for installing the respective application. In order to activate this capability, you must enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). You may use any tool to establish your checksum. For creating your MD5 hash, you can use the KBOX Admin Utilities tool, which is available on the KBOX Agent CD. There are other utilities that work equally well. To create the MD5 Checksum by using the client software. use: KBOXClient -hash=FILENAME This displays the MD5 hash for the supplied file. If no checksum is entered, then the digital asset on the file share must exactly match the digital asset associated with the Deployment Package on the KBOX 1000 appliance. Also, the target path must include the complete filename (for example, \\fileserver_one\software\adobe.exe). When the KBOX is fetching files, the priority for fetching files is as follows: 1. Alternate download location 2. Replication point 3. KBOX If a replication point is specified in the label, the replication share is always be used instead of an alternate download location. If there is no replication point, the KBOX Agent fails over to the KBOX.

Difference between Replication Share and Alternate Download Location
The difference between a replication share and an alternate download location is that: Replication share is a full replication of all digital assets and is managed automatically by the KBOX. Alternate download location can be any path on the network and you have to make sure that the alternate location has those files that might be needed for a particular application installs.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

105

Whenever a replication share is specified for a label, machines in that label go to that replication share to get files, as long as it is a member of only one label with a replication share. If a replication share is specified, that is always be used instead of any other alternate location. The agent always fails over to the KBOX in following scenarios: There is no replication share specified for any label it is a member of There are more than one possible replication shares identified For more information on replication share, Refer to “Replication,” on page 127.

Managed Installations
Managed Installations enable you to deploy software to the computers on your network that require an installation file to run. You can create a Managed Installation package from the Distribution | Managed Installation page. From the Managed Installations tab you can: Create or delete Managed Installations Execute or disable Managed Installations Specify a Managed Action Apply or remove a label Search Managed Installations by keyword

Installation Parameters
The KBOX allows packaged definitions to contain .MSI, .EXE, .ZIP and other file types for software deployment. A simple litmus test of the KBOX ability to install a package is "Can this file be installed by an administrator on a local machine either by running a single file or BAT file or VBScript?" If so, the package can be installed remotely by the KBOX. In order to simplify the distribution and installation process, the package definition can also contain parameters that are passed to the installer at run time on the local machine. Parameters can be used to support custom installation settings. For example, the parameter may instruct the KBOXClient to install a program with specific install options configured. For example, standard install, bypass auto-restart, and so on. You can identify which parameters are supported by your .MSI or other any installer by following the steps given below: Note: If these steps do not work, you may need to research the parameter options - if any - with the vendor of the software. 1. Open MS-DOS command prompt. 2. Locate the directory containing the target installer (e.g., c:\...\adobe.exe) 3. Type: filename /? (For example, adobe.exe /?) 4. If parameters are supported for the package, they often appear on-screen (For example, /quiet, / norestart) 5. Use the parameter definitions identified to update your package definition.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

106

Creating a Managed Installation for Windows Platform
When creating a Managed Installation, you can specify whether you want to interact with the users using a custom message before or after the installation. You can also indicate whether the package should be deployed when the user is logged in or not, and limit deployment to a specific label. The following section provides general steps for creating a managed installation. For specific details on creating a managed installation for an .MSI, .EXE, or .ZIP file, please Refer to the subsequent sections. To create a managed installation for Windows platform: 1. Click Distribution | Managed Installations. 2. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 3. Select the software from the Select software drop-down list. You can filter the list by entering any filter options. You can create a Managed Installation, only if it has an associated software.

4. Enter the following information: Also show software without an Associated File Select the check box to display any software without an associated executable uploaded. You can upload a file to the software record directly from this Managed Installation page. Upload & Associate New File: Click Browse and navigate to the location that contains the new executable of any software selected or to associate an executable to a software without an associated file. Select Default option or Configure Manually option. Default Run Parameters: Specify the installation behavior as follows: The maximum field length is 256 characters. If your path exceeds this limit, on the command line, point to a BAT file that contains the path and the command. If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), enclose the complete path in quotes (for example, “\\kace_share\demo files\share these files\setup.bat”. Configure Manually Full Command Line: If desired, specify full command-line parameters. Please Refer to the MSI Command Line documentation for available runtime options. Un-Install using Full Command Line: Select the check box to uninstall software. Run Command Only: Select the check box to run the command line only. Delete Downloaded Files Select the check box to delete the package files after installation.

Installation Command

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

107

Use Alternate Download

Select the check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location: Enter the location where the KBOX Agent can retrieve digital installation files. Alternate Checksum: Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User: Enter a user name that has the necessary privileges to access the alternate download location. Alternate Download Password: Enter the password for the user name. Note: If the target machine is part of a replication label, then the KBOX does not fetch software from the alternate download location. For more information on using an alternate location, Refer to “Distributing Packages through an Alternate Location,” on page 105. Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label cannot be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, Refer to Chapter 3,“Labels,” starting on page 84.

Notes Managed Actions

Enter additional information in this field, if any. Managed Action allows you to select the most appropriate time for this package to be deployed. Available options are: Disabled Execute anytime (next available) Execute before logon (before machine boot) Execute after logon (before desktop loads) Execute while user logged on Execute while user is logged off

5. Specify the deployment details: Deploy to All Machines Limit Deployment To Selected Labels Select the check box if you want to deploy the software to all machines. Select a label to limit deployment only to machines belonging to the selected label. Press CTRL to select multiple labels. If you have selected a label that has a replication share or an alternate download location, then the KBOX copies digital assets from that replication share or alternate download location instead of downloading them directly from the KBOX. Note: The KBOX always uses a replication share in preference over an alternate location. You can limit deployment to one or more machines. Select the machines from the drop-down list to add to the list. You can filter the list by entering filter options.

Limit Deployment To Listed Machines

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

108

Deploy Order Max Attempts

Select the order in which software should be installed. The lower deploy order deploys first. Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the installation forever. Specify the time (using a 24 hr. clock) to deploy the package. The Deployment Window times affects any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

Deployment Window (24H clock)

6. Set user interaction details: Allow Snooze Select the check box to allow snooze. When you select the check box, the following additional fields appear: Snooze Message: Enter a snooze message. Snooze Timeout: Enter the timeout, in minutes, for which the message is displayed. Snooze Timeout Action: Select a timeout action that take places at the end of the timeout period. For example, if the installation is being carried out when there currently no active users accessing their desktop. You can select Install now to install the software without any hindrance to the users or select Install later if the installer needs some user interaction. Custom Pre-Install Message Select the check box to display a message to users prior to installation. When you select the check box, the following additional fields appear: Pre-Install User Message: Enter a pre-install message. Pre-Install Message Timeout: Enter a timeout, in minutes, for which the message is displayed. Pre-Install Timeout Action: Select a timeout action from the dropdown list, this action takes place at the end of the timeout period. Options include Install later or Install now. For example, if the installation is being carried out when there currently no active users accessing their desktop. You can select Install now to install the software without any hindrance to the users or select Install later if the installer needs some user interaction. Custom Post-Install Message Select the check box to display a message to users after the installation is complete. When you select the check box, the following additional fields appear: Post-Install User Message: Enter a post install message. Post-Install Message Timeout: Enter a timeout, in minutes, for which the message is displayed. 7. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

109

Examples of Common Deployments on Windows
Three of the most common package deployments contain .msi, .exe, and .zip files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to the KBOX prior to creating the Managed Installation package. We recommend that you install the software on a QA machine, wait till the KBOX Agent connects to the KBOX 1000 series appliance and creates an inventory item for the software, and then create the Managed Installation package.

Standard MSI Example
Using .MSI files is an easy, self-contained way to deploy software on Windows-based machines. If you have a .MSI that requires no special transformation or customization, the deployment is simple. MSI files require a /i switch when using other switches with an install. The KBOX parameter line does not require the file name or msiexec syntax. The only required inputs are the /* inputs: /qn /I (Correct) msiexec /I /qn (Incorrect)

If you are using parameters with .MSI files, it is important that all your target machines have the same version of Windows Installer available from Microsoft, as some switches may not be active on older versions. The most up to date version of Windows Installer can be distributed to clients via the KBOX. If you are using Windows Installer 3.0 or later, you can identify the supported parameters by going to start/run/ and then type msiexec. You should see a pop up which includes the supported parameters list. To create a managed installation for a .MSI file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail page appears. 3. Select the software from the Select software drop-down list. You can filter the list by entering any filter options. You can create a Managed Installation, only if it has an associated software.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

110

4. Set the following installation details: Also show software without an Associated File Select the check box to display any software without an associated executable uploaded. You can upload a file to the software record directly from this Managed Installation page. Upload & Associate New File: Click Browse and navigate to the location that contains the new executable of any software selected or to associate an executable to a software without an associated file. Select Default option or Configure Manually option. Default Run Parameters: Specify the installation behavior as follows: The maximum field length is 256 characters. If your path exceeds this limit, on the command line, point to a BAT file that contains the path and the command. If your Parameters file path includes spaces (for example, \\kace_share\demo files\share these files\setup.bat), enclose the complete path in quotes (for example, “\\kace_share\demo files\share these files\setup.bat”. Configure Manually Full Command Line: If desired, specify full commandline parameters. Please Refer to the MSI Command Line documentation for available runtime options. Un-Install using Full Command Line: Select the check box to uninstall software. Run Command Only: Select the check box to run the command line only. Delete Downloaded Files Select this check box to delete the package files after installation.

Installation Command

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

111

User Alternate Download

Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location - Enter the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum - Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User - Enter a user name that has necessary privileges to access the Alternate Download Location. Alternate Download Password - Enter the password for the user name specified above. Note: If the target machine is part of a replication label, then the KBOX does not fetch software from the alternate download location. For more information on using an alternate location, Refer to “Distributing Packages through an Alternate Location,” on page 105 Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label cannot be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, Refer to Chapter 3,“Labels,” starting on page 84.

Notes Managed Actions

Enter any additional information in this field, if any. Managed Actions allows you to select the most appropriate time for this package to be deployed. Available options are: Disabled Execute anytime (next available) Execute before logon (before machine boot) Execute after logon (before desktop loads) Execute while user logged on Execute while user logged off

5. Specify the deployment details: Deploy to All Machines Limit Deployment To Selected Labels Select the check box if you want to deploy the software to all the Machines. Select a label to limit deployment only to machines belonging to the selected label. Press CTRL and click labels to select multiple labels. If you have selected a label that has a replication share or an alternate download location, then the KBOX copies digital assets from that replication share or alternate download location instead of downloading them directly from the KBOX. Note: The KBOX always uses a replication share in preference to an alternate location.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

112

Limit Deployment To Listed Machines Deploy Order Max Attempts

You can limit deployment to one or more machines. Select the machines from the drop-down list to add to the list. You can filter the list by entering filter options. Select the order in which software should be installed. The lower deploy order deploys first. Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the installation forever. Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

Deployment Window(24H clock)

6. Set user interaction details: Allow Snooze Select this check box to allow snooze. When you select this check box, the following additional fields appear: Snooze Message: Enter a snooze message. Snooze Timeout: Specify a timeout, in minutes, for which the message is displayed. Snooze Timeout Action: Select a timeout action that takes place at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops. Custom Pre-Install Message Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message: Enter a pre-install message. Pre-Install Message Timeout: Enter a timeout in minutes for which the message is displayed. Pre-Install Timeout Action: Select a timeout action that take places at the end of the timeout period. For example, you might select Install now because you are installing at a time when you know that the users are away from their desktops. You might select Install later because the installer needs some user interaction and it would not work if the users were not at their desktops. Custom Post-Install Message Select the check box to display a message to users after the installation is complete. When you select the check box, the following additional fields appear: Post-Install User Message: Enter a post install message. Post-Install Message Timeout: Enter a timeout, in minutes, for which the message is displayed. 7. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

113

Standard EXE Example
The standard EXE example is identical to the MSI example above with one exception: /I is not required in the “run parameters” line when using a .exe. When using an EXE it is often helpful to identify switch parameters for a quiet or silent installation. To do this, specify /? in the run parameters field.

Standard ZIP Example
Deploying software using a .zip file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, setup.exe plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a .zip file, and upload them to the KBOX for deployment. The KBOX Agent automatically runs deployment packages with .MSI and .EXE extensions. However, the KBOX also provides a capability for administrators to Zip many files together and direct the KBOX to unpack the Zip and run a specific file within. If you intend to deploy a .ZIP file, you must place the name of the file within the .zip that you would like to run in the Command (Executable) field within the Deployment Package (for example, runthis.exe). To create a managed installation for a .zip file: 1. Browse to the location that contains the necessary installation files. 2. Select all files, and create a .zip file using WinZip or other utility. 3. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX appliance. 4. Associate the .zip file with the inventory item and upload it to the KBOX. 5. Select Distribution | Managed Installation. The Managed Installations page appears. 6. Select Add New Item in the Choose action drop-down list. The Managed Software Installation : Edit Detail page appears. 7. Select the software title with which the .zip file is associated from the Select software drop-down list. 8. In the Full Command Line field, please specify the complete command with arguments. For example, setup.exe /qn 9. Enter other package details as described in the Creating a Managed Installation procedures. 10. Click Save. When attempting to deploy a ZIP file created using WinZip maximum compression, the package may fail to uncompress and you may see an error in the application event viewer or kbxlog.txt with the message: Unsupported compression mode 9 The KBOX Agent uses a library called SharpZipLib to uncompress zip files.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

114

This library supports Zip files using both stored and deflate compression methods and also supports old (PKZIP 2.0) style encryption, tar with GNU long filename extensions, gzip, zlib and raw deflate, as well as BZip2. However, Zip64 and deflate64 are not yet supported. Compression mode 9 is deflate64, which in WinZip is called "maximum compression". To resolve the issue, recreate the zip file using WinZip "Normal Compression".

Examples of Common Deployments on Linux
The supported package deployments are .rpm, .zip, .bin, .tgz, and tar.gz files. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to the KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package.

Standard RPM Example
You can deploy software on Linux-based machines using .rpm files. To create a managed installation for a .rpm file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail page appears. 3. Select the software from the Select software drop-down list. You can filter the list by entering any filter options. 4. By default the KBOX Agent attempts to install the .rpm file via the following command. In general, this should be sufficient to install a new package or update an existing one to a new version: rpm -U packagename.rpm 5. If you have selected a zip/tgz/tar.gz file, then the content is unpacked and the root directory searched for all .rpm files. The installation command is run against each of these files. The KBOX finds all rpm files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. The KBOX runs that command if it is found and logs an error if is not. If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files are extracted into a directory in "/tmp" and it becomes the current working directory of the command. On Red Hat Linux, you do not need to include any other files in your archive other than your script if that is all you wish to execute.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

115

If the PATH environment variable of your root account does not include the current working directory and you wish to execute a shell script or other executable that you have included inside an archive, specify the relative path to the executable in the Full Command Line field. The command is executed inside a directory alongside the files which have been extracted. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .rpm file and then put the command "./ installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, the KBOX Agent runs the command //usr/sbin/rpm -e packagename.rpm on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. The uninstallation in this way is performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a Full Command Line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored. 6. If your package requires additional options, you can enter the following installation details: Run Parameters You do not need to specify any parameters if you have a .rpm file. If no Run Parameters are filled in, -U is used by default. Setting a value here overrides the default “-U” option. For instance, if you set Run Parameters to: “–ivh --replacepkgs”, then the command that would run on the computer would be: rpm -ivh –replacepkgs package.rpm You do not need to specify a full command line if you have a .rpm file. The server executes the installation command by itself. The Linux client tries to install this via: rpm [-U | Run Parameters] "packagename.tgz” If you do not want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command is run against all of the .rpm files it can find. Select this check box to uninstall software. If the Full Command Line above is filled in, it is run. Otherwise, by default the agent attempts the command, which is generally expected to remove the package. Select this check box to run the command line only. This does not download the actual digital asset. Enter additional information in this field, if any. Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Linux platform.

Full Command Line

Un-Install using Full Command Line Run Command Only Notes Managed Action

7. Specify the deployment details: Deploy to All Machines Select the check box if you want to deploy to all the machines.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

116

Limit Deployment To Selected Labels

Select a label to limit deployment only to machines belonging to the selected label. Press CTRL to select multiple labels. If you have selected a label that has a replication share or an alternate download location, then the KBOX copies digital assets from that replication share or alternate download location instead of downloading them directly from the KBOX. Note: The KBOX always uses a replication share in preference over an alternate location. You can limit deployment to one or more machines. Select the machines from the drop-down list to add to the list. You can filter the list by entering filter options. The order in which software should be installed. The lower deploy order deploys first. Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the installation forever. Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

Limit Deployment To Listed Machines Deploy Order Max Attempts

Deployment Window(24H clock)

8. Set user interaction details: Allow Snooze Custom Pre-Install Message Delete Downloaded Files This option is not available for Linux platform. This option is not available for Linux platform. Select this check box to delete the package files after installation.

Custom Post-Install Message This option is not available for Linux platform.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

117

Use Alternate Download

Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location: Enter the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum: Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User: Enter a user name that has the necessary privileges to access the Alternate Download Location. Alternate Download Password: Enter the password for the user name specified above. Note: If the target machine is part of a replication label, then the KBOX does not fetch software from the alternate download location. For more information on using an alternate location, Refer to “Distributing Packages through an Alternate Location,” on page 105. Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label cannot be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, Refer to Chapter 3,“Labels,” starting on page 84.

9. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

118

Standard TAR.GZ Example
Deploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.rpm plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to the KBOX for deployment. To create a managed installation for a tar.gz file: 1. Use the following two commands to create tar.gz file: tar –cvf filename.tar packagename.rpm gzip filename.tar This creates filename.tar.gz 2. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series. 4. Select Distribution | Managed Installation. The Managed Installations page appears. 5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 6. Select the software title with which the tar.gz file is associated from the Select software drop-down list. 7. This file is uncompressed and searched for all .rpm files. The installation command is run against each of them. 8. If no Run Parameters are filled in, -U is used by default. 9. You do not need to specify a full command line. The server executes the installation command by itself. The Linux client tries to install this via: rpm [-U | Run Parameters] "packagename.tgz” 10. Enter other package details as described in the Creating a Managed Installation procedures for .rpm file above. 11. Click Save. The KBOX Agent automatically runs deployment packages with .rpm extensions. However, KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

119

Examples of Common Deployments on Solaris™
The supported package deployments are .pkg, pkg.gz, .zip, .bin and tar.gz. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to the KBOX prior to creating the Managed Installation package. We recommend installing the software on a QA machine, waiting a sufficient amount of time for the KBOX Agent to connect to the KBOX 1000 series appliance and create an inventory item for the software, and then creating the Managed Installation package. To create a managed installation for a .pkg file: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail page appears. 3. Select the software from the Select software drop-down list. You can filter the list by entering any filter options. 4. By default the Kbox Agent attempts to install the .pkg file via the following command. Generally, this should be sufficient to install a new package or update an existing one to a new version: pkgadd -n -d "packagename.pkg" [Run Parameters] 5. If you have selected a zip/pkg.gz/tar.gz file, then the contents are unpacked and the root directory searched for all .pkg files. The installation command is run against each of them. The KBOX finds all pkg files at the top level of an archive automatically, so you can install more than one package at a time. You can also create an archive containing a shell script and then specify that script name as the full command. The KBOX runs that command if it is found and log an error if is not. If you want to change the default parameters, you have to specify the Full Command Line. You may specify wildcards in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files are extracted into a directory in "/tmp" and that becomes the current working directory of the command. You can put a zero-byte .pkg file in your archive if all you want to do is execute a shell command or some other executable.

Ensure that you specify the relative path to the executable in the Full Command Line field, if you wish to execute a shell script or other executable that you have included inside an archive. The command is executed inside a directory alongside the files which have been extracted. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you are using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Include appropriate arguments for an unattended, batch script.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

120

If you select the uninstall check box in the MI detail, the KBOX Agent runs the command: /usr/sbin/pkgrm -n packagename.pkg on either your standalone rpm file or each rpm file it finds in the archive, removing the package(s) automatically. An uninstallation in this way can be performed only if the archive or package is downloaded to the Agent. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored. 6. If your package requires additional options, you can enter the following installation details: Run Parameters You do not need to specify any parameters if you have a .pkg file. If no Run Parameters are filled in, all are used by default to install all packages in the .pkg file. Setting a value here overrides the default option. You do not need to specify a full command line if you have a .pkg file. The server executes the installation command by itself. The Solaris client tries to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters] If you do not want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command runs against all the .pkg files it can find. Select the check box to uninstall software. If the Full Command Line above is filled in, it is run. Or else by default the agent attempts the command, which is generally expected to remove the package. Select the check box to run the command line only. This does not download the actual digital asset. Enter additional information in this field, if any. Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Solaris platform.

Full Command Line

Un-Install using Full Command Line Run Command Only Notes Managed Action

7. Specify the deployment details: Deploy to All Machines Limit Deployment To Selected Labels Select the check box if you want to deploy to all the machines. Select a label to limit deployment only to machines belonging to the selected label. Press CTRL to select multiple labels. If you have selected a label that has a replication share or an alternate download location, then the KBOX copies digital assets from that replication share or alternate download location instead of downloading them directly from the KBOX. Note: The KBOX always uses a replication share in preference over an alternate location. You can limit deployment to one or more machines. Select the machines from the drop-down list to add to the list. You can filter the list by entering filter options. The order in which software should be installed. The lower deploy order deploys first.

Limit Deployment To Listed Machines Deploy Order

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

121

Max Attempts

Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance tries to install the package. If you specify 0, the KBOX enforces the installation forever. Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

Deployment Window(24H clock)

8. Set user interaction details: Allow Snooze Custom Pre-Install Message Custom Post-Install Message Delete Downloaded Files Use Alternate Download This option is not available for Solaris platform. This option is not available for Solaris platform. This option is not available for Solaris platform. Select this check box to delete the package files after installation. Select the check box to specify details for alternate download. When you select the check box, the following fields appear: Alternate Download Location: Enter the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum: Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User: Enter a user name that has necessary privileges to access the Alternate Download Location. Alternate Download Password: Enter the password for the user name specified above. Note: If the target machine is part of a replication label, then the KBOX does not fetch software from the alternate download location. For more information on using an alternate location, Refer to “Distributing Packages through an Alternate Location,” on page 105. Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label cannot be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, Refer to Chapter 3,“Labels,” starting on page 84. 9. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

122

Standard TAR.GZ Example
Deploying software using a tar.gz file is a convenient way to package software when more than one file is required to deploy a particular software title (for example, packagename.pkg plus required configuration and data files). For example, if you have a CD-ROM containing a group of files required to install a particular application, you can package them together in a tar.gz file, and upload them to the KBOX for deployment. To create a managed installation for a tar.gz file: 1. Use the following two commands to create tar.gz file: tar –cvf filename.tar packagename.pkg gzip filename.tar This creates filename.tar.gz. 2. Create an inventory item for the target deployment. You can do this manually from the Inventory | Software tab, or by installing the package on a KBOX Agent machine that regularly connects to the KBOX 1000 Series appliance. 3. Associate the tar.gz file with the inventory item and upload it to the KBOX 1000 Series. 4. Select Distribution | Managed Installation. The Managed Installations page appears. 5. Select Add New Item in the Choose action drop-down list. The Managed Software Installation: Edit Detail page appears. 6. Select the software title with which the tar.gz file is associated from the Select software drop-down list. 7. This file is uncompressed and searched for .pkg files. The installation command is un against each of them. 8. If no Run Parameters are filled in, all are used by default to install all packages in the .pkg file. 9. You do not need to specify a full command line. The server executes the installation command by itself. The Solaris client tries to install this via: pkgadd -n -d "packagename.pkg" [Run Parameters] If extension is tar.gz: tar xzpf “packagename” If extension is .zip: unzip “packagename.zip” If extension is .gz: gunzip “packagename.gz” 10. Enter other package details as described in the Creating a Managed Installation procedures for .pkg file above. 11. Click Save. The KBOX Agent automatically runs deployment packages with .pkg extensions. However, the KBOX 1000 Series also provides a capability for administrators to Zip many files together and direct the KBOX 1000 Series to unpack the Zip and run a specific file within.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

123

Examples of Common Deployments on Macintosh®
For information on common deployments on Macintosh®, Refer to Appendix A,“Macintosh® Users,” starting on page 322.

File Synchronizations
File synchronizations enable you to distribute software files to the computers on your network. These can be any type of file, such as PDF, ZIP files, or EXE files, which are simply downloaded to the user’s machine, but not installed.

Creating a file synchronization
Using file synchronizations, you can push out any type of file to the computers on your network. You can choose to install the files from the KBOX 1000 Series, or you can specify an alternate location from where users download the file. The string KACE_ALT_Download in the Alternate Download Location field is replaced with the value assigned by the corresponding LABEL. You should not have a machine in more than one LABEL with an Alternate Download Location specified. To create a file synchronization: 1. Select Distribution | File Synchronization. The File Synchronizations page appears. 2. Select Add New Item in the Choose action drop-down list. The File Synchronization: Edit Detail page appears. 3. Select the software title to install in the Software Title to Install drop-down list. 4. Set or modify the following installation details: Notes Location (full directory path) Location User Location Password Enabled Create Location (if doesn’t exists) Replace existing files Do Not Uncompress Distribution Enter any information related to the software title selected. Enter the location on the users machine where you want to upload this file. If the Location specified above is a shared location, enter the User login name. If the Location specified above is a shared location, enter the login password. Select the check box to download the file the next time the KBOX Agent checks into the KBOX appliance. Create the installation location if not has not already been created. Select the check box to overwrite existing files of the same name on the target machines. Select the check box if you are distributing a compressed file and do not want the file uncompressed.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

124

Persistent

Select the check box if you want the KBOX to confirm every time that this package does not already exist on the target machine before attempting to deploy it. Select the check box if you want to create a desktop shortcut to the file location. Enter a display name for the shortcut. Select the check box to delete temporary installation files.

Create shortcut (to location) Shortcut name Delete Temp Files

5. Specify the deployment details: Limit Deployment to Enter a label for the package. The file is distributed to the users assigned to the label, such as operating system affected by the synchronization.

6. Set user interaction details: Pre-Install User Message Select this check box to display a message to users prior to installation. When you select this check box, additional fields appear: Pre-Install User Message: Enter a pre-install message. Pre-Install Message Timeout: Enter a timeout in minutes for which the message is displayed. Pre-Install Timeout Action: Select a timeout action that takes place at the end of the timeout period. For example, if the installation is being carried out when there currently no active users accessing their desktop. You can select Install now to install the software without any hindrance to the users or select Install later if the installer needs some user interaction. Post-Install User Message Select the check box to display a message to users after the installation completes. When you select this check box, message field and timeout options appear. Enter a message and a timeout value in minutes. Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

Deployment Window

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

125

Use Alternate Download

Select this check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location: Enter the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum: Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User: Enter a user name that has necessary privileges to access the Alternate Download Location. Alternate Download Password: Enter the password for the user name specified above. Note: If the target machine is part of a replication label, then the KBOX does not fetch software from the alternate download location. For more information on using an alternate location, Refer to “Distributing Packages through an Alternate Location,” on page 105. Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label cannot be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, Refer to “Labels,” on page 84.

7. Click Save. To distribute files previously deployed after the deployment window has closed, click the Resend Files button.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

126

Replication
Replication Share allows a KBOX Agent to replicate software installers, patches, client upgrades, and script dependencies to a shared folder. This allows the KBOX Agent machines to download software installers, patches, client upgrades, and script dependencies from the shared folder and not directly from the KBOX. A replication share is used where it is undesirable to have the KBOX Agent machines downloading installation files directly from the KBOX over WAN, due to bandwidth or other concerns. In creating a replication share, you need to identify one machine at each remote location which acts as a "Replication Machine". The server copies all the replication items such as software installers, patches, client upgrades, script dependencies to the replication machine at the specified destination path. From the Replication tab, users can: Add or delete replication shares Enable or disable replication shares Start or restart a halted replication task Halt a running replication task Perform a share inventory for the replication share The priority for copying replication items is as follows: 1. Script dependencies 2. Softwares 3. Client Upgrades 4. Patches

Creating a Replication Share
Replication shares can only be created on one of the machines listed in the KBOX Inventory | Computers tab. If you want to create a share on a machine not listed there, you need to create an inventory record for the machine before you continue to create a replication share. For more information, see Chapter 3,“Inventory,” starting on page 54. The Replication Machine needs to have write permissions of the destination path to write the software files. A Replication Share can only be created on machines having the KBOX Agent version 4.3 or higher. To create a replication share: 1. Select Distribution | Replication. The Replication Shares page appears. 2. Select Add New Item in the Choose Action drop-down list. The Replication Share: Edit Detail page appears. 3. Select the Replication Enabled check box. 4. Select the machine in the Replication Machine drop-down list. The replication share is created on this machine. The replication share can be created by two methods: Locally

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

127

Shared network drive 5. Specify the replication share destination details: Destination Path Enter the destination path to copy all the replication items from the KBOX. All the replication items are first listed in the replication queue and then copied one at a time to the destination path. Any new replication item is first listed in the replication queue and then copied after a default interval of 10 minutes. Enter the login name for the share. The login account should have write access of the destination path.

Destination Path User

Destination Path Password Enter the password for the share. 6. Select a label for the replication share. Select a label from the Label drop-down list .You need to verify that the selected label does not have ALT_KACE_LOCATION specified. The replication share gets a preference over the ALT_KACE_LOCATION while downloading files to the client machine. 7. Specify the replication share download details: Download Path Enter the download path for machines in the replication label to copy the replication items from this path instead of downloading them directly from the KBOX. For example, a UNC path, \\fileservername\directory\kbox\ The client machine needs read permission to copy the replication items from this shared folder. Enter the login name for accessing the download path. Enter the password for accessing the download path.

Download Path User Download Path Password 8. Specify the following: Limit Patch O/S Files

This field displays the patches for the platforms subscribed in patch subscription settings page. Refer to Chapter 9,“Subscription Settings,” starting on page 169 for more details. This field displays the OS languages subscribed in patch subscription settings page. Refer to Chapter 9,“Subscription Settings,” starting on page 169 for more details. Select this checkbox to replicate the App patches to the replication share. Select this checkbox to replicate softwares and patches to repl1 folder path which is used by 4.2 clients. For example, \\machinename\foldername\repl1\replicationitems folder Enter the value to specify the maximum bandwidth to be used for replication. If this field is left blank, the bandwidth used is equal to the maximum bandwidth available for replication.

Limit Patch Language Files

Replicate App Patches Maintain 4.2 Replication Share

Hi Bandwidth

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

128

Lo Bandwidth

Enter the value to specify the restricted bandwidth to be used for replication. If this field is left blank, the bandwidth used is equal to the maximum bandwidth available for replication. You can specify the Replication Schedule by specifying the colors displayed in Replication Share page for different days and time slots. The color scheme that you can specify are: White - Replication Off Light Blue - Replication ON with Low Bandwidth Blue - Replication ON with High Bandwidth

Replication Schedule

Copy Schedule From

Select any existing Replication Schedule from the drop-down list to replicate the items as per the selected schedule.

9. Enter comments in the Notes field as necessary. 10. Click Save. Maintain 4.2 Replication Share checkbox is displayed only when Enable Enhanced Content (EC) checkbox is not selected at KBOX Settings | Server Maintenance page. Refer to Chapter 16,“Patch Definitions,” starting on page 299 for more details.

Figure 6-2: Replication Schedule

Viewing Replication Share Details
After creating a replication share and clicking Save, the Replication Shares page opens. The Replication Shares page displays the list of Replication Shares. To view a replication share details: 1. Select Distribution | Replication. The Replication Shares page appears. 2. Click a replication share. The Replication Share: Edit Detail page appears. 3. At the bottom of the Replication Share: Edit Detail page, you can also view the following:

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

129

Replication Queue: Click Replication Queue to see a list of replication items that are going to be copied. Share Inventory: Click Show Share Inventory to see a list of replication items that have been copied. Delete Queue: Click Show Delete Queue to see a list of replication items that are marked for deletion.

Replication enhancements in the KBOX version 4.3
Following is the list of replication enhancements in the KBOX version 4.3: Bandwidth optimization - You can limit the bandwidth to be used for replication by specifying the minimum and maximum bandwidth value, while creating a replication share. Refer to “Creating a Replication Share,” on page 127 for more details. Destination Path - You can specify either the local machine path or any network path accessible from the replication machine while creating the replication share. Schedule Replication - You can create a schedule for replication to optimally use the bandwidth. This feature helps in conserving the bandwidth at peak hours by halting the replication if needed. Refer to “Creating a Replication Share,” on page 127 for more details. Obsolete file deletion - If any replication item is deleted from the KBOX Server, it is automatically marked for deletion in the delete queue. Any such obsolete file, if available on replication share, gets automatically deleted from the replication share in the replication task cycle. Limiting file patching - You can limit the patches to be replicated by selecting the appropriate platforms. Only patches of selected platforms get replicated. You can also limit the patches to be replicated by selecting the type of operating system language. Only the patches of selected operating system type get replicated. Upgrading client bin - The KBOX Server supports replication of upgrade .bin files. Replication queue - You can view the files getting replicated with their status in the Replication queue. To view the replication queue, click on Show Replication Queue link in Replication Share: Edit Detail page. Sneaker net share - You can create a new folder, and copy the contents of an existing replication folder to it. You can then specify this folder as the new replication folder in the KBOX. The KBOX checks if the new folder has all the replication items present and replicates only the new ones. This results in conserving the bandwidth by not copying the files twice. You can manually copy the contents of replication folder to a new folder. The replication folder created in a machine follows following hierarchy: \\machinename\foldername\repl2\replicationitems folder The machine name and folder name is user defined while repl2 is automatically created by the KBOX Server. The replication items folder includes the folder for patches, kbots, upgrade files, and softwares. Restarting file transfer - Replication process automatically restarts if it stops midway due to a network failure or due to a replication schedule. In this case, the replication process continues replicating the file from the point at which it stopped. The replication functionality of the KBOX Server version 4.3 also supports the KBOX Agent version 4.0 and higher.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

130

iPhone
The iPhone configuration profiles allow an Enterprise to set up e-mail and secure access with VPNs, certificates and wireless settings for user’s iPhones. The iPhones are then used to access the KBOX user portal to download their configuration profiles and for general KBOX user portal access. The self-service user portal allows users to access a flexible knowledge base, see hardware and software inventory information, install IT controlled software packages, and access support tickets. This guide assumes familiarity with Apple iPhone products for the enterprise including: iPhone and iPod Touch running iPhone software 2.0 or later iPhone Configuration Utility 1.0 - the Apple provided tool for initial creation of the configuration profiles to be provisioned on user’s iPhones General Information on the KBOX Appliances features and requirements are available at: http://www.kace.com/products/systems-management-appliance/computer-managementsoftware-alternative/index.php For additional documentation, click Help | Administrator Guide on the KBOX web console. From the iPhone tab, users can: Add or delete iPhone profiles Configure Collection Settings

Setting up Administrative Access to iPhone Profile Management
Setting up the administrative access to iPhone Profile management enables the ability to create and manage the iPhone profiles by admin users only. To set up administrative access to iPhone Profile Management: 1. Select Help Desk | Roles. The User Roles page appears. 2. Choose Add New Item from the Choose action drop-down list. The User Role: Edit Detail page appears. 3. Enter the Role information as follows: Record Created Role Name Description The date and time when the Role was first created. This is a read-only field. Enter a name for the Role. This is a mandatory field. Enter the Role description.

Record Last Modified The date and time when the Role was last modified. This is a read-only field.

4. Click the Distribution tab link under the Permissions ADMIN Console area, to expand it. You can also click the [Expand All] link to view the Distribution tab. 5. Select the Custom option, and choose the write permission for the iPhone tab from the drop-down list. 6. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

131

Creating Configuration Profiles
You can use the Apple provided iPhone Configuration Utility 1.0 tool for initial creation of the configuration profiles to be provisioned to your users' iPhones. For more information, Refer to http://www.apple.com/support/iphone/enterprise/

Adding an iPhone Profile
The iPhone Profile Management feature fulfills all of the profile management needs through the KBOX. To create a profile: 1. Select Distribution | iPhone. The iPhone Profiles page appears. 2. Choose Add New Item from the Choose Action drop-down list. The iPhone Profile : Edit Detail page appears. 3. Create a .mobileconfig file using the separate iPhone Configuration Utility 1.0 from Apple to enable the profile. 4. Click Browse to select the file you created to import in the Import a .mobileconfig file area. 5. Select the Enabled check box under the Access Control area to allow users to have access after you create the profile. Access is not activated and no files are accessible, till you select the Enabled check box. 6. Select a label from the Limit Access To User Labels list to limit the access control to specific users, if required. 7. Specify the following details under the Send Profile by Email area: To Message Enter the recipient’s email address, or choose select user to add from the drop-down list. You can filter the list by entering any filter options. Enter a description for this e-mail.

8. Click Save. The iPhone Profiles page appears. 9. The XML details for this profile appear under .mobileconfig attributes area, after you click Save and create this new profile.

To view or edit profile details:
You can view or edit details of an iPhone profile. 1. Select Distribution | iPhone. The iPhone Profiles page appears. 2. Double-click the listed profile. The iPhone Profile : Edit Detail page appears. 3. You can edit the iPhone configuration profile details (You can use cut and paste details into another edit profile page for creating additional profiles). 4. Click Save to save your changes. The Profile Edit Log history is displayed at the bottom of the Edit page. This page displays all the track changes made to the profile. 5. Click Download to save the .mobileconfig file associated with this profile locally. 6. Click Save to save the changes to this profile. The iPhone Profile page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

132

Configuring Collection Settings
This page configures a script that collects iPhone information from desktop Macintosh® computers. It records information stored there during the normal backup sync of iPhone devices. When it runs it creates iPhone Asset records based on the information it finds. Multiple devices synced to a desktop show up as separate devices. To configure collection settings: 1. Select Distribution | iPhone. The iPhone Profiles page appears. 2. Choose Configure Collection Settings from the Choose Action drop-down list. The iPhone Asset Collection Settings & Schedule page appears. 3. Specify the following under Deployment area: Enabled Select this check box to run this script on the target machines. The script will only run when a user is logged into the machine. You also may wish to adjust the run interval to something appropriate to your network. Select the check box if you want to deploy to all the Machines. Click OK in the confirmation dialog box. Select a label to limit deployment of this script only to machines belonging to the selected label. Press COMMAND to select multiple labels. You can limit deployment of this script to only one or more machines. Select the machines from the drop-down list to add to the list. You can filter the list by entering filter options. Select an operating system on which the script is to be run. If you selected a label as well, the script only runs on machines with that label if they are also running the selected operating system. Note: This script only runs on Mac OS X 10.4 and Mac OS X 10.5. You should adjust your Supported Operating Systems list to match properly. 4. Specify the schedule, under Scheduling area: Don’t Run on a Schedule The script runs in combination with an event rather than on a specific date or at a specific time.

Deploy to All Machines Limit Deployment To Selected Labels Limit Deployment To Listed Machines Supported Operating Systems

Run Every nth minutes/hours The script runs on every hour or minutes as specified. Run Every day/specific day at HH:MM AM/PM Run on the nth of every month/specific month at HH:MM AM/PM The script runs on the specified time on the specified day. Select to run the script on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

133

Custom Schedule

This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX doesn’t support the extended cron format.

5. Click Run Now to immediately push this script to target machines. 6. Click Save save the configuration collection settings.

iPhone Asset
The iPhone asset collection script runs on the Macintosh® machines and generates the iPhone asset. To view the iPhone asset information: 1. Select Asset | Asset. The Asset page appears. 2. Select iPhone Asset in the View by asset type drop-down list. The iPhone asset created by the iPhone asset collection script is displayed. 3. Click the iPhone Asset name. The Asset Detail page appears. 4. The following information is displayed: Name Device name Phone number Product version Product type Serial number Build version IMEI ICCID iTunes Version Last Backup Date Unique Identifier Computer Application ids This is a read-only field that displays the name of the asset. This is a read-only field that displays the device name as iPhone. This is a read-only field that displays the iPhone phone number. This is a read-only field that displays the product version of the iPhone. This is a read-only field that displays the product type as iPhone. This is a read-only field that displays the serial number of the iPhone. This is a read-only field that displays the build version of the iPhone. This is a read-only field that displays the International Mobile Equipment Id (IMEI). This is a read-only field that displays the Integrated Circuit Card ID (ICCID). This is a read-only field that displays the iTunes version. This is a read-only field that displays the date on which the last backup was taken. This is a read-only field that displays the unique identifier for the iPhone. This is a read-only field that displays the computer name on which the iPhone is synced. This is a read-only field that displays the applications running on the iPhone.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

134

Configuring iPhone
You can set up initial iPhone configuration interacting with Exchange Active sync or via IMAP for e-mails. The KBOX is positioned in the DMZ (demilitarized zone or Screened Subnet) in order to simplify the initial iPhone configuration for accessing to the KBOX user portal.

Figure 6-3: iPhone configuration The KBOX provides a Web (Safari) URL login page to download profiles as an alternative to e-mailing the configuration profiles to users. The page requires user authentication in order to present the appropriate list of profiles for download based on the user access list defined in “Setting up Administrative Access to iPhone Profile Management,” on page 131.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

135

Figure 6-4: iPhone accessing various profiles for download The user is prompted to confirm the download.

Figure 6-5: Load Profile confirmation

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

136

A message indicates if the download failed or completed successfully.

Figure 6-6: Download message

Customize the download page

To customize the download page with the name of the company or organization, the KBOX provides download logs displaying which iPhones have downloaded which configuration profiles. Mobile UI into the KBOX Select the visit user portal option to provide the authenticated user access to the KBOX user portal from the iPhone. A message appears indicating the status after the download process.

Figure 6-7: Browsing User Portal

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

137

Refer to Chapter 11,“Overview of the User Portal,” starting on page 194 for information on the User Portal.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

138

C H A P T E R 7 Wake-on-LAN
The KBOX Wake-on-LAN feature provides the ability to “wake up” computers equipped with network cards that are Wake-on-LAN compliant.
“Wake-on-LAN feature Overview,” on page 140 “Issuing a Wake-on-LAN request,” on page 140 “Troubleshooting Wake-on-LAN,” on page 141

139

Wake-on-LAN feature Overview
The KBOX Wake-on-LAN feature enables you to remotely power-on device on your network, even if those machines do not have the KBOX Agent installed. Wake-on-LAN can target a label, or specific MACaddressed machine. Wake-on-LAN is often used to power on machines prior to some IT activity, such as distributing a package from the KBOX to a subnet, to ensure that the distribution or update reaches as many target machines as possible. Because many of the updates are performed during off-hours to minimize the impact on your network, some of the machines targeted for updating might be turned off at the time you are performing the updates. In such cases, you could issue a Wake-on-LAN call to turn computers on prior to performing updates, running scripts, or distributing packages. This feature only supports machines that are equipped with a Wake-On-LAN-enabled network interface card (NIC) and BIOS.

Using the Wake-on-LAN feature on the KBOX will cause broadcast UDP traffic on your network on port 7. This traffic should be ignored by most computers on the network. The KBOX sends 16 packets per Wakeon-LAN request because it must guess the broadcast address that is required to get the "Magic Packet" to the target computer. This amount of traffic should not have a noticeable impact on the network.

Issuing a Wake-on-LAN request
You can wake multiple devices at once by specifying a label to which those devices belong, or you can wake computers or network devices individually. If you need to wake devices on a regular basis, for example to perform monthly maintenance, you could schedule a Wake-on-LAN to go out a specific time. If the device you want to wake is not inventoried by the KBOX but you still know the MAC (Hardware) address and its last-known IP address, you can manually enter the information to wake the device. To issue a Wake-on-LAN request: 1. Click Distribution | Wake-on-LAN. The Wake-on-LAN page appears. 2. To wake multiple devices, select a label from the Labels drop-down list. 3. To wake computers individually, select them from the Wake a Computer list. Press CTRL, and then click to select multiple computers. You can filter the list by entering any filter options. 4. To wake a network device, specify the device’s IP address in the Devices field. You can filter the list by entering any filter options. 5. Specify the MAC address of the device in the MAC Address field. 6. Specify the IP address of the device in the IP Address field. 7. Click Send Wake-on-LAN. After sending the Wake-on-LAN request, you will see the results at the top of the page indicating the number of machines that received the request and to which label, if any, those machines belong.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

140

To schedule a Wake-on-LAN request: 1. Click Distribution | Wake-on-LAN. 2. Click the Schedule a routine Wake-on-LAN event link. The Wake-on-LAN page appears. 3. Select Add New Item in the Choose action drop-down list. The Wake-on-LAN Settings page appears. 4. In the Labels to Wake-on-LAN box, select the labels to include in the request. Press CTRL, then click to select multiple labels. 5. In the Limit by Operating Systems box, select the operating systems to include in the request. 6. Select the appropriate radio button to schedule Wake-on-LAN scan, in the Scheduling area: Don’t Run on a Schedule Run Every day/specific day at HH:MM AM/PM Select to run the tests in combination with an event rather than on a specific date or at a specific time. Select to run the tests every day or only the selected day at the specified time.

Run on the nth of every month/spe- Select to run the tests on the 1st, 2nd, or any other date of every month or only the selected month. cific month at HH:MM AM/PM 7. Click Save. On clicking Save, you will see the Wake-on-LAN tab with the scheduled request listed. From this view you can edit or delete any scheduled requests.

Troubleshooting Wake-on-LAN
There can be some cases when a Wake-on-LAN request fails to wake devices. This can be caused due to the following inappropriate configuration of network devices that causes Wake-on-LAN to fail: The device does not have a WOL-capable network card or is not configured properly. The KBOX has incorrect information about the subnet to which the device is attached. UDP traffic is not routed between subnets or is being filtered by a network device. Broadcast traffic is not routed between subnets or is being filtered by a network device. Traffic on Port 7 is being filtered by a network device. For more assistance with troubleshooting Wake-on-LAN, see http://support.intel.com/support/network/sb/cs-008459.htm.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

141

C H A P T E R 8 Scripting
The optional Policy and Scripting Module provides a point-and-click interface for performing tasks that would typically require you to perform a manual process or advanced programming. This feature is available for computers that run on the Windows and UNIX operating systems.
“Scripting Module Overview,” on page 143 “Creating and Editing Scripts,” on page 145 “Using the Run Now function,” on page 154 “Searching Scripting Log Files,” on page 156 “Configuration Policies,” on page 157

142

Scripting Module Overview
If you have purchased the optional the KBOX Policy and Scripting Module, you now have a way to easily and automatically perform a variety of tasks. These tasks can be performed across your network through customized scripts that run as per your preferences. You can automate tasks like: Installing software Checking antivirus status Changing registry settings Configuring browser settings by creating a custom script Scheduling deployment to the endpoints on your network Each script consists of metadata, dependencies (wherever necessary), rules (Offline Kscripts and Online Kscripts), tasks (Offline Kscripts and Online Kscripts), deployment settings, and schedule settings. Dependencies are the supporting executable files that are necessary for a script to run. For example, .zip files. Rules are tasks performed in a specified order on the target machine. Tasks are the individual steps that are carried out by a script. In each script, you can have any number of tasks. Whether or not a task is executed is dependent upon the success or failure of the previous task. There are three types of scripts you can create: Offline KScripts: These scripts can execute even when the client machine is not connected to the KBOX server such as at the time of Machine Boot Up and User Login. They execute at scheduled time based on the client clock. They are built using a wizard, but execute only on Windows platforms. Online KScripts: These scripts can execute only when the client machine is connected to the KBOX server. They execute at scheduled time based on the server clock. They are built using a wizard, but execute only on Windows platforms. Online Shell Scripts: These scripts can execute only when the client machine is connected to the KBOX server. They execute at scheduled time based on the server clock. They are built using simple text-based scripts (bash, perl, batch, etc.) supported by the target operating system. Batch files are supported on Windows, along with all manner of shell script formats supported by the specific operating system of the targeted machines.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

143

Using Scripts that are installed with the KBOX
The KBOX installs the following scripts by default: Script Name Force Checkin Description Runs KBScriptRunner on client to force checkin. WARNING: Do not run this with more than 50 clients selected as it can overload the server with requests. Example script to defragment the c: drive on the computer DOS-DIR On some machines, a missing registry entry causes all the contents of the system32 directory to be reported as the Startup Programs. This script fixes the registry entry if it is missing. Disables the KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly. Enables the KBOX Remote Control functionality on Windows XP Professional by configuring Terminal Services properly. If the client is checking in and a problem occurs with the inventory and deployment, this script disables the debug switch. If the client is checking in and a problem occurs with the inventory and deployment, this script enables the client debug and send the debug back to the server. This only turns on debug for the inventory and deployment part of the client. It does not enable debugging of the scheduling service. Removable drives can be mounted only as read-only. This prevents people to abscond with corporate data, although they may transport data to their PC. Removable drives can be mounted read-write. This is an example script to illustrate use of message window. Your script must have properly paired create/destroy message window commands in order to work properly. Message Windows remain displayed until user dismisses the message, until the script finishes executing, or until the timeout is reached, whichever comes first. Deletes the registry keys that identify a machine. You should also delete the specific machine record from the inventory tab.

Defragment the C: drive DOS-DIR Inventory Startup Programs Fix KBOX Remote Control Disabler KBOX Remote Control Enabler KBOXClient debug logs Disable KBOXClient debug logs Enable

Make Removable Drives Read-Only Make Removable Drives Read-Write Message Window Script Example

Reset KUID

Shutdown a Windows sys- It specifies timeout in seconds while the message in quotes is displayed to tem the user. Omit this script to silently and immediately shutdown machines. USB Drives Disable USB Drives Enable Disable complete usage of USB Drives. Enable usage USB Drives may be used.

Table 8-1: Default scripts in the KBOX

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

144

Creating and Editing Scripts
There are three ways you can create scripts: By importing an existing script (in XML format) By making a copy of an existing script By creating a new script from scratch You can perform these actions from the Scripting | Scripts tab. The process of creating scripts is an iterative one. After creating a script, it is a good idea to deploy the script to a limited number of machines (you can create a test label to do this). This way you can verify whether the script is running correctly, before deploying it to all the machines on your network. It is a good practice to leave a script disabled until you have edited and tested the script and are ready to run the script.

Adding Scripts
Offline KScripts and Online KScripts are made up of one or more Tasks. Within each Task there are Verify and Remediation sections where you can further define the script behavior. If a section is left blank, it defaults to success. For example, if you leave the Verify section blank, it ends in On Success. To add an Offline KScript or Online KScript: 1. Select Scripting | Scripts. 2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears. 3. In the Configuration area, enter the requested details: Script Type Name Description Use this field to select the Offline Kscript or Online Kscript types. Enter a meaningful name for the script to make it easier to distinguish from others listed on the Scripts tab. Enter a brief description of the actions the script performs. Although this field is optional like the Name field, it helps you to distinguish one script from another on the Scripts tab. Use this field to indicate whether the script is in development (Draft) or has been rolled out to your network (Production). Use the Template status if you are building a script that is used as the basis for future scripts. Select this check box to run the script on the target machines. Do not enable a script until you are finished editing and testing it and are ready to run it. Enable the script on a test label before you enable it on all machines. Enter notes, if any.

Status

Enabled

Notes

4. Specify the deployment options: Deploy to All Machines Limit Deployment To Selected Labels Select this check box if you want to deploy the script to all the machines. Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

145

Limit Deployment To Listed Machines Supported Operating Systems Scheduling

You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options. Select an operating system on which the script is to be run. If you selected a label as well, the script only runs on machines with that label if they are also running the selected operating system. In the Scheduling area, specify when and how often the script is run. Don’t Run on a Schedule The test runs in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in. The test runs on every hour or minutes as specified. The test runs on the specified time on the specified day. This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX doesn’t support the extended cron format. This option runs the Offline KScript once when new scripts are downloaded from the KBOX. To set the time interval for downloading scripts, go to Organizations | Organizations. This option runs the Offline KScript at machine boot time. Beware that this causes the machine to boot up slower than it might normally. This option runs the Offline KScript after the user has entered their Windows login credentials. Select this option if you want to allow the Offline KScript to run even if the target machine cannot contact the KBOX 1000 Series to report results. In such a case, results are stored on the machine and uploaded to the KBOX 1000 Series until the next contact.

Run Every nth minutes/hours Run Every day/specific day at HH:MM AM/PM Custom Schedule

Also Run Once at next Client Checkin (Only for Offline KScript)

Also Run at Machine Boot Up (Only for Offline KScript)

Also Run at User Login (Only for Offline KScript) Allow Run While Disconnected (Only for Offline KScript)

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

146

Allow Run While Logged Off (Only for Offline KScript)

Select this option if you want to allow the Offline KScript to run even if a user is not logged in. To run the script only when the user is logged into the machine, clear this option.

5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more information about the Run Now button, Refer to “Using the Run Now function,” on page 154. 6. To browse for and upload files required by the script, click Add new dependency, click Browse, and then click Open to add the new dependency file. If a Replication Share has being specified and enabled at Distribution | Replication, Offline Kscripts: The dependencies are downloaded from the specified replication share. Online Kscripts: They do not support replication. The dependencies are downloaded from the KBOX Server. If the replication share is inaccessible, the dependencies get downloaded from the KBOX Server. The dependency file if unavailable at replication share gets downloaded from the KBOX server. Repeat this step to add additional new dependencies as necessary. 7. Click Add Task Section to add a new task. The process flow of a task in a script is shown below. IF Verify THEN Success ELSE IF Remediation THEN Remediation Success ELSE Remediation Failure Figure 8-2: Example of Task process flow An example to verify the presence of Adobe key in HKEY_CURRENT_USER is as follows: a. Click Add below Verify area and select Verify a registry key exists from Add a new step dropdown list. b. Enter the registry key in Key field in correct format as displayed below, HKEY_CURRENT_USER\Software\Adobe c. Click Save Changes to save the format. d. Click Add below On Success area and select Log message from Add a new step drop-down list. e. Enter a message in the Message field.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

147

f. Click Save. The message is displayed in the Scripting logs on the successful execution of the script. To view the scripting logs Refer to Chapter 3,“Scripting Logs,” starting on page 64. 8. Under Policy or Job Rules, set the following options for Task 1: Attempts Enter the number of times the script should attempt to run. If the script fails but remediation is successful, you may want to run the task again to confirm the remediation step. To do this, set the number of Attempts to 2 or more. If the Verify section fails, it is run the number of times mentioned in this field. Select Break if you want the script to stop running upon failure. Select Continue if you want the script to perform remediation steps upon failure.

On Failure

9. In the Verify section, click Add to add a step, and then select one or more steps to perform. Refer to Appendix B, “Adding Steps to a Task, ” starting on page 330. 10. In the On Success and Remediation sections, select one or more steps to perform. Refer to Appendix B, “Adding Steps to a Task, ” starting on page 330. 11. In the On Remediation Success and On Remediation Failure sections, select one or more steps to perform. Refer to Appendix B, “Adding Steps to a Task, ” starting on page 330. To remove a dependency, task, or step, click the trash can icon This icon appears when your mouse hovers over an item. beside the item.

Click beside Policy or Job Rules to view the token replacement variables that can be used anywhere in the KBOX script, and are replaced at runtime on the client with appropriate values. For more information, Refer to “Token Replacement Variables,” on page 153. To add an Online Shell Script: 1. Select Scripting | Scripts. 2. Select Add New Item from the Choose action drop-down list. The Script: Edit Detail page appears. 3. In the Configuration area, enter the requested details: Script Type Name Description Use this field to select the Online Shell Script type. Enter a meaningful name for the script to make it easier to distinguish from others listed on the Scripts tab. Enter a brief description of the actions the script performs. Although this field is optional like the Name field, it helps you to distinguish one script from another on the Scripts tab. Use this field to indicate whether the script is in development (Draft) or has been rolled out to your network (Production). Use the Template status if you are building a script that is to be used as the basis for future scripts.

Status

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

148

Enabled

Select this check box to run the script on the target machines. Do not enable a script until you are finished editing and testing it and are ready to run it. Enable the script on a test label before you enable it on all machines. Enter notes, if any.

Notes

4. Specify the deployment options: Deploy to All Machines Limit Deployment To Selected Labels Limit Deployment To Listed Machines Supported Operating Systems Scheduling Select this check box if you want to deploy the script to all the machines. Select a label to limit deployment only to machines grouped by that label. Press CTRL and click labels to select more than one label. You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options. Select an operating system on which the script runs. If you selected a label as well, the script runs on only the machines with that label if they are also running the selected operating system. In the Scheduling area, specify when and how often the script runs. Don’t Run on a Schedule The test runs in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in. The test runs on every hour or minutes as specified. The test runs on the specified time on the specified day. This option allows you to set an arbitrary schedule using standard cron format. For example, 1,2,3,5,20-25,30-35,59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX doesn’t support the extended cron format.

Run Every nth minutes/hours Run Every day/specific day at HH:MM AM/PM Custom Schedule

5. Click Run Now to immediately push the script to all machines. Use this option with caution. For more information about the Run Now button, Refer to “Using the Run Now function,” on page 154.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

149

6. To browse for and upload files required by the script, click Add new dependency, click Browse, and then click Open to add the new dependency file. If a Replication Share has being specified and enabled at Distribution | Replication, the dependencies are still downloaded from the KBOX server, since Replication is not supported by Online Shell Scripts. Repeat this step to add additional new dependencies as necessary. 7. Specify the following: Script Text Timeout (minutes) Upload File Delete Downloaded Files Enter the relevant script text. Enter the value in minutes, the maximum time, for which the server tries for execution of the script. Select this check box to upload dependency file, if any to the client machine. Specify the directory path and file name. Select this check box to delete the downloaded files from the client machine.

To remove a dependency, click the trash can icon appears when your mouse hovers over an item.

beside the item. This icon

Click beside Policy or Job Rules to view the token replacement variables that can be used anywhere in the KBOX script, and are replaced at runtime on the client with appropriate values. For more information, Refer to “Token Replacement Variables,” on page 153.

Editing Scripts
You can edit scripts on the Script: Edit Detail page, or in an XML editor (only for Offline KScripts and Online KScripts). To use the XML editor, click the View raw XML editor link below the Scheduling option. Offline KScripts and Online KScripts can be edited using the wizard in addition to these methods. To edit a script: 1. Select Scripting | Scripts. 2. Click the name of the script you want to edit. The Script: Edit Detail page appears. 3. Modify the script as desired. 4. Click Save. To delete a script from the Scripts page: 1. Select Scripting | Scripts. 2. Select the check box beside the script you want to delete. 3. Choose Delete Selected Item(s) from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

150

4. Click OK to confirm deletion. To delete a script from the Scripts Edit page: 1. Select Scripting | Scripts. 2. Click the name of the script you want to delete. The Script: Edit Detail page appears. 3. Click Delete. 4. Click OK to confirm deletion.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

151

Importing Scripts
If you prefer to create your script in an external XML editor, you can upload your finished script to the KBOX. Be sure that the imported script conforms to the following structure: The root element <kbots></kbots> includes the URL of the KACE DTD “kbots xmlns=”http://kace.com/Kbots.xsd”>...<kbots> One or more <kbot> elements. Exactly one <config> element within each <kbot> element. Exactly one <execute> element within each <config> element. One or more <compliance> elements within each <kbot> element. Following is an example of XML structure for a the KBOX script: <?xml version=”1.0” encoding=”utf-8” ?> <kbots xmlns=”http://kace.com/Kbots.xsd”> <kbot> <config name=”name=”” type=”policy” id=”0” version=”version=”” description=”description=””> <execute disconnected=”false” logged_off=”false”> </execute> </config> <compliance> </compliance> </kbot> </kbots>

In the above example of a simple XML script, the <config> element corresponds to the Configuration section on the Script: Edit Detail page. This is where you specify the name of the policy or job (optional), and the script type (policy or job). Within this element you can also indicate whether the script can run when the target machine is disconnected or logged off from the KBOX. You can specify whether the script is enabled and describe the specific tasks the script is to perform within the <compliance> element. Tip: If you are creating a script that can perform some of the same tasks as an existing script, you may want to consider following: Creating a copy of that existing script, Opening the copied script in XML editor view to better understand what is possible in the <compliance> element. For more information, Refer to “Duplicating Scripts,” on page 153.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

152

To import an existing script: 1. Select Scripting | Scripts. 2. From the Choose action drop-down list, select Import from XML. The Script: Edit Detail page appears. 3. Paste the existing script into the space provided, then click Save.

Duplicating Scripts
If you have already created a script that performs many of the tasks required of your new script, the simplest way to begin is to make a copy of the current script, then modify the steps as required, and then upload any new dependency files. To duplicate an existing script: 1. Select Scripting | Scripts. 2. Click the linked name of the script you want to copy to open it for editing. The Script: Edit Detail page appears. 3. Click the Duplicate button. The Scripts list page appears, which includes a new script named “Copy of xxx”, where “xxx” is the name of the copied script. 4. Click the linked name of the copied script to open it for editing. Continue as you would in “Adding Scripts,” on page 145.

Token Replacement Variables
The following token replacement variables can be used anywhere in the XML of a the KBOX script, and are replaced at runtime on the client with appropriate values: $(KACE_DEPENDENCY_DIR) - expands to $(KACE_INSTALL)\packages\kbots\xxx. This is the folder where any script dependencies for this script are downloaded to the client. $(KBOX_INSTALL_DIR) - agent installation directory, C:\Program Files\KACE\KBOX. $(KBOX_SYS_DIR) - agent machine's system directory, C:\Windows\System32. $(KACE_INSTALL) - same as KBOX_INSTALL_DIR. $(KBOX_EXECUTE_EVENT) - event causing KBOT to run, [BOOTUP|LOGON|null]. $(MAC_ADDRESS) - agent machine's primary MAC address. $(KACE_SERVER) - hostname of KBOX server (kbox). $(KACE_SERVER_PORT) - port to use when connecting to KACE_SERVER (80/443). $(KACE_SERVER_URLPREFIX) - http/https. $(KACE_COMPANY_NAME) - agent's copy of the setting from server's configuration page. $(KACE_SPLASH_TEXT) - agent's copy of the setting from server's configuration page. $(KACE_LISTEN_PORT) - agent's port that server can use for "run now". $(KACE_SERVER_URL) - combination of server, port, and url prefix (http://kbox:80). $(KBOX_IP_ADDRESS) - agent's local IP address (corresponds with network entry of MAC_ADDRESS). $(KBOX_MAC_ADDRESS) - same as MAC_ADDRESS. $(KBOX_MACHINE_ID) - for 2.1 agents, this is the server's assigned unique ID for this machine.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

153

Using the Run Now function
The Run Now function provides a way for you to run scripts on selected machines immediately without setting a schedule. You may want to use this function if you have machines on your network that you suspect are infected with a virus or other vulnerability, and can compromise your entire network, if not resolved right away. Run Now is also useful for testing and debugging scripts on a specific machine or set of machines during development. The Run Now function is available in three places: Run Now tab—Running Scripts from the Scripting | Run Now tab allows you to run one script at a time on the target machines. Script: Edit Detail Page—Running Scripts from the Script : Edit Detail page allows you to run one script at a time on the target machines. Scripts List Page—Running scripts from the Scripts List Page using the Run Now option from the Choose action drop-down list allows you to run more than one script at the same time on the target machines. CAUTION: Because a script is deployed immediately when you click Run Now, use this feature cautiously, and do not deploy unless you are certain that you want to run the script on the target machines. Refer to Chapter 3,“Labels,” starting on page 84 for more information.

Run Scripts using the Run Now tab
You can run scripts using the Scripting | Run Now tab. To run Scripts using the Run Now tab: 1. Select Scripting | Run Now. The Run Now page appears. 2. Select the Script you want to run in the Scripts list. You can use the Filters options to filter the Scripts list. 3. Select the machines on which Script needs to run from the Inventory Machines list. Selected machine name appears in the Machine Names field. You can use the Filters to filter the machine names list. You can add all the machines by clicking Add All. Atleast one machine name should be present in the list to run the script. 4. Click Run Now to run the selected Script. If a Replication Share has being specified and enabled at Distribution | Replication, on clicking Run Now, the dependencies are still be downloaded from the KBOX Server for all the scripts types.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

154

Run Now from the Script Detail page
To use the Run Now function from the Script Detail page: 1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. Refer to Chapter 3,“Labels,” starting on page 84 for more information. 2. Select Scripting | Scripts. 3. Select the script you want to run. The Script: Edit Detail page appears. 4. Select the label or labels that represent the machine(s) on which you want to run the script. Press CTRL and click to select multiple labels. 5. Scroll to the bottom of the Scheduling section, then click Run Now. A confirmation dialog box appears, if you have made any changes. Click OK in the confirmation dialog box to save any unsaved changes before running or click Cancel to run without saving. The Run Now Status page is displayed after the script is run. To use the Run Now function from the Scripts Lists Page: 1. To minimize the risk of deploying to unintended target machines, KACE recommends that you create a label that represents the machine or machines on which you want to use the Run Now function. Refer to Chapter 3,“Labels,” starting on page 84 for more information. 2. Select Scripting | Scripts. 3. Select the script or scripts you want to run. 4. Select Run Now from the Choose action drop-down list.

Monitoring Run Now Status
When you click Run Now or select Run Now from the Choose action drop-down list, the Run Now Status tab appears where you can see a new line item for the script. The Pushed column indicates the number of machines on which the script is attempting to run. The Completed column indicates the number of machines that have finished running the script. The numbers in these columns increment accordingly as the script runs on all of the selected machines. The icons above the right-hand column provide further details of the script status. Icon Description The script completed successfully. The script is still being run, therefore its success or failure is unknown. An error occurred while running the script. Table 8-3: Run Now Status tab icons

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

155

If there were errors in pushing the scripts to the selected machines, you can search the scripting logs to determine the cause of the error. For more information about searching logs, Refer to “Searching Scripting Log Files,” on page 156. The Run Now function communicates over port 52230. One reason a script might fail to deploy is if firewall settings are blocking the KBOX Agent from listening on that port.

Run Now Detail Page
For more information on a Run Now item, click the linked start time on the Run Now Status page to display the item’s Run Now Detail page. The Run Now Detail page displays the results of a script that was run manually using the Run Now function, instead of running it on a schedule. The Run Now Statistics section displays the results of a script that was pushed, the push failures, push successes, completed machines, running machines, successes and failures in numbers and percentage. The Push Failures section lists those machines that the server could not contact, and therefore did not receive the policy. Once pushed, it may take some time for the machine to complete a policy. Machines that have received the policy, but have not reported their results yet are listed in the Scripts Running section. After the policy is run, it reports either success or failure. The results are sorted under the appropriate section. Each individual computer page also has the results of the Run Now events run on that machine. The Run Failures section lists those machines that failed to complete the script. The Run Successes section lists those machines that completed the script successfully.

Searching Scripting Log Files
The Search Logs page allows you to search the logs uploaded to the KBOX 1000 Series appliance by the machines on your network. To search scripting logs: 1. Select Scripting |Search Logs. 2. Enter the keywords using which you want to search for the scripts in the Search for field. You can use the following operators to change how the logs are searched: Operator + * “ Function A leading plus sign indicates the word must be present in the log. A leading minus sign indicates the word must not be present in the log. A trailing asterisk can be used to find logs that contain words that begin with the supplied characters. A phrase enclosed in double quotes matches only if the log contains the phrase exactly as typed.

Table 8-4: Available search operators 3. To search only in logs uploaded by a particular script, choose the script name.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

156

4. Select the log type to search in from the drop-down list. You can choose from the following options: Output Activity Status Debug 5. In the Historical field, select whether to search in only the most recent logs or in all logs from the drop-down list. 6. In the label field, select a label from the drop-down list to search logs uploaded by machines in a particular label group. 7. Click Search. The search results display the logs and the machines that have uploaded the logs. 8. You can apply a label to the machines that are displayed by selecting a label from the drop-down list, under search results.

Configuration Policies
The Configuration Policy page displays a list of wizards you can use to create policies that manage various aspects of the computers on your network. To access the list of available Configuration Policy wizards, click the Scripting button, then select the Configuration Policy tab. This section includes descriptions of the settings for each of the policies you can create. Available wizards include: Enforce Registry Settings Remote Desktop Control Troubleshooter Enforce Desktop Settings Desktop Shortcuts Wizard Event Log Reporter MSI Installer Wizard UltraVNC Wizard Un-Installer Wizard Windows Automatic Updates Settings

Enforce Registry Settings
This wizard allows you to create scripts that enforce registry settings. To enforce registry settings: 1. Use regedit.exe to locate and export the values from the registry that you are interested in. 2. Open the .reg file that contains the registry values you want with notepad.exe and copy the text. 3. Select Scripting |Configuration Policy. 4. Click Enforce Registry Settings. The Configuration Policy : Enforce Registry Settings page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

157

5. Enter a policy name in the Policy Name field. 6. Paste the copied registry values into the Registry File field. 7. Click Save. The Script: Edit Detail page appears. 8. Enable and set a schedule for this policy to take effect. A new script is created that checks that the values in registry file match the values found on the target machines. Any values that are missing or incorrect are replaced. Refer to “Adding Scripts,” on page 145 for more information.

Remote Desktop Control Troubleshooter
This editor creates a troubleshooting script for the KBOX Remote Control functionality. The script that this page generates tests the following things: Terminal Services: To access a Windows XP Professional machine using Remote Desktop, Terminal Services must be running. This script verifies that this is the case. Firewall Configuration: If the Windows XP SP2 Firewall is running on the machine, several different configurations can affect results in Remote Desktop requests being blocked by the firewall. To troubleshoot remote behavior: 1. Select Scripting |Configuration Policy. 2. Click Remote Desktop Control Troubleshooter. The Configuration Policy : Remote Control Troubleshooter page appears. 3. Under Firewall Configuration, specify the required settings. 4. Click Save. The Script: Edit Detail page appears. 5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information.

Enforce Desktop Settings
This wizard allows you to build policies that affect the user's desktop wallpaper. The Wallpaper bitmap file is distributed to each machine affected by the policy. This file must be in the Bitmap (.bmp) format. To create a policy to enforce Desktop Settings: 1. Select Scripting | Configuration Policy. 2. Click Enforce Desktop Settings. 3. Select the Use wallpaper check box to enforce this setting. 4. Click Browse to select and upload the .bmp file to use for the wallpaper. 5. Select a position for the wallpaper image from the Position drop-down list. Select Stretch to stretch the image so that it covers the entire screen. Select Center to display the image in the center of the screen. Select Tile to repeat the image over the entire screen. 6. Click Save. The Script: Edit Detail page appears. 7. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

158

Desktop Shortcuts Wizard
This wizard allows you to quickly create scripts that add shortcuts to users' Desktop, Start Menu, or Quick Launch bar. You can create an Internet shortcut and can put a URL to the target with no parameters and working shortcut. To create scripts to add shortcuts: 1. Select Scripting |Configuration Policy. 2. Click Desktop Shortcuts Wizard. The Configuration Policy : Enforce Shortcuts page appears. 3. Enter a name for the desktop shortcut policy in the Policy Name field. 4. Click Add Shortcut. 5. Specify the shortcut details. Name Target Parameters WorkingDir Location Enter the text label that appears below or beside the shortcut. Enter the application or file that is launched when the shortcut is clicked, say for example, Program.exe. Enter the any command line parameters. For example: /S /IP=123.4 Enter the changes to the current working directory. For example: C:\Windows\Temp Select the location where the shortcut appears from the drop-down list. Options include Desktop, Quick Launch, and Start Menu.

6. Click Save Changes to save the new shortcut. 7. Click Add Shortcut to add more shortcuts. To edit or delete a shortcut, hover over a shortcut and click the Trash can icon that appears. 8. Click Save. The Script: Edit Detail page appears. 9. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

159

Event Log Reporter
This wizard creates a script that queries the Windows Event Log and uploads the results to the KBOX. To create an Event Log query: 1. Select Scripting | Configuration Policy. 2. Click Event Log Reporter. The Configuration Policy : Event Log Reporter page appears. 3. Specify query details: Output filename Log file Event Type Source Name Enter the name of the log file created by the script. Enter the type of log you want to query. Options include Application, System, and Security. Enter the type of event you want to query. Options include Information, Warning, and Error. Use this optional field to restrict the query to events from a specific source.

4. Click Save. The Script: Edit Detail page appears. 5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information. 6. You can view the Event log in the Computers : Detail page of the particular machine, by selecting Inventory | Computers. In Scripting Logs, under Currently Deployed Jobs & Policies, click the View logs link beside Event Log.

MSI Installer Wizard
This wizard helps you set the basic command line arguments for running MSI based installers. Refer to the MSI Command Line documentation for full details. To create the MSI Installer policy: 1. Select Scripting | Configuration Policy. 2. Click MSI Installer Wizard. The Configuration Policy : MSI Wizard page appears. 3. Enter the following information: Action Software MSI filename User Interaction Select a task from the drop-down list. Options include Install, Uninstall, Repair missing files, and Reinstall all files. Select the application you want to install, uninstall, or modify from the drop-down list. You can filter the list by entering any filter options. Specify the MSI filename if it is a zip. Select an option to specify how the installation should appear to end users. Options include: Default, Silent, Basic UI, Reduced UI, and Full UI. Refer to MSI Command Line documentation for a complete description of the available options. Enter the installation directory. Enter details of any additional installer switches. Additional Switches are inserted between the msiexe.exe and the /i foo.msi arguments.

Installation Directory Additional Switches

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

160

Additional Properties

Enter details of any additional properties. Additional Properties are inserted at the end of the command line. For example: msiexec.exe /s1 /switch2 /i patch123.msi TARGETDIR=C:\patcher PROP=A PROP2=B

Feature List Store Config per machine After install

Enter the features to install. Separate features with commas. Select this box to do per-machine installations only. Select the behavior after installation. Options include: Delete installer file and unzipped files Delete installer file, leave unzipped files Leave installer file, delete unzipped files Leave installer file and unzipped files

Restart Options

Select the restart behavior. Options include: No restart after installation Prompts user for restart Always restart after installation Default

Logging

Select the type(s) of installer messages to log. Press CTRL and click to select multiple message types. Options include: None All Messages Status Messages Non-fatal warnings All error messages Start up actions Action-specific records User requests Initial UI parameters Out-of-memory or fatal exit information Out-of-disk-space messages Terminal properties Append to existing file Flush each line to the log Refer to MSI Command Line documentation for a complete description of the available logging options.

Log File Name

Enter the name of the log file.

4. Click Save. The Script: Edit Detail page appears. 5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

161

UltraVNC Wizard
The UltraVNC Wizard creates a script to distribute UltraVNC to Windows computers on your network. UltraVNC is a free software solution that allows you to display the screen of a computer (via Internet or network) on another computer. You can use your mouse and keyboard to control the other computer remotely. It means that you can work on a remote computer, as if you were sitting in front of it, right from your current location. This wizard creates a script to deploy UltraVNC to your computers. Refer to Ultra VNC website for documentation and downloads. To distribute UltraVNC to the computers on your network: 1. Select Scripting | Configuration Policy. 2. Click UltraVNC Wizard. The Configuration Policy : Ultra VNC Wizard page appears. 3. Specify UltraVNC installation and authentication options: Install Options Install Mirror Driver Check the Mirror Driver box if you want to install the optional UltraVNC Mirror Video Driver. The Mirror Video Driver is a driver that UltraVNC can receive immediate notifications if any screen changes occur. Using it on an UltraVNC server results in an excellent accuracy. The video driver also makes a direct link between the video driver framebuffer memory and UltraWinVNC server. Using the framebuffer directly eliminates the use of the CPU for intensive screen blitting, resulting in a big speed boost and very low CPU load. Refer to Ultra VNC documentation for complete details. Check the Mirror Driver box if you want to install the optional UltraVNC Mirror Video Driver. Provide a VNC password for authentication. If you want to use MS Logon authentication, use MSLogonACL.exe /e acl.txt to export the ACL from your VNC installation. Copy and paste the contents of the text file into the ACL field. It is advisable to look at the script that is generated by this wizard to make sure it is doing something you expect. You can view the raw script by clicking View raw XML Editor on the Script Detail page.

Install Viewer Authentication VNC Password Require MS Logon

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

162

4. Specify UltraVNC miscellaneous options: Disable Tray Icon Disable client options in tray icon menu Disable properties panel Forbid the user to close down WinVNC Select this box if you do not want to display the UltraVNC tray icon on the target computers. Select this check box if you do not want to display client options in the tray icon menu on the target computers and have not you did not check Disable Tray Icon, check this box if. Select this check box to disable the UltraVNC properties panel on the target computers. Select this check box if you do not want to allow computer users to shut down WinVNC.

5. Click Save. The Script: Edit Detail page appears. 6. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information.

Un-Installer Wizard
This wizard allows you to quickly build a script to uninstall a software package. The resulting script can perform three actions: Execute an uninstall command, Kill a process, and Delete a directory. To create an uninstaller script: 1. Select Scripting | Configuration Policy. 2. Click Un-Installer Wizard. The Configuration Policy : Uninstaller page appears. 3. Enter the following information: Job Name Software Item Enter a name for the uninstaller script. Select the software item to uninstall from the drop-down list. The wizard attempts to fill in the correct uninstall command. Verify that the values are correct. Uninstall Command Directory When you select the software item, the wizard attempts to fill in the uninstall command directory, file, and parameters. Uninstall Command File Review the entries to make sure the values are correct. Uninstall Command Parameters Kill Process To have a process killed before executing the uninstall command, enter the full name of the process in the Kill Process field. For example: notepad.exe To have a directory deleted after executing the uninstall command, enter the full name of the directory in the Delete Directory field here. For example: C:\Program Files\An Example App\.

Delete Directory.

4. Click Save. The Script: Edit Detail page appears. 5. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

163

Windows Automatic Update Settings policy
The KBOX provides a way for you to control the behavior of the Windows Update feature. This feature allows you to specify how and when Windows updates are downloaded so that you can control the update process for the computers on your network. The configuration settings reside under the Scripting | Configuration Policy tab. More detailed information can be found at Microsoft's site: KB Article 328010. To modify Windows Automatic Update settings: 1. Select Scripting | Configuration Policy. 2. Click Windows Automatic Update Settings. The Windows Automatic Update Policy page appears. 3. Enter the following information: Automatic (recommended) Download updates for me, but let me choose when to install them. Select this option to enable automatic downloading of Windows Updates. Select this option to ensure that you always receive the latest downloads, but retain the flexibility to decide when to install them.

Notify me but don’t automati- Select this option to provide the additional flexibility in installation of cally download or install them. updates. Note: Beware, this may make your network more vulnerable to attack, if you neglect to retrieve and install the updates on a regular basis. Turn off Automatic Updates Remove Admin Policy. User allowed to configure. Select this option if you are using the KBOX patching feature to manage Microsoft patch updates. Select this option to provide users with the control over the updates downloaded. Note: Beware, this may make end-users, and as a result your network, more vulnerable to attack. Select the interval (in minutes) from the Reschedule Wait Time drop-down list to wait before rescheduling an update if the update fails. Select this checkbox to specify no reboot while a user is logged in.

Reschedule Wait Time

Do not reboot machine while user logged in

4. Enter the details for the SUS Server and SUS Server Statistics. 5. Click Save. The Script: Edit Detail page appears. 6. Enable and set a schedule for this policy to take effect. Refer to “Adding Scripts,” on page 145 for more information. To start the Automatic Windows Update on the client machine: You can start the Automatic Windows Update on the client machine using one of these methods: 1. Enabling automatic windows updates settings policy of the KBOX on the client machine. 2. Enabling local policy for automatic deployment of windows update on the client machine. 3. Modifying the registry key for automatic deployment of windows update on the client machine.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

164

4. Setting up the group policy on the domain for automatic deployment of windows update on the client machine. 5. Configuring the patching functionality for automatic deployment of windows update on the client machine. If you are using the patching functionality for automatic deployment of Windows updates on the client machine, you must disable the automatic deployment of Windows updates on the client machine by any other process to avoid the conflict between the different deployment processes.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

165

C H A P T E R 9 Patching
KBOX Systems Management Appliance patching uses PatchLink’s patented Patch Fingerprint Technology that supports the Windows and Macintosh® operating systems, and many third-party and vendor-supplied applications for both the operating systems. Patches are kept up-to-date with an automatic or on-demand patch feed.
“Overview of the Patch Management feature,” on page 167 “Subscription Settings,” on page 169 “Patch Listing,” on page 169 “Patching Reports,” on page 176

166

Overview of the Patch Management feature
The KBOX Patch Management provides a quick, accurate and secure patch management. It allows you to manage threats proactively by automating the collection, analysis and delivery of patches throughout your network. The patch management feature provides access to the latest security bulletin updates for Windows and Macintosh® platforms. Microsoft updates its list of security bulletins on a periodic basis and new patches are made available for download from the KBOX 1000 Series appliance. The KBOX 1000 Series automatically downloads patch software based on the configured patch settings. To view the patch management page, go to Security | Patching. The Patch Management page appears. The Installation Progress indicator displays: • • Percentage of patches installed out of the total patches scheduled for deployment. Percentage of patching tasks completed for the current patch run.

The Critical Patch Compliance indicator displays the number of critical patches installed from all the detected critical patches. The patch management feature works only on KBOX Agent version 4.0 or higher. For updating KBOX Agent version 3.3, Refer to section Chapter 2,“To update KBOX Agent automatically:,” starting on page 47.

The patch management feature requires a constant connection between the KBOX and the KBOX Agent. This is indicated by the icon on the Inventory list page. For information on how to set up the constant connection, Refer to Chapter 1,“Configuring AMP Settings for the Server,” starting on page 24. Individual agents receive patches from the KBOX or their replication share point. A replication share allows a KBOX Client to replicate software installers to a share for use by other KBOX Clients. This allows them to download software from the share instead of downloading it directly from the KBOX.

Patch Quality Assurance
Lumension Security provides additional value PatchLink Update customers through the content development and quality assurance process. This is done by verifying the patch metadata produced by the content development team, the install and uninstall processes. Also, you need to validate that the patch does not disrupt immediate stability of the targeted operating system and/or the application. The Lumension Security tests, verifies, and certifies patches before the patch deployment. To ensure successful delivery of content, it executes test cases by covering the following test components: 1. Application Testing - Various applications are tested whenever essential, to ensure that the requirements of the patch are satisfied. 2. Testing Strategy - A list of testing strategies is as follows: General Testing: Verifying that the patch-naming convention complies with the Lumension Security policy

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

167

Verifying that the content supports the replication process. Each patch created by the content team is validated with the GSS distribution and Update Server products. Assessment Testing: Verifying that an applicable non-patched system shows applicable and not patched Verifying that a patched system shows installed and not applicable Verifying false positives in the detection of digital fingerprint Verifying that the content is compliant with mandatory baselines Deployment Testing: Verifying that the package is successfully deployable Verifying that No Reboot functionality works correctly Verifying that the uninstall functionality works correctly Verifying the CRC checksum, and ensuring package integrity

Patching enhancements in 4.3
The patching enhancements in the KBOX 1000 4.3 version are as follows: The patch label feature - Enables creating separate patch labels for individual patches, operating systems, and operating system languages. Multiple operating system languages support - Download patches for different operating systems languages such as English, French, Italian, German, and Spanish. Ready-to-deploy downloaded Patches - Downloaded patches are by default, in ready-to-deploy state and no review is required for deployment. Run Detect and/or Deploy on specific patch labels - Limiting detect and/or deploy run to specific patches, operating systems, and operating systems languages by using patch labels. Enhanced content architecture to support patching on KBOX Agent 4.3 from 4.3 Server. Schedule patching on the agents that are not connected to the KBOX Server. Suspend a pending Detect and Deploy run - You can specify a time interval to suspend the tasks in queue. This value is specified in Suspend pending tasks after n minutes from scheduled start field in Patch Schedule : Edit Detail page.

Patching Workflow
The patching feature involves the following steps: 1. Enabling Enhanced Content Settings - Refer to Chapter 16,“To enable enhanced content:,” starting on page 299. 2. Subscribing to the OS and OS languages - Refer to “To configure patch download settings:,” on page 169. 3. Downloading patches for the subscribed OS and OS languages - Refer to Chapter 16,“To update the patch definitions:,” starting on page 299. 4. Displaying the downloaded patches - Refer to “Patch Listing,” on page 169. 5. Detect and/or Deploy run on the machines - Refer to “Detect and Deploy Patches,” on page 172. 6. Viewing the results of Detect and/or Deploy run.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

168

Subscription Settings
The KBOX automatically downloads all new patches available from Microsoft and Apple every day. However, you can modify the patch configuration settings to download only bulletins according to the operating system or operating system languages. To configure patch download settings: 1. Select Security | Patching. The Patch Management page appears. 2. Click Subscription Settings. The Patch Subscription Settings page appears. 3. Scroll down and click the [Edit Mode] link. 4. Under the Select Patches To Download area, select the appropriate Windows and Macintosh® operating systems . Press CTRL to select multiple operating systems. Apple Security updates are also downloaded for Macintosh®.

5. Under the Languages area, select the appropriate operating system languages from those available. You can choose the operating system language only for Windows Platform. The language support is displayed only when EC is enabled on the KBOX Settings | Server Maintenance page. 6. Select the Include Application Patches check box to also include application patches. 7. Click Save to save the patch subscription changes.

Patch Listing
The Patch Listing feature enables you to review the list of available patches, and assign them to labels for detection and deployment. To view the downloaded patches: 1. Select Security | Patching. The Patch Management page appears. 2. Click Patch Listing. The Patch Listing page appears. The downloaded patches appear on the Patch Listing page with the patch status as Active. The patches with an Active status can be deployed on the machines without reviewing them. The Internet Explorer stops responding for few seconds, when the Patch Listing page is opened, till the list of patches is updated.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

169

Using Advanced Search for Patching
Searching the patch listing using keywords such as Microsoft Excel or Acrobat does not always give you the level of specificity you need. However, advanced search allows you to specify values for each field present in the record and search the entire patch listing for that value. To specify advanced search criteria: 1. Select Security | Patching. The Patch Management page appears. 2. Click Patch Listing. The Patch Listing page appears. 3. Click the Advanced Search tab. 4. Specify your search criteria from the following: Year Severity Language OS Patch Label Select the appropriate year from the drop-down list. Select the severity from the drop-down list. Select the language from the drop-down list. Select the operating system from the drop-down list. Select the appropriate label from the drop-down list. Note: If you select the label, only patches assigned to that label are displayed. Select the appropriate status from the drop-down list. Select the patch type from the drop-down list. Enter keywords in the text box, if any. Select the check box to search for patches that have deployment errors. Select the check box to search for patches that were detected but not deployed.

Status Patch Type Description Deployment Errors Detected

5. Click Search. The patches are displayed as per the search criteria in the Patch Listing page.

Using Saved Search
You can also specify and save the search criteria using the saved search. You can use the created search criteria, created thus, to search for the same patches in the subsequent releases of KBOX. To create a saved search criteria: 1. Select Security | Patching. The Patch Management page appears. 2. Click Patch Listing. The Patch Listing page appears. 3. Click the Create Saved Search button. 4. Specify the search criteria from the following: Year Severity OS Language Select the appropriate year from the drop-down list. Select the severity from the drop-down list. Select the operating system from the drop-down list. Select the language from the drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

170

Patch Label

Select the appropriate patch label from the drop-down list. Note: If you select a patch label, only patches with the assigned patch label are displayed. Select the appropriate status from the drop-down list. Select the patch type from the drop-down list. Enter keywords in the text box, if any. Select the check box to search for patches that have deployment errors. Select the check box to search for patches that were detected. Specify the name of the search.

Status Path Type Description Deployment Errors Detected Saved Search Name

5. Click Test Search to display the search results. 6. Click Create Search to create the saved search. The saved search created thus, appears in the View by drop-down list under View by Saved Search field in the patch listing page.

Applying Patch Label
You can apply patch label to the patches either by using the Patch filter or by manually assigning a label to the patches. To apply a patch label using the patch filter: 1. Select Security | Patching. The Patch Management page appears. 2. Click Patch Listing. The Patch Listing page appears. 3. Click the Create Patch Filter button. 4. Specify the criteria from the following: Title Description Identifier Vendor Operating System Importance Release Date Patch Type Architecture Language Enter the title of the patch. This title is displayed in patch listing page. Enter the description of the patch. This description is displayed in the summary section of the Patch : Detail page. Enter the identifier of the patch. The Identifier is displayed under the ID column in the Patch Listing page. Enter the vendor of the patch. The vendor is displayed in the vendor field in the Patch : Detail page. Select the appropriate operating system from the drop-down list. Select the appropriate level of importance from the drop-down list Enter the release date of patch. This date is displayed in the Patch Listing page. Select the appropriate patch type from the drop-down list. Select the appropriate architecture from the drop-down list. Select the appropriate operating system language from the drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

171

Associate to Label

Select the label you wish to apply to the patches matching the filter criteria. Refer to Chapter 3,“Labels,” starting on page 84 for more details.

5. Click Test Patch Filter to display the search result based on the entered criteria. 6. Click Create Patch Filter. The patch label gets applied to the subsequent downloaded patches matching the patch filter criteria. You can view the label applied to the patch in the patch detail page. To apply patch label manually to the patches: 1. Select the patch you want to apply the label to. 2. Select the appropriate label to apply from the Choose action drop-down list. The applied label for the specific patch is displayed in the patch detail page.

Detect and Deploy Patches
The Detect and Deploy Patches feature allows you to create schedules for detecting and deploying patches. These schedules are used to define when patch detection and deployment will run on a set of machines. To create a schedule: 1. Select Security | Patching. The Patch Management page appears. 2. Click Detect and Deploy Patches. The Patch Schedules page appears. 3. Select Add New Item in the Choose action drop-down list. The Patch Schedule : Edit Detail page appears. 4. Enter the following details: Schedule Description Patch Action Enter the schedule name here. Select the appropriate patch action from the drop-down list. Detect: Detect patches on the target machines. Detect and Deploy: Detect and deploy patches. Deploy: Deploy patches on the target machines. Note: The results of detection and deployment are displayed under the Patching Detect/Deploy Status area on the Computer Detail page in Inventory | Computers. For more information on computer details, Refer to Chapter 3,“Computers Inventory,” starting on page 58. 5. Specify following under Machine Selection details, Run on All Machines Limit Run To Selected Labels Select the check box to run the schedule on all the machines. Click OK in the confirmation dialog box. You can limit the schedule to run on one or more labels. Press CTRL to select more than one label.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

172

Limit Run To Machines

You can limit the schedule to run on one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options. You can limit the schedule to run on machines with specific operating systems. Press the CTRL key to select more than one label. Use this option in conjunction with “Limit Run to Selected label” or “Limit Run to Machines” to filter the machine list further, based on the selected operating system.

Limit Run To Machines With Selected Operating Systems

6. Specify the following under Detect Patch Label Selection details: Detect All Patches Limit Detect To Selected Patch Labels Select the check box to detect all patches of the respective OS of the selected machines. This field is displayed only if the Detect All Patches check box is not selected above. Press CTRL to select more than one label. You can use this option to run the detect operation only for specific patches. Only those patches that are applied with the selected label are considered for detect operation. This helps to limit the number of patches for detect operation. This field is displayed only if the Detect All Patches check box is not selected above. The patch labels selected in Limit Detect to Selected Patch Labels are displayed in this field.

Detect Patch Labels

7. Specify the following under Deploy Patch Label Selection details: Deploy All Patches Limit Deploy To Selected Patch Labels Select the check box to deploy all patches. A pop-up window opens, click OK to proceed. You can limit the patch deployment to run on one or more machines. Press CTRL to select more than one machine. You can use this option to run the deploy operation only for specific patches. Only those patches that are applied with the selected label is applied are considered for deploy operation. This helps you to limit the number of patches for deploy operation. The patch labels selected in Limit Deploy to Selected Patch Labels are displayed in this field. Select the check box to limit the deployment of patches on the machines having labels (i.e. machine label) similar to the ones applied on the patches (i.e. patch label). This way only those patches, with a patch label similar to the machine label, get deployed on the machine.

Deploy Patch Labels Limit Patches To Matching Machine Labels

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

173

8. Specify the following under Deploy Reboot Options details: Reboot Options Select the appropriate reboot option from the drop-down list. Note: This option may not display patches in the Inventory list page and cause certain machines to become unstable. Therefore, rebooting the machine is necessary for patches that require a reboot. No Reboot The machine does not reboot. Prompt User The machine prompts the user to reboot. Specify the following details: Reboot Message: Enter a message prompting the user to reboot. Message Timeout: Enter the timeout, in minutes, for which the message is displayed. Timeout Action: Select an appropriate action from the drop-down list to execute after message timeout. You can either reboot the machine immediately by selecting the Reboot Now option or can delay the machine reboot by selecting the Reboot Later option. Reprompt Interval: This action is executed if you have select the Reboot Later option in Timeout Action. Enter the interval, in minutes, after which you are again prompted for reboot. Force Reboot The machine reboots immediately after the patches are deployed. Specify the following details: Reboot Message: Enter a message that tells the user the machine is going to reboot. Message Timeout: Enter the timeout, in minutes, for which the message is displayed. Note: These options allow users to save their work before the machine reboots. 9. Specify the following under Patch Schedule details: Don’t Run on a Schedule Run Every n hours Run Every day/specific day at HH:MM AM/PM Select this option to run the schedules with an event instead of a specific date or at a specific time. Select this option to run the schedules at the specified time. Select this option to run the schedules on specified day at the specified time.

Run on the nth of every month/ Select this option to run the tests on the specified time on the 1st, specific month at HH:MM AM/PM 2nd, or any other date of every month or only the selected month. Run custom Refer to “To create a custom patch schedule:,” on page 175 for more details.

Run on next connection if offline Select this option to run a Detect and/or Deploy operation on those client machines that are offline. Detect and/or Deploy run happens on those machines when they get connected to KBOX Server.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

174

Suspend pending tasks after n minutes from scheduled start

You can suspend the pending tasks that are in queue for a time interval as specified in this field. For example, you schedule a Detect and Deploy run and specify the time interval of 10 minutes from the scheduled start. If Detect run gets completed after 12 minutes, the Deploy run does not happen, as the time specified for deploy run to start has elapsed.

10. Click Save to save the schedule. To create a custom patch schedule: You can create a custom patch schedule by entering five values separated by space, while creating the unix crontab entries: Crontab has five field values. Starting from left, the first denotes the minute value (that is 0-59). Second denotes the hour value (that is 0-23). Third denotes the value for the day of the month (that is 1-31). Fourth denotes the value for the month (that is 1-12). Fifth denotes the value for the day of the week (that is 0-6). For example, 15 * * * * * refers to the patch schedule which runs at 15 minutes, every hour, every day, for all the months. To delete a schedule: 1. Select Security | Patching. The Patch Management page appears. 2. Click Detect and Deploy Patches. The Patch Schedules page appears. 3. Select the patch schedule that you want to delete. 4. Select Delete Selected Item(s) in the Choose action drop-down list. 5. Click Yes to confirm deleting the schedule. To run a scheduling action: 1. Select Security | Patching. The Patch Management page appears. 2. Click Detect and Deploy Patches. The Patch Schedules page appears. 3. Select the check box beside the schedule(s) you want to run. 4. In the Choose action drop-down list, select Run Selected Item(s) Now under Scheduling Action. 5. Click Yes to confirm the action. Patching for the Microsoft Windows Vista x 64 edition is supported only with KBOX Agents 4.3 and higher.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

175

Patching Reports
There are several ways you can access patching results. To see which patches were unsuccessful, for example, you could sort the Patch Listing page by Bulletins with Errors. For more details about patching status you can Refer to the Computer Detail page in Inventory | Computers. For more information on computer details, Refer to Chapter 3,“Computers Inventory,” starting on page 58. To view patching reports: 1. Select Security | Patching. The Patch Management page appears. 2. Click Reporting. The KBOX Reports page appears, with patching selected in the view by category drop-down list. This page provides quick links for viewing reports on: Critical Bulletin List For each Machine, which patches are installed For each Patch, which machines have it installed How many computers have each Patch installed Installation Status of each enabled Patch Machines not compliant by patch Machines that failed to patch by patch Needs Review Bulletin List Patches waiting to be deployed To generate a report output, click the desired format type (HTML, PDF, CSV, TXT, or XLS).

Creating a Replication Share for Patches
A Replication Share allows a KBOX Agent to replicate software installers to a share for use by other KBOX Agents. This allows KBOX Agent machines to download patch software from the share instead of directly from the KBOX. This is useful if you have machines in a remote office where downloading the software once for each machine would impact the network. For more information about creating Replication Shares, Refer to Chapter 6,“Replication,” starting on page 127.

Create New Windows Update Policy
The KBOX provides a way for you to control the behavior of the Windows Update feature. This feature allows you to specify how and when Windows updates are downloaded so that you can control the update process for the computers on your network. The configuration settings reside under the Scripting | Configuration Policy tab. For more information about this policy, Refer to Chapter 8,“Windows Automatic Update Settings policy,” starting on page 164.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

176

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

177

C H A P T E R 10 Security
The optional KBOX Security Enforcement and Audit Module allows you to run vulnerability tests on your network using Open Vulnerability and Assessment Language (OVAL). This feature is available only for computers that run on the Windows operating system.
“Security Module Overview,” on page 179 “OVAL Tests,” on page 180 “OVAL Settings,” on page 182 “Vulnerability Report,” on page 183 “Computer Report,” on page 184 “Creating Security Policies,” on page 184

178

Security Module Overview
If you purchased the optional KBOX 1000 Series Security Enforcement and Audit Module, you can ensure the health of your network. You can run vulnerability tests on the computers in your network, and using the results of these tests you can determine how to bring the computers back into compliance. You can customize security policies to enforce certain rules, schedule tests to run automatically, and run reports based on testing results thus obtained. The KBOX 1000 Series Security Enforcement and Audit Module uses Open Vulnerability and Assessment Language (OVAL), an internationally recognized standard to detect security vulnerabilities and configuration issues on computer systems. OVAL is compatible with the Common Vulnerabilities and Exposures (CVE) list, which provides common names used to describe known vulnerabilities and exposures. The ability to describe vulnerabilities and exposures in a common language makes it easier to share security data with other CVE-compatible databases and tools. Note that the OVAL tests available with your KBOX when it is first installed might be out of date. After installation, the KBOX will automatically check for nightly updates. To view OVAL information, select Reporting | Summary. The KBOX Summary Page appears. Click View Details. The details are displayed on the KBOX Summary Details page.

About OVAL and CVE
OVAL relies on definitions submitted by members of the security community on the Community Forum, by MITRE Corporation, or by the OVAL Board, to detect vulnerabilities on your network. OVAL uses the vulnerabilities on the CVE List (Common Vulnerabilities and Exposures List) as the basis for most of its definitions. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. Any new information about a vulnerability that is uncovered as a result of discussions on the Community Forum is sent to the CVE Initiative for possible addition to the list. For more information about CVE visit http://cve.mitre.org. OVAL definitions pass through a series of phases before being released. Depending on where a definition is in this process, it is assigned the status of DRAFT, INTERIM, or ACCEPTED. Other possible values for status are Initial Submission and Deprecated. For more information about the stages of OVAL definitions, visit http://oval.mitre.org/about/stages.html. Status DRAFT INTERIM Description Definitions with this status have been assigned an OVAL ID number and are under discussion on the Community Forum and by the OVAL Board. Definitions with this status are under review by the OVAL Board and available for discussion on the Community Forum. Definitions are generally assigned this status for two weeks, unless further changes or discussion are required.

ACCEPTED Definitions with this status have passed the Interim stage and are posted on the OVAL Definition pages. All history of discussions surrounding Accepted definitions are linked from the OVAL definition. Table 10-1: OVAL status definition descriptions

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

179

OVAL Tests
The KBOX checks for nightly updates to the list of available OVAL definitions. Definitions are displayed on the OVAL Tests tab, along with their associated OVAL ID and CVE Number. Search for a specific OVAL test by operating system, vulnerability, or by OVAL ID or CVE Number. To view the list of OVAL definitions, select Security | OVAL. The OVAL Scan page appears. To view the details of a test, click the linked definition OVAL Tests on the OVAL Scan page to view the OVAL Tests page. Click on any Description link in the OVAL Tests list to view the OVAL details. The OVAL Tests : Definition page appears. When OVAL tests are enabled, all of the available OVAL tests are run on the target machines.

Definition Status

The steps used to test for the vulnerability Click the OVAL-ID or Ref-ID for more details about a vulnerability

The computers detected to have this vulnerability along with the IP Address and the operating system will be listed here Figure 10-2: OVAL Test Definition page OVAL Test details do not indicate the severity of the vulnerability. Use your own judgment when determining whether to test your network for the presence of a particular vulnerability.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

180

The table below contains an explanation of the fields found on the OVAL Tests Definition page: Field OVAL-ID Description Click the OVAL-ID to visit an external website with more details about the vulnerability. The status of the vulnerability follows the OVAL-ID. Possible values are DRAFT, INTERIM, or ACCEPTED. Indicates the nature of the vulnerability. Possible values are: compliance, deprecated, patch, and vulnerability. Click the Ref-ID to visit an external website for more details about the vulnerability. The common definition of the vulnerability as found on the CVE list. Specifies the testing steps used to determine whether or not the vulnerability exists.

Class Ref-ID Description Definition

Table 10-3: OVAL Test Definition page fields The table at the bottom of the page displays the list of computers in your network that contain this vulnerability. For convenience, a printer-friendly version of this data is available.

Running OVAL Tests
The KBOX runs OVAL tests that are automatically based on the schedule specified in OVAL Settings. Because OVAL Tests take up a considerable amount of memory and CPU, they will impact the performance of the target machines. OVAL Tests take between 5 and 20 minutes to run. Therefore, to minimize the disruption to your users, it is best to run OVAL Tests once a week, or once a month during off hours when your users are least likely to be inconvenienced. For example, you may want to schedule OVAL to run tests on the Saturday of every week. If you are running OVAL Tests periodically or if you want to obtain the OVAL test results for only a few selective machines, you can assign a label to those machines and use the Run Now Function to run OVAL Tests on those machines only. For more information about the Run Now Function, see “Using the Run Now function,” on page 154.

OVAL Updates
The KBOX checks www.kace.com for new OVAL definitions every night, but you should expect new definitions every month. If you have OVAL tests enabled, the KBOX will download new OVAL definitions to all client machines on the next scripting update interval whenever a new package becomes available, regardless of the OVAL schedule settings. The .zip file that contains the updates could be up to 2MB, so use caution when enabling OVAL Tests for the computers on your network, as the size of the package could impact the performance of users’ machines, particularly those on dialup connections. For this reason, a good rule to follow is to only enable OVAL Tests when you want to run them. For example, if you wanted to schedule OVAL Tests to run on January 1st, you could disable them on January 2nd, and not enable them again until close to the next time you want them to run. Any OVAL updates that are pulled down while the OVAL Tests are disabled will be stored on the KBOX and only pushed out to the target machines when enabled again.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

181

OVAL Settings
You can configure OVAL scan settings using this link. You should exercise caution when applying OVAL settings. To specify OVAL settings: 1. Select Security | OVAL. 2. Click OVAL Settings. The OVAL Settings & Schedule page appears. 3. Specify the Configuration settings: Enabled Allow Run While Disconnected Allow Run While Logged Off Run OVAL on the target machines. Only enabled OVAL Tests will run when you want to run them. Run OVAL on the target machines, but store test results on the target machine until they can be uploaded to the KBOX. Run OVAL even if a user is not logged in. With this turned off, the script will only run when a user is logged into the machine.

4. Edit deployment settings as shown in the following table:
Deploy to All Machines Limit Deployment To Selected Labels Limit Deployment To Listed Machines Select this check box if you want to deploy the OVAL settings to all the Machines. Click OK in the confirmation dialog box. You can limit the deployment OVAL settings to one or more labels. Press CTRL and click to select more than one label. Current Labels will display the current ones. You can limit deployment to one or more machines. From the drop-down list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options. Click Remove to remove the machine (s). Select the operating system to which you want to limit deployment. Press CTRL and click to select more than one operating system. Note: Leave this setting field as blank to deploy to all operating systems.

Supported Operating Systems

5. In the Scheduling area, specify the time and frequency for running OVAL: Don’t Run on a schedule Tests will run in combination with an event rather than on a specific date or at a specific time. Use this option in combination with one or more of the “Also” choices below. For example, use this option in conjunction with “Also Run at User Login” to run whenever the user logs in. Test will run on every hour and minutes as specified. Test will run on the specified time on the 1st, 2nd, or any other date of each month or the selected month.

Run Every n minutes/hours Run on the nth of every month/ specific month at...

Run Every day/specific day at ... Test will run on the specified time on the specified day.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

182

Custom Schedule

This option allows you to set an arbitrary schedule using standard cron format. For example, 1, 2, 3, 5, 20-25, 30-35, 59 23 31 12 * * means: On the last day of year, at 23:01, 23:02, 23:03, 23:05, 23:20, 23:21, 23:22, 23:23, 23:24, 23:25, 23:30, 23:31, 23:32, 23:33, 23:34, 23:35, 23:59. The KBOX doesn’t support the extended cron format. If this option is selected, the OVAL test will run once at next client checkin. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance. If this option is selected, test will run at machine boot up. It is recommended to avoid this option because it will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance. If this option is selected, test will run when the user logs in. It is recommended to avoid this option because this option will run tests when the user’s machine is in use. Selecting this option could impact the machine’s performance.

Also Run Once at next Client Checkin

Also Run at Machine Boot Up

Also Run at User Login

6. Click Run Now to run the script immediately. The Run Now button only runs tests on the machines selected in the Deployment area, specified in steps 3 and 4 above. For more information about Run Now, see “Using the Run Now function,” on page 154.

Vulnerability Report
The Vulnerability Report link displays a list of all of the OVAL Tests that have been run. At a glance, you can see which OVAL Tests failed and the number of computers that failed each OVAL test. From the test detail view, you can see all the computers that failed that OVAL Test and you can assign a label to those machines so that you can patch them at a later time. To apply a label to affected machines 1. Select Security | OVAL. 2. Click Vulnerability Report. The OVAL Report page appears. 3. Select the check box beside the test you want to apply a label to. 4. Select the appropriate label under Apply label to Affected Machines from the Choose action drop-down list. In addition, you can search tests by making the appropriate selection under View by and View by class options from the drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

183

Computer Report
The Computer Reports link offers a list of machines with OVAL results where you can see a summary of tests run on specific computers. The label under the Machine column in the OVAL Computer Report page is the KBOX inventory ID assigned by the Inventory module. For more information about any of the computers on the report, click the linked machine name to go to the computer’s Inventory Detail page.

Creating Security Policies
The KBOX 1000 Series Security Module includes several wizards that can help you create security policies to manage the computers on your network. To view the list of available security policies you can create, select Scripting | Security Policy. This section includes descriptions of the settings for each of the policies you can create. You can create policies using the policy wizard screens. After you click Save, the Scripting tab appears where you can specify when to run the script and which machines are targeted. If you want to modify a script that was created using one of these wizards, you can either re-edit it using the wizard or you can edit the script in the KBOX script editor. Opening the script in the regular KBOX script editor is also a useful way to determine exactly what actions the script performs. Available wizards include: Enforce Internet Explorer Settings Enforce XP SP2 Firewall Settings Enforce Disallowed Programs Settings Enforce McAfee AntiVirus Settings McAfee SuperDAT Updater Enforce Symantec AntiVirus Settings Quarantine Policy Lift Quarantine Action

Enforce Internet Explorer Settings
This policy allows you to control user’s Internet Explorer preferences. You can choose to control some preferences, while leaving others as user-defined. Policy settings enforced by you will overwrite the users’ corresponding Internet Explorer preferences. Because this script modifies user settings, you will need to schedule it to run when the user is logged in. To set the Internet Explorer settings policy: 1. Select Scripting | Security Policy. 2. Click Enforce Internet Explorer Settings. The Security Policy : Internet Explorer Policy appears. 3. In the User Home Page area under Internet Explorer Configurator, select the Enforce User Home Page policy check box, then specify the URL to use as the home page. The User Home Page policy forces the users' home pages to the specified page.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

184

4. In the Security area, select the Enforce Internet Zone settings policy check box, then choose the security level. The Security zone policies allow you to specify the security level for each zone. 5. Select the Enforce Local Intranet Zone settings policy check box, then choose the security level. 6. Set the following options: Include all local (intranet) sites not listed in other zones Include all sites that bypass the proxy server Include all network paths (UNCs) 7. Select the Enforce Trusted Zone settings policy check box, then choose the security level. 8. Select the Enforce Zone Map check box, then specify the IP addresses or ranges for the following zones: Restricted sites Locale Intranet sites Trusted sites The Zone Map allows you to assign specific domains and IP ranges to zones. Note: Domains not listed, default to the Internet Zone. 9. Select the Enforce Privacy settings policy check box, then set the Cookie policy. Privacy policies allows you to control the cookies that are accepted by Internet Explorer from the Internet Zone. 10. Select the Enforce pop-up settings policy check box, then set the following options: Pop-up filter level Websites to allow 11. Click Save. The Script: Edit Detail page appears. 12. Enable and set a schedule for this policy to take effect.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

185

Enforce XP SP2 Firewall Settings
This policy enables you to enforce firewall settings on target computers running Windows XP with Service Pack 2. You can enforce different policies based on whether the target computer is authenticated with a domain controller, or is accessing the network remotely, from home or through a wireless hotspot. If your target computer has authenticated with a domain controller, it uses the Domain Policy; otherwise, it uses the Standard Policy, so you might want to configure it to impose tighter restrictions. To set the XP SP2 Firewall settings policy: 1. Select Scripting | Security Policy. 2. Click Enforce XP SP2 Firewall settings. The Security Policy : XP Firewall Config page appears. There are two types of policies described under Windows XP SP2 Firewall Configurator area. Domain Policy: This firewall policy will be used when the desktop computer has authenticated with a domain controller. If you do not have a domain controller, use the Standard Policy configuration. Standard Policy: This firewall policy will be used when the desktop computer has not authenticated with a domain controller. For example, when a laptop user is at home or using a Wi-Fi hotspot. This configuration is more restrictive than the Domain Policy. 3. In either the Domain Policy or Standard Policy areas, indicate whether Firewall is Enabled, Disabled, or if No Policy is in effect. If the firewall is enabled, the policy settings will override any settings the user may have set. If the firewall is disabled, the user will not be able to enable the firewall. If the firewall is set to no policy, the user's configuration for the firewall will be used. The following fields are available only if you select the Enabled option for Firewall. 4. Select or clear the Enable logging check box, then specify a location and name for the log file. By default, the log is stored in: C:\Program Files\KACE\firewall.log. Enable Logging check box will enable the firewall to log information about the unsolicited incoming messages that it receives. The firewall will also record information about messages that it blocks as well as successful inbound and outbound messages. 5. Select or clear the check boxes for the following settings: Allow WMI traffic Enables inbound TCP traffic on ports 135 and 445 to traverse the firewall. These ports are necessary for using remote administration tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). Enables inbound TCP traffic on port 3389 to traverse the firewall. This port is required for the computer to receive Remote Desktop requests. Enables inbound TCP traffic on ports 139 and 445, and inbound UDP traffic on ports 137 and 138. These ports are required for the machine to act as a file or printer sharing server. Enables inbound TCP traffic on port 2869 and inbound UDP traffic on port 1900. These ports are required for the computer to receive messages from Plug-and-Play network devices, such as routers with builtin firewalls.

Allow Remote Desktop

Allow file and printer sharing

Allow Universal Plug-and-Play (UPnP)

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

186

6. To specify Inbound Port Exceptions, click Add Port Exception. Inbound Port Exceptions enables additional ports to be opened in the firewall. These may be required for the computer to run other network services. An Inbound port exception is automatically added for port 52230 for the KACE Client Listener, which is required to use the Run Now functionality. 7. Specify a Name, Port, Protocol, and Source for the exception. 8. Click Save. The Script: Edit Detail page appears. 9. Enable and set a schedule for this policy to take effect.

Enforce Disallowed Programs Settings
This policy allows you to quickly create a script that prevents certain programs from running on the target machines. After the resulting script is executed on a target machine, these policies take effect only after the next reboot of that machine. On Windows XP or 2000, you can add a shutdown command as the last step of the script to force a reboot, which will enable the policy to take effect immediately. The script created as a result of this wizard will overwrite any disallowed program settings on the target machines.

To set the Disallowed Programs settings policy: 1. Select Scripting | Security Policy. 2. Click Enforce Disallowed Programs Settings. The Security Policy : Enforce Disallowed Programs page appears. 3. Specify a name for the policy. 4. Select or clear the Disallow programs check box. When checked, all disallowed programs will be prevented from running. When unchecked, all programs will be allowed to run. 5. Add disallowed programs. To prevent Notepad from running, for example, enter notepad.exe. Note: You can add more than one program. 6. Click Save. The Script: Edit Detail page appears. 7. Enable and set a schedule for this policy to take effect.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

187

Enforce McAfee AntiVirus Settings
This policy allows you to configure selective McAfee VirusScan features to be installed on all computers. This policy works with McAfee VirusScan version 8.0i and verifies that the software is installed with the configuration you specify here. It also confirms that the On Access Scanner (McShield) is running. You will need to zip the McAfee VirusScan installation directory and upload it here. A Software Inventory item will be created automatically if it does not already exist. To set the McAfee AntiVirus settings policy: 1. Zip the McAfee VirusScan installation directory. 2. Select Scripting | Security Policy. 3. Click Enforce McAfee AntiVirus Setting. The Security Policy : McAfee Policy Enforcement page appears. 4. Click Browse to search for the McAfee zip file. 5. Use the User Interaction drop-down list to specify how the installation should appear to your users. For a description of the available options, Refer to the McAfee documentation. 6. Select the McAfee AntiVirus features to install. Press CTRL and click to select multiple features. To install the Alert Manager, use the McAfee tools to include the Alert Manager installation files in the deployment package. Please consult the McAfee documentation for specific information about the features available here. 7. Select or clear the following check boxes: Enable On Access Scanner Lockdown VirusScan Shortcuts Preserve earlier version settings Remove other anti-virus software 8. Specify the location on the target machine where the following files will be installed: McAfee installation Alert Manager SITELIST.XML Desktop Firewall EXTRA.DAT 9. Select the information you want to log. Press CTRL and click to select multiple log items. 10. Enter a filename for the log. 11. Enter any additional arguments. 12. Select the appropriate reboot option from the drop-down list. 13. Enter the behavior following installation. Select appropriate options for AutoUpdate and Scan from the drop-down lists. 14. Click Save. The Script: Edit Detail page appears. 15. Enable and set a schedule for this policy to take effect.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

188

McAfee SuperDAT Updater
This policy allows you to build a script for applying McAfee SuperDAT or XDAT updates. There are several steps involved in creating this script: Specifying the update files and reboot behavior on the target machines Selecting the software package(s) to push to target machines during update Verifying network scan status To create the McAfee update script: 1. Select Scripting | Security Policy. 2. Click McAfee SuperDAT Updater. The Security Policy: McAfee SuperDAT Configurator page appears. 3. Enter a file name and then click Browse to search for the SDAT or XDAT file. 4. Set update options: Install Silently Prompt for Reboot Reboot if Needed Force Update 5. Click Save. The Script: Edit Detail page appears. 6. Enable and set a schedule for this policy to take effect. This option causes the update to be installed without showing a UI on the target computers. Use this option to make the update prompt the user before rebooting. Use this option with the "Install Silently" option. This option causes the update to reboot the machine as needed. If this options is not used, a silent installation will not reboot the machine. Use this option to always update all file versions, even if the machine already appears to have the latest versions.

Enforce Symantec AntiVirus Settings
This policy allows you to configure which Symantec AntiVirus features are installed. It verifies that the software is installed with the configuration you specify here. This policy is intended to be run periodically to ensure that Symantec AntiVirus is installed, configured, and running properly, not only upon initial installation.

You will need to create a Software inventory item and upload the Symantec AntiVirus.msi file to be distributed.

To set the Symantec AntiVirus settings policy: 1. Select Scripting | Security Policy. 2. Click Enforce Symantec AntiVirus Settings. The Security Policy: Symantec AntiVirus page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

189

3. Specify the Action to perform. Install Uninstall Repair missing files Reinstall all files 4. Select the software package to use for this script. 5. If the software package is zipped, enter the MSI file name. 6. Use the User Interaction drop-down list to specify how the installation should appear to your users. 7. Specify the install directory. 8. Specify any additional switches. 9. Specify any additional properties. 10. Specify behavior after installation. 11. Select the information you want to log. Press CTRL and click to select multiple items. 12. Enter a filename for the log. 13. Select a NETWORKTYPE from the Network Management drop-down list. 14. Specify the server name, if required. This field is mandatory if you select Managed from Network Management drop-down list. 15. Set the AutoProtect option. 16. Set the Disable SymProtect option. 17. Set the Live Update behavior. 18. Select the features you want to install. Press CTRL and click to select multiple items. Please consult the Symantec documentation for specific information about the options available here. You must include the SAVMain feature for this script to work properly, although this wizard does not enforce that.

19. Click Save. The Script: Edit Detail page appears. 20. Enable and set a schedule for this policy to take effect. You can/should look at the script that is generated by this wizard to make sure it is doing what you expect. You can view the raw script by clicking To edit the policy using this editor, click here on the Script detail page.

Quarantine Policy
Use this wizard to create a script that you can use to quarantine computers. The script that is created as a result of this wizard is merely a template. Use the script editor to modify the template script and add the appropriate verification steps to decide which computers to quarantine.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

190

When a computer is under quarantine, all communication from it is blocked except for communication to the KBOX Server, therefore use care when performing this action. If you were to deploy this accidentally to all machines on your network, you could take your network down very quickly. After a user’s machine is in quarantine, it cannot be reversed without intervention by the KBOX administrator. The user will not be able to recover from this without you taking some action. Quarantined computers only have access to the KBOX Server in order to receive a Run Now event to lift the quarantine. To set the Quarantine policy: 1. Select Scripting | Security Policy. 2. Click Quarantine Policy. The Security Policy: Quarantine page appears. 3. Specify a Policy Name. This field is optional. It could be helpful to assign a meaningful name that relates to the vulnerability so that you can lift the quarantine later once that vulnerability is resolved. 4. Leave the KBOX SERVER IP unchanged. 5. Specify the DNS Server IP address. 6. Modify the Message dialog text as required. This message is displayed to users prior to placing their computer in quarantine. 7. Modify the description text as required. 8. Click Save. The Script: Edit Detail page appears. 9. Enable and set a schedule for this policy to take effect. Modify the Verify steps to determine the conditions under which you want the quarantine to take effect. Although it will not be enabled automatically, it will be configured to deploy to everyone. For more information on how to modify the verify steps, Refer to Chapter 8,“Adding Scripts,” starting on page 145. For example, you can add a step under verify, to check whether the file KBOXClient.exe exists on the target machine. You can define a log message, create a message window or launch a file. The file kbq2.exe will be launched for quarantine.

Lift Quarantine Action
Assuming you have a machine that has been quarantined from the network using the KBOX Quarantine application, you can use this to turn off the quarantine. To set the Lift Quarantine Action policy: 1. Select Scripting | Security Policy. 2. Click Lift Quarantine Action. The Security Policy: Lift Quarantine Action page appears. 3. Select the label under Labeled Computers area for the quarantined machines or select the specific machine under Specific Computer(s) area to remove the quarantine. You can filter the machine list by entering any filter options. 4. Click Send Lift Quarantine Now.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

191

If there are a lot of computers in quarantine, it will take some time for all of them to receive and process the request.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

192

C H A P T E R 11 User Portal and Help Desk
The KBOX Help Desk provides an online area for you to upload software library, support documents, and other self-help tools. The optional KBOX Help Desk Module adds the ability to create, track, and manage Help Desk tickets.
“Overview of the User Portal,” on page 194 “Understanding the Software Library feature,” on page 195 “Using the Knowledge Base,” on page 197 “Managing Users,” on page 199 “Roles,” on page 203 “Overview of the Help Desk Module,” on page 206 “Helpdesk Queues,” on page 207 “Customizing Help Desk fields,” on page 210 “Help Desk E-mail Customization,” on page 213 “Ticket Rules,” on page 214 “Creating and Editing Help Desk Tickets,” on page 217 “Managing Help Desk Tickets,” on page 221 “Running Help Desk Reports,” on page 223

193

Overview of the User Portal
The User Portal enables the users to download software, run scripts, have software installed for them automatically, track computer info, and view a record of what they have downloaded. You can log onto the User Portal by visiting the root URL of the KBOX machine name (for example, http://kbox/). Although users can access the User Portal even if they do not have KBOX Agent installed on their machine, they will not be able to run installations or scripts. The User Portal is administered from the User Portal tab. If you have purchased the optional KBOX Help Desk Module, additional tabs or options are added to the ones described below. For more information about using the features added by the Help Desk Module, see “Overview of the Help Desk Module,” on page 206.

End User View of the User Portal
The tabs listed here are by default. These can be turned on or off depending on the role of the user viewing the user portal. For details on how to change roles Refer to “Creating and Editing Roles,” on page 204. The end-user view of the User Portal displays the following tabs: Welcome—Users enter login credentials from this screen. Software Library—Displays available software for download or automatic install. My Computer—Displays status information about the user’s computer. License Keys—Lists license information for installed software, as available. Help Desk—Users create or edit a Help Desk ticket using this tab. Knowledge Base—Provides access to Knowledge Base articles authored by the administrator. Download Log—Displays a log of software downloaded and installed on the user’s computer. Users can also filter the views for Software Library or Knowledge Base by using keywords to narrow their search.

Administrator View of the User Portal
As an administrator logged into the administrator UI, you can create and push packages, define Knowledge Base articles, and specify which users can connect to the User Portal. The User Portal tab displays the following tabs: Software Library—Packages can be scripts, software packages, documentation, or other media. Knowledge Base—Knowledge Base articles include software notices, instructional content, IT reference documentation, self-help information, and any other specific content intended for the end users. Users—This user information is used to authenticate users of the KBOX Help Desk. Users can be "tagged" with labels in order to define which packages they can access through the portal. Roles—Roles are used for setting permissions for each user on different tabs in the Administrator Console and the User Portal. The sections that follow will focus on the administrator view of the User Portal and describe the process to create packages and Knowledge Base articles. It also describes managing user access to the User Portal.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

194

Understanding the Software Library feature
Software Libraries are deployed to end users via the KBOX User Portal. This "self service" portal allows individuals to download and install software or documents on their own in a controlled environment. The software library you create from the Software Library tab are available for download on the Software Library tab of the User Portal. From the Software Library tab you can create or delete software library, sort software library by label or column header, and search for software library using keywords.

Creating a software library to deploy
The Software Library tab allows you to specify the components of the software library you want to make available to your end users; it does not allow you to upload software or author scripts. Any software or scripts that you want to include in a software library must already exist on the KBOX Software Inventory or Scripting tabs. Along with the software library, you can choose to post cost information, documentation, or other instructions for your users. Any notifications that you have configured will be mailed at the time of user download. You can also restrict access to a software library by specifying a label. To create a package: 1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the optional Help Desk Module installed. 2. In the Choose action drop-down list, select Add New Item. The Software Library : Edit Detail screen appears. 3. Select or clear the Enabled check box. Select this box to make the software library visible to users on the Help Desk. 4. Specify the Package Type under the Software Choice section: Download Install Script Select this type to include documentation, files, or other software that does not automatically install. Select this type to select software that will install automatically on the user’s machine. The user must have the KBOX Agent installed to run installations. Select this type to select a script to include in the software library. The user must have the KBOX Agent installed to run scripts.

5. From the Package Type drop-down list, choose the software to install. You can filter the list by entering any filter options in the Filter box. 6. Specify the information to include with your package under the User Portal Page Details section: Installation Instructions Specify the installation instructions. Any defined instructions, legal policy, cost information, and so on, are posted along with the portal package for user visibility. Specify the product key that is specified in the Asset Detail page in Asset | Assets for Assets of License type.

Product Key

E-mail Product Key to User Select this option if you want to send download instructions at the time of user download.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

195

Request Mgr Notification

Select this option to require users to enter their manager’s mail address for notification prior to downloading or installing the software library.

7. If you select the Install package type, specify the command line to run the installation, including any necessary install switches or other parameters. Note that users must have the KBOX Agent installed on their machines in order to run the installations or scripts.

8. If you selected the Script package type, choose the script from the Script drop-down list. 9. Type any notes in the Additional Notes field. 10. Specify the following informations, as necessary. Corporate License Text Vendor License Text Unit Cost Documentation File Enter any text related to the Corporate License. Enter any text related to Vendor License. Enter the cost per Unit. Browse the desired documentation file. The Documentation File size is displayed after the file is selected.

11. If desired, select a label from the Limit Access To User Labels list to limit software library deployment to specific users. 12. Select the Also Restrict By Machine Label check box to restrict software library deployment by machine label. 13. Click Save. A major benefit of the Help Desk is that it provides your users with the resources they need to solve many of the most common support issues on their own, thus alleviating some of the burden on your support staff. Be sure to provide adequate information to your users so that you, and they, can experience the full benefit of this feature. To apply a label to a package: 1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the optional Help Desk Module installed. 2. Select the check box beside the user(s) you want to apply a label to. 3. Select the appropriate label under Apply Label from the Choose action drop-down list. To remove a label from a package: 1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the optional Help Desk Module installed. 2. Select the check box beside the user(s) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

196

To delete a package: 1. Select User Portal | Software Library, or select Help Desk | Software Library if you have the optional Help Desk Module installed. 2. To delete a package, select the check box beside the package and choose Delete Selected Item(s) from the Choose action drop-down list. 3. Click OK to confirm deletion.

Using the Knowledge Base
The Knowledge Base allows you to provide documentation, FAQs, or other self-help information for your users. If you purchased the optional Help Desk Module, the Knowledge Base integrates with the Tickets feature to enable users to resolve their own issues. For more information, see “Creating and Editing Help Desk Tickets,” on page 217. Users can sort the articles by Article ID, Title, Category, Platform, or Importance. They can search article contents by using keywords.

Adding Knowledge Base Articles
Knowledge base articles are published to the KBOX Help Desk where users can search and sort articles to locate the information they require. If you have the optional Help Desk Module installed, you can also create a new Knowledge Base article from the comments in a Ticket by clicking the Create KB article button on the Ticket Detail page. For more information, see “Creating and Editing Help Desk Tickets,” on page 217. To add an article to the Knowledge Base: 1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Select Add New Item from the Choose action drop-down list. The Knowledge Base: Edit Article page appears. 3. Enter the following article information: Title A specific description of the issue covered in the article. Make the title as descriptive as possible and use common terms so that it will be easy for an end-user to locate information about a problem. A general description of the type of issue. (For example, “printing” or “network access”). The operating systems to which this article applies. The relative relevance of the article’s contents. (For example, “reference” or “low”; or “critical” or “high”.

Category Platform Importance

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

197

Use Markdown

Select or check this box. Markdown is a plain text formatting syntax, and a software tool, written in Perl, that converts the plain text formatting to HTML. Markdown is a text-to-HTML filter; it translates an easy-to-read/easy-to-write structured text format into HTML. Markdown's text format is most similar to that of plain text e-mail, and supports features such as headers, *emphasis*, code blocks, block quotes, and links. Examples of sample formatting if the Use Markdown check box is selected: *normal emphasis with asterisks* normal emphasis with asterisks **strong emphasis with asterisks** strong emphasis with asterisks This is some text *emphasized* with asterisks. This is some text emphasized with asterisks. For more information about markdown, see http://daringfireball.net/projects/markdown/

Limit Access Select the labels you want to limit access to. To User Labels Article Text Enter any text about the article. Note: You can include external links to web pages by using href for that link. For example, <a href="http://www.kace.com/">Visit KACE!</a> You can include images by using src. For example, <img src="http://www.kace.com/ img/nav/new/4_27_06/logo.gif">

4. Click Browse to add any attachment, if required. 5. Click Save. The KBOX assigns the article an Article ID and displays it on the Knowledge Base Articles List page. To see how the article appears to your users on the Help Desk, click on the article’s title, and then click the User URL on the Edit Article page.

Editing and Deleting Knowledge Base Articles
You can easily modify or remove existing Knowledge Base articles. There are two options for deleting articles: Using the Articles List page Using the Edit Article page To edit an existing Knowledge Base article: 1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Click the linked article title. The Knowledge Base: Edit Article page appears. 3. Click the [Edit] link to update the article details. 4. Modify article details, then click Save. To delete an article from the Articles List page: 1. Select User Portal | Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

198

2. To delete an article, select the check box beside the article and choose Delete Selected Item(s) from the Choose action drop-down list. 3. Click OK to confirm deletion. To delete an article from the Article Edit page: 1. Select User Portal| Knowledge Base tab, or select Help Desk | Knowledge Base if you have the optional Help Desk Module installed. 2. Click the linked article title. The Knowledge Base: Edit Article page appears. 3. Click the [Edit] link, then click Delete. 4. Click OK to confirm deletion.

Managing Users
When logged in as an administrator, you can add users to the User Portal or Help Desk either manually or automatically. Depending upon the permissions assigned to the users logged into the Help Desk, all or only a subset of the Help Desk features may be available. When adding users to the Help Desk, be sure to specify the correct user permission level.

Adding Users Manually
When adding users to the KBOX, you can tag them with a label, which determines which packages they can access to in the Help Desk. The details that you enter below are used to authenticate users. To add users manually: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. In the Choose action drop-down list, select Add New Item. The User : Edit User Detail page appears. 3. Enter the necessary user details. Do not specify legal characters in any field. User Name Full Name Email Enter the name the user will use to access Help Desk. This is a mandatory field. Enter the user’s full name. This is a mandatory field. Enter the user’s e-mail address. This is the address to which Help Desk messages, if enabled, will be sent. This is a mandatory field for Help Desk installations. Enter an active directory domain. This is an optional field. Enter the financial department code. This is an optional field. Enter the name of a site or building. This is an optional field. Enter the user’s work phone number. This is an optional field. Enter the user’s home phone number. This is an optional field. Enter the user’s mobile phone number. This is an optional field. Enter the user’s pager phone number. This is an optional field.

Domain Budget Code Location Work Phone Home Phone Mobile Phone Pager Phone

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

199

Custom 1 Custom 2 Custom 3 Custom 4 Password Blank or empty passwords are not valid for new users. The user will be created but the user cannot be activated without a valid password. This is a mandatory field. Select the labels to assign. This is a mandatory field. Enter the user’s role: Admin—This user role can log on and access all the features of the administrator UI and User Portal or Help Desk. This role is selected by default. The users can log on to the Help Desk, only if they have the optional Help Desk Module installed. ReadOnly Admin—This user role can log on, but cannot modify any settings in the administrator UI and User Portal or Help Desk. The users can log on to the Helpdesk, only if they have the optional Help Desk Module installed. User—This user role can log on only to the User Portal or Help Desk. The users can log on to the Helpdesk, only if they have the optional Help Desk Module installed. Login Not Allowed—This user cannot log on to the User Portal or Help Desk. Note: The roles listed above are system provided roles and are not editable. To create a new role, Refer to “Roles,” on page 203. Lock user out of User Portal Allowed to be assigned Help Desk Tickets Select this check box to lock the user out of the User Portal. Required for Help Desk installations. Select this check box to permit any user (Admin, ReadOnlyAdmin, or User) to be assigned as owner of Help Desk tickets. Enter information in the custom fields if necessary. This is an optional field.

Confirm Password Retype the user’s password. This is a mandatory field. Assign To Label Role

4. To assign users as owners of help desk tickets, go to Helpdesk Queues page. For more information on help desk queues, Refer to “Helpdesk Queues,” on page 207. 5. Click Save. The Users page appears. To apply a role to a user: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. Select the check box beside the user(s) you want to apply a role to. 3. Select the appropriate role to apply from the Choose action drop-down list. To apply a label to a user: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. Select the check box beside the user(s) you want to apply a label to.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

200

3. Select the appropriate label under Apply Label from the Choose action drop-down list. To remove a label from a user: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. Select the check box beside the user(s) you want to remove the label from. 3. Select the appropriate label under Remove Label from the Choose action drop-down list. To delete a user: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. To delete users, do one of the following: From the Users List view, select the check box beside the user, then select Delete Selected Item(s) from the Choose action drop-down list. From the User : Edit User Detail page, click Delete. 3. Click OK to confirm deleting the selected user. To change the password: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. Click the user name whose password you want to change. The User : Edit Detail page appears. 3. Modify the password as follows: Password Blank or empty passwords are not valid for new users. The user will be created but the user can not be activated without a valid password. This is a mandatory field. Retype the user’s password. This is a mandatory field.

Confirm Password

4. Click Save to save the changes.

Adding Users automatically
Rather than setting up users individually on the Users tab, you can configure the KBOX to access a directory service (such as LDAP) for user authentication. This allows users to log into the KBOX Administrator portal using their domain username and password, without requiring to add users individually from the Users tab. For more information on user authentication, Refer to “User Authentication,” on page 249.

Importing Users
You can import Users and Labels directly from your LDAP or Active Directory system into KBOX. To import users: 1. Select User Portal | Users, or select Help Desk | Users if you have the optional Help Desk Module installed. 2. In the Choose action drop-down list, select Import Users. The User : Import page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

201

3. Specify the LDAP Server Details in the Choose attributes to import section: LDAP Server Enter IP or Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME If you have a nonstandard SSL certificate installed on your LDAP server such as an internally-signed or a chain certificate not from a major certificate provider such as Verisign, contact KACE Support for assistance before proceeding. LDAP Port Search Base DN Enter the LDAP Port number which could be either 389 / 636 (LDAPS). Enter the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com Search Filter Enter the Search Filter. For example: (samaccountname=admin) LDAP Login Enter the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com LDAP Password 4. Specify the attributes to import: Attributes to retrieve Enter the attributes to retrieve. For example, samaccountname Note: You can leave this field blank to retrieve all attributes, but this may be slow and is not recommended. Label Attribute Enter a label attribute. For example, memberof. Label Attribute is the attribute on a customer item that returns a list of groups this user is a member of. The union of all the label attributes will form the list of Labels you can import. Label Prefix Enter the label prefix. For example, ldap_ Label Prefix is a string that is appended to the front of all the labels. Binary Attributes Enter the Binary Attributes. For example, objectsid. Binary Attributes indicates which attributes should be treated as binary for purposes of storage. Max # Rows Debug Output Enter the maximum rows. This will limit the result set that is returned in the next step Select the check box to view the debug output in the next step. Enter the password for the LDAP login.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

202

5. If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, Refer to “LDAP Browser Wizard,” on page 245. 6. Click Next. 7. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP server into the User record on the KBOX. The fields in Red are mandatory. The LDAP Uid must be a unique identifier for the user record. 8. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays a list of all the Label Attribute values that were discovered in the search results. 9. Click Next. 10. Review the information displayed in the tables below. The Users to be Imported table displays list of users reported and the Labels to be Imported table displays the list of labels reported. The Existing Users table and the Existing Labels table display the list of Users and Labels that are currently on the KBOX. Only users with a LDAP UID, User Name, and E-mail value will be imported. Any records that do not have these values are listed in the Users with invalid data table. 11. Click Next to start the import. This user can log on to and access all features of the administrator UI and User Portal or Help Desk. He can log on to the Helpdesk, only if you have the optional Help Desk Module installed.

Roles
Roles are assigned to each user to limit access to different tabs in the Administrator Console and the User Portal. You can restrict the tabs displayed for a user is allowed when the administrator logs in to the Administrator Console and the user logs in to the User Portal. Following are the permissions that can be applied for each tab. Write: The user will have write access for the tab. The administrator or user will be able to edit the fields present on the screen. Read: The organization will have only read access for the tab. The administrator or user will be not be able to edit the fields present on the screen. He/she will be not be able to add / edit / delete any item present in the list. Hide: The tab will be hidden and the administrator or user will not be able to view that tab.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

203

Creating and Editing Roles
You can create new roles or edit the existing roles from the Roles page by going to Help desk | Roles tab. It is recommended that you first create the roles, since it is required to specify the role while creating users. To create a role: 1. Select Help desk | Roles. The User Roles page appears. 2. Select Add New Item from the Choose action drop-down list. The User Role : Edit Detail page appears. 3. Enter the Role information as follows: Record Created Role Name Description The date and time when the Role was first created. This is a Read-only field. Enter a name for the role. This is a mandatory field. Enter the description for the role.

Record Last Modified The date and time when the Role was last modified. This is a Read-only field.

4. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All] link to expand all the tabs. 5. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 6. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 7. Under Permissions USER Console, click the UserUI link to expand it. 8. Under each tab, click the All Write option, All Read option, or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 9. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 10. Click Save. If you assign READ permission to General Settings and User Authentication under Settings, then all other settings; AMP Settings, Network Settings, Security Settings and Date & Time Settings will also have READ permission. If you assign HIDE permission to General Settings and User Authentication under Settings, then the Control Panel tab is hidden.

From KBOX 1000 Release 4.3 onwards, you can set and edit the permissions of users on Virtual Kontainers tab from the User Role: Edit detail page.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

204

To edit a role: 1. Select Help desk | Roles. The User Roles page appears. 2. Click the linked name of the role. The User Role : Edit Detail page appears. 3. Scroll down and click the [Edit Mode] link. 4. Edit the role details: Record Created Role Name Description The date and time when the Role was first created. This is a Read-only field. Enter a name for the role. This is a mandatory field. Enter the description for the role.

Record Last Modified The date and time when the Role was last modified. This is a Read-only field.

5. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All] link to expand all the tabs. 6. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 7. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 8. Under Permissions USER Console, click the UserUI link to expand it. 9. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 10. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 11. Click Save. To delete a role: 1. To delete a role, do one of the following: From the User Roles page, select the check box beside the role, then select Delete Selected Item(s) from the Choose action drop-down list. From the User Role : Edit detail page, click Delete. 2. Click OK to confirm deleting the role. Else, click Cancel to cancel the deletion. To duplicate a role: 1. Select Help desk | Roles. The User Roles page appears. 2. Click the role you want to duplicate. The User Role : Edit Detail page appears. 3. Scroll down and click the [Edit Mode] link. 4. Click Duplicate to duplicate the role details. The page refreshes. 5. Enter the Role information as follows: Name Description Enter a name for the role. This is a mandatory field. Enter the description for the role.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

205

6. Click Save.

Overview of the Help Desk Module
The optional KBOX Help Desk Module provides a ticket submission, tracking, and management system that allows you to solve problems in real time. The KBOX Help Desk Module provides integrated access with KBOX capabilities for hardware and software inventory, software deployment, updates and patching, remote control, and alerting and reporting. Upon installation, you can customize the Help Desk settings according to the needs of your organization. The Help Desk Module adds the following tabs to the administrator view of the Help Desk: Tickets—Provides a list view of tickets submitted for users, and allows Help Desk users to assign, resolve, or escalate tickets based on user profile Configuration—Allows administrators to customize the Help Desk displayed to users If you do not have the optional Help Desk module installed, you will not see these tabs. The Help Desk Module provides permissions-based access to the features and functions needed by a particular user. The Tickets tab of the Help Desk provides a way for end-users to submit and track desk tickets. In addition to creating new tickets, users can search for Knowledge Base articles that might help them to resolve support issues on their own. From the Tickets tab users can: Create Help Desk tickets View tickets that they have submitted Search for tickets using keywords and advanced methods If the end-user also happens to be a support technician and you have given the permission to own Help Desk tickets as well as assigned label to the user (see “Managing Users,” on page 199), this user is known as a Help Desk user. Users who are also Help Desk users (i.e., they can be assigned Help Desk tickets), can perform these additional functions: Delete Help Desk tickets By default, view unassigned tickets and additions to tickets assigned to them, and view other tickets by using the View by owner drop-down list Change a ticket’s status, priority, or owner The Help Desk users do not need Administrator rights on the KBOX. They can manage all their Help Desk ticket activities via the user portal available at http://kbox. Note: The Help Desk users need Administrator rights if they have to deploy software or run reports. Administrators can create, modify, and manage Help Desk tickets from the Tickets tab in the Administrator UI. Administrators can also use the security, scripting, and distribution features to resolve Help Desk tickets, then use the Knowledge Base to create the documentation that references the resolution for users.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

206

From the Tickets tab, administrators can: Create or delete Help Desk tickets Sort the Ticket view by owner or submitter, summary, priority, or status Change a ticket’s status, priority, or owner

Helpdesk Queues
Helpdesk Queues allows to partition helpdesk for use by different groups. Each queue can be configured independently. They can have separate custom fields, e-mail addresses, ticket defaults, and so on. To add a new helpdesk queue: 1. Select Help Desk | Configuration. The Helpdesk Queues page appears. 2. Select Add New Item from the Choose action drop-down list. The New Queue page appears. 3. Enter the Queue information as follows: Name Email Address Enter a name for the queue. The name that is displayed in the From field when users receive e-mails from the Help Desk. Enter the e-mail address used to send e-mail to and from the Help Desk. Note: Specify an e-mail address that is not used by any other help desk queue, as each queue must have an unique e-mail address. Enter the alternate e-mail address to which users can submit Help Desk tickets.

Alt. Email Address

4. Click Save. The Help Desk Configuration page appears. From the Help Desk Configuration page, you can configure a variety of settings including the support mail address, defaults for ticket submission fields, and which events trigger mail alerts and to whom they are sent. This section describes how to configure basic Help Desk Settings only. To customize the default values for the options here, see “Customizing Help Desk fields,” on page 210. Field(s) Name Email Address Ticket Defaults Enter the name for the Help Desk. Enter the e-mail address used to send e-mail to and from the Help Desk. Determines the default ticket values for tickets. To customize these options, click Customize These Values. For more information see “Customizing Help Desk fields,” on page 210. These check boxes determine who gets e-mail when tickets are changed or escalated. Note that "Any Change" overlaps with the "Owner Change" and "Status Change" events, but it does not include ticket escalations. Description

Email on Events

Table 11-1: Help Desk Configuration fields 5. Scroll down and click the [Edit Mode] link.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

207

6. The Name field displays the name that is displayed in the From field when users receive e-mails from the Help Desk. This field retains the information you specified in the previous page. You can modify the name if required. 7. In the Email Address displays the e-mail address to which users can submit Help Desk tickets. This field retains the information you specified in the previous page. You can modify the e-mail address if required. 8. In the Alt. Email Address field, specify the alternate e-mail address to which users can submit Help Desk tickets. 9. Select the Allow all users as submitters check box to allow all users to submit tickets to this queue. You can limit the submitters to a queue by user label. Press CTRL and click labels from the Restrict Submitters By Label list, to select more than one label. 10. You can assign ticket owners by label. Press CTRL and click labels from the Ticket Owners By Label list, to select more than one label. The users in that label can be assigned as the owners of Help Desk tickets. 11. Select the Accept email from unknown users check box to accept e-mails from unknown users. 12. In the Ticket Defaults area, specify the following settings: Category Status Impact Priority Enter the default category for tickets. Options include Software, Hardware, Network, and Other. Enter the default status for tickets. Options include New, Opened, Closed, and Need More Info. Enter the default impact for tickets. Options include Many people can’t work, Many people inconvenienced, 1 person can’t work, and 1 person inconvenienced. Enter the default priority for tickets. Options include Low, Medium, and High.

13. In the E-mail on Events area, specify to whom, and under what circumstances, e-mails should be sent: Recipients: Owner - The Help Desk user assigned to the ticket Submitter - The user who submitted the ticket Ticket CC - The e-mail recipients listed in the CC area of the ticket Category CC - The e-mail recipients listed in the CC List area for the Ticket Category. Events: Any Change - Any change to any field on the ticket. Owner Change - A change to the owner field on the ticket. By default, e-mails are sent to the old and new owners of the ticket. Status Change - A change to the status field on the ticket. Comment - A comment on the ticket. Resolution Change - A change to the Resolution field on the ticket. Escalation - The ticket enters escalation based on the configured settings. For more information, see “Understanding the Escalation Process,” on page 221. Satisfaction Survey - Indicate whether you want to send an mail requesting that the submitter complete a satisfaction survey when the ticket is closed. For more information, see “About the Satisfaction Survey,” on page 222.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

208

New Ticket Via Email - Select this check box for an e-mail notification on a new ticket. 14. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

209

Customizing Help Desk fields
Where the basic Help Desk configuration page allowed you to set default values for the various drop-down lists in the Help Desk fields, the Customization page allows you to customize the values that appear in those drop-down lists, as well as add up to six custom fields. To access the Help Desk Customization page: 1. Select Help Desk | Configuration. The Helpdesk Queues page appears. 2. Click a queue name. The Help Desk Configuration page appears. 3. Click the [Customize These Values] link. The Help Desk Customization page appears. To customize Category Values: 1. In the Category Values area, click the appear for that value. 2. Edit the Category Values fields: Name CC List User Settable Enter the name for the value. Enter the e-mail address(es) to be copied when tickets of this category are submitted to the Help Desk. The User Settable value is either 'true' or 'false'. It indicates if a non-help desk admin is allowed to set the category value on a ticket and whether or not this category appears in the list of choices displayed to the end user. This setting allows you to present a simplified list of values to the user, and display more and create additional values that are only displayed to the administrator or Help Desk users. icon beside a category value to modify it. Editable fields

Default Owner Assign a default owner for tickets of this category.

3. Click the 4. Click the 5. Click the

icon beside a Category value to change its order in the drop-down list. icon to add an option to the Category drop-down list. icon to remove a Category value.

You cannot remove Category values that are in use. If you want to change the values, add a new value first, move those tickets with the old value to the new value. Once the value is not being used, you can safely delete the value. 6. Click Save to apply your changes. To customize Status values: 1. In the Status Values area, click the Editable fields appear for that value. icon beside a category value to modify it.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

210

2. Edit the Status Values field: Name State Enter the name for the value. Indicates whether the ticket is open, closed, or stalled. Open - The ticket is active Closed - The ticket has been resolved Stalled - The ticket is open past its due date, but is not in escalation. 3. Click the 4. Click the 5. Click the icon beside a Status value to change its order in the drop-down list. icon to add an option to the Status drop-down list. icon to remove a Status value.

You cannot remove Status values to which tickets are currently assigned. If you want to change the values, add a new value first, move those tickets with the old value to the new value. Once the value is not being used, you can safely delete the value. 6. Click Save to apply your changes. To customize Priority values: 1. In the Priority Values area, click the Name Color Escalation Time icon beside a category value to modify it.

Editable fields appear for that value. Edit the Priority Values fields: Enter a name for the custom field. The displayed color of this status on the ticket list pages. The interval after which an open ticket of this priority is escalated. Enter a time integer and a unit from the drop-down list.

2. Click the 3. Click the 4. Click the

icon beside a Priority value to change its order in the drop-down list. icon to add an option to the Priority drop-down list. icon to remove a Priority value.

You cannot remove Priority values to Tickets which are currently assigned. If you want to change the values, add a new value first, move those tickets with the old value to the new value. Once the value is not being used, you can safely delete the value. 5. Click Save to apply your changes.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

211

To customize Impact values: 1. In the Impact Values area, click the Editable fields appear for that value. 2. Modify the Name field as desired. 3. Click the 4. Click the 5. Click the icon beside an Impact value to change its order in the drop-down list. icon to add an option to the Impact drop-down list. icon to remove an Impact value. icon beside an Impact value to modify it.

You cannot remove Impact values to Tickets which are currently assigned. If you want to change the values, add a new value first, move those tickets with the old value to the new value. Once the value is not being used, you can safely delete the value. 6. Click Save to apply your changes. To add custom value fields: 1. In the Custom fields area, click the Edit item icon to modify the fields. 2. In the Name field, enter the names for the custom fields as you want them to be displayed on the Ticket Details page. The custom fields are added as text boxes that hold up to 255 characters. You can add up to six custom fields. 3. Enter the select values in the Select Values field. Select Values are used for custom fields with Field Type of Single Select or Multiple Select. These values should be entered as comma-separated strings. 4. Select the field type in the Field Type list. 5. Select the Only Editable By Owners check box to make this field editable by owners. 6. To remove a custom field, clear the name from the field value. When you remove the name of a field, values for that custom field will be removed from all tickets. When you rename a field, values for that custom field will be retained. 7. Click Save to apply your changes. 8. In the Ticket List View area, click the Edit item icon to modify the desired Ticket List View fields. 9. Select the name in the Name list. 10. Specify the width in the Width field and then click Save. 11. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

212

You can create fifteen custom fields.

To customize Ticket List view: 1. In the Ticket List View area, click the Name Width 2. Click the 3. Click the 4. Click the icon beside an attribute to modify it.

Editable fields appear for that value. Edit the fields: Select an attribute name from the drop-down list. Enter the column width. icon beside an attribute to change its order in the drop-down list. icon to add an attribute to the Ticket List View drop-down list. icon to remove an attribute.

5. Click Save to apply your changes.

Help Desk E-mail Customization
The help desk e-mail customization page contains e-mail templates that can be used by the Help Desk to generate e-mails. You can modify these templates if required. To customize help desk e-mails: 1. Select Help Desk | Configuration. The Helpdesk Queues page appears. 2. Click a queue name. The Help Desk Configuration page appears. 3. Click the [Customize Emails] link. The Help Desk Email Customization page appears. The following e-mail templates are available: Ticket Escalation Email Ticket Creation Acknowledgement Ticket Change Notification Satisfaction Survey Notification Response To Unknown Email Address Email Ticket Error You can edit these templates if required. The e-mail templates contain various symbols, which are replaced with the appropriate information when an e-mail is sent. For example, $ticket_number is replaced with the ticket number of the ticket for which the e-mail is sent.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

213

The following symbols are available in all templates: $userui_url $helpdesk_name $helpdesk_email The following symbols are available in templates for e-mail involving tickets: $ticket_escalation_minutes $ticket_priority $ticket_number $ticket_title $ticket_url $ticket_history $change_desc The following symbols are available in the "Response to Unknown Email Address" template: $subject $quoted_mail

Ticket Rules
Ticket Rules allow you to periodically run queries and take various actions on the resulting list of tickets. To create a ticket rule: 1. Select Help Desk | Configuration. The Helpdesk Queues page appears. 2. Click a queue name. The Help Desk Configuration page appears. 3. Click the [Customize] link. The Ticket Rules page appears. 4. Select Add Ticket Rule from the Choose action drop-down list. The Ticket Rule page appears. The queue name is displayed in parentheses. 5. Enter criteria to choose the tickets to be affected. 6. Under Define Ticket Rule, select an attribute from the drop-down list. For example, Priority. 7. Select a condition from the drop-down list. For example, = 8. Specify the attribute value. For example, Medium. In the above example, tickets with medium priority will be searched. Note: You can add more than one criteria. 9. Select the Conjunction Operator from the drop-down list to add more criteria. For example, AND. 10. Click Test. The search results will be displayed below. 11. Click Next.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

214

12. Choose the values to change. 13. Under Define Ticket Rule, select an attribute whose value you want to change, from the drop-down list. For example, Priority. 14. Specify the new attribute value. For example, High. The Priority of the tickets that were searched, will now be changed to high. 15. Click Done. The Ticket Rule : Edit Detail page appears. You can configure settings for running the SQL query periodically and take various actions on the resulting list of tickets. 16. Specify the following information: Record Created Record Last Modified Title Order Queue Notes Frequency Next Run Enabled Select Query The date and time when the Rule was first created. This is a Read-only field. The date and time when the Rule was last modified. This is a Read-only field. Enter a title for the rule. Enter a number. The rule will be executed according to the evaluation order specified. The name of the queue the ticket belongs to. This is a Read-only field. Enter notes, if any. Select the appropriate frequency from the drop-down list. The rule will be run according to the selected frequency. The date and time when the rule will be run next time. This is a Read-only field. Select the check box to enable the ticket rule. The ticket rule will run only if you enable it. This SQL is generated by the Ticket Rule wizard from the inputs that you specified during searching for Tickets in the Ticket Rule page. This is a SQL SELECT statement that will return a set of ticket IDs to operate on. This query will be run based on the Frequency selected above. You can click the View Ticket Search Results link to view the search results. Note: You must not manually edit the SQL statements generated by the Ticket Rule Wizard, without fully understanding the ramifications of doing so. You can easily write SQL that can degrade the performance of your KBOX.

Send query Select the text box send a table of results of the Select Query to the e-mail results to some- address(es) specified. All the columns returned by the Select Query will be included in the e-mail. one Enter the e-mail addresses in the Email text area. You can specify more than one e-mail address, by separating them with commas. Results are tickets, add a comment to each one Select the check box to add a comment to each ticket from the Select Query. This is useful because the Update Query specified later may update a Ticket without logging that information. Here you could add a message like 'Ticket Rule: Increase Priority to High triggered.' This would give you an indication of what tickets have been changed. Enter your comments in the Comment text area.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

215

Send an email for each result row

Select the check box to send an e-mail to e-mail address that will be returned by the Select Query. An e-mail will be sent to each e-mail address returned by the Select Statement in the E-mail Column. Variables will be replaced in the body of the e-mail. For example, strings like $title and $due_date will be replaced by the values in the columns names TITLE and DUE_DATE respectively. Any column returned by the select statement can be replaced in that way. The SQL generated by the Ticket Rule Wizard will supply OWNER_EMAIL and SUBMITTER_EMAIL as well as CC_LIST as possible values. Enter the subject in the Subject text field. Enter the e-mail column name in the E-mail Column text field. For example, OWNER_EMAIL. E-mail will be sent to each e-mail address returned by the Select Statement in this E-mail Column. Enter an e-mail message in the E-mail Body text area. Select the check box to run an update query using the results from the query in the Update Query field. Using this query you can run an additional sql UPDATE statement, replacing the string <TICKET_IDS> with a comma separated list of IDs extracted from the Select Query. Such that "update HD_TICKET set TITLE = 'changed' where HD_TICKET.ID in (<TICKET_IDS>)" would turn into "update HD_TICKET set TITLE = 'changed' where HD_TICKET.ID in (1,2,3)" This SQL is generated by the Ticket Rule wizard from the inputs that you specified while changing the attribute values in the Ticket Rule page. Note: The Run Log will show a count of the changed rows. This may differ from the selected rows, if the data was already set to the requested values. The update sql that is generated by the Ticket Rule wizard will not update the ticket row if an incorrect value is entered for fields like Priority or Submitter. Each time the rule runs, the run log will be updated with the last results of that execution. Any failures or errors will be displayed.

Run an update query, using the results from the one above

Run Log

17. Click Run Now to immediately run the ticket rule. 18. Click Save to save the ticket rule. To delete a ticket rule: 1. To delete ticket rules, do one of the following: From the Ticket rule List view, select the check box beside the ticket rule, then select Delete Selected Item(s) from the Choose action drop-down list. From the Ticket Rule : Edit Detail page, click Delete. 2. Click OK to confirm deleting the selected Ticket rule.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

216

Creating and Editing Help Desk Tickets
Depending on whether you are creating a ticket from mail, the Administrator UI, or from the Help Desk, you will have different options available to you. This section describes each of these methods. Regardless of the method used to submit a Help Desk ticket, all interested parties will receive a confirmation mail that includes a link to the submitted ticket. To create a new ticket from the Help Desk: 1. Log into the User Portal as user. Tickets page appears. 2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears. To create a new ticket from the Administrator UI: 1. Select Help Desk | Tickets. 2. Select Add New Item in the Choose action drop-down list. The New Ticket page appears. 3. Specify ticket details. Title Impact Category Status Priority Enter a title for the ticket. Enter the severity of the issue. Indicate the issue type. Indicate the status of the issue. Indicate the importance of the issue. Note: You cannot set the priority if you are creating the ticket through the user portal. Select an owner from the drop-down list. You can filter the list by entering any filter options. The machine affected by the issue. Defaults to submitter’s computer after Ticket is saved. You can filter the list by entering any filter options. Note: You can see help ticket submissions from the Computer’s inventory record. See Chapter 3,“Help Tickets,” starting on page 62. Select an asset from the drop-down list. You can filter the list by entering any filter options. Enter a due date if desired. Click the icon to select the Month, Day, and Year.

Owner Machine

Asset Due Date CC List

A comma-separated list of additional e-mail addresses for users who might be interested in changes to this ticket. You can filter the list by entering any filter options. Note: You can enter only 200 characters in the CC list field. To bypass this limitation you can create e-mail aliases for large distribution lists. Click the icon to select the submitter from the drop-down list. You can filter the

Submitter

list by entering any filter options. See Also Link(s) to related tickets. When editing this list, enter the Ticket IDs as comma-separated integers.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

217

Referrers Owners only KB article lookup Comment Attachment 4. Click Save.

If other tickets Refer to this ticket in the see also field, those ticket IDs will appear here after this ticket is saved. Select the check box to have the comment you are entering visible only to users who are authorized to own tickets. Select an KB article from the drop-down list. You can filter the list by entering any filter options. The contents of the selected KB article will be populated in the comment field. This field is editable. Browse the desired attachment file.

After you create the new ticket, you can open the ticket record and view a print-friendly version of the ticket, e-mail the ticket to someone, and click the Find Relevant Articles link to locate Knowledge Base articles related to the ticket. The submitter will get a confirmation e-mail with a link to the specific ticket, if you have selected the New Ticket Via Email check box in the Help Desk Configuration page.

Submitting Help Desk Tickets through E-mail
In addition to submitting tickets via the Web-based User and Administrator interfaces, users also can submit Help Desk tickets by sending mail to the Help Desk mail configured in the Help Desk settings. Tickets created from mails will receive the default values for Impact, Category, and Priority, as set on the Help Desk | Configuration tab. The body of the mail message will be added as a comment. The submitter is determined by the sender’s mail address. For more information, see “To add a new helpdesk queue:,” on page 207.

Setting Ticket Attributes via E-mail
You can set ticket attributes via e-mail. You can do this by including lines starting with the @ symbol at the beginning of a e-mail to the helpdesk. Only users with ticket ownership privileges can do this. If a non-owner were to try to do this, his or her @-lines would be considered text and included in the comment.

For example, replying to a ticket e-mail with the following text would close the bug, change the owner, and add a comment: @status=closed @owner=joe I fixed that problem. If it happens again, talk to Joe. The attributes you can control in this way are: category cc_list Enter the category. You can use a comma-separated list of e-mail addresses.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

218

due_date impact owner priority resolution status submitter

The date can be in any format. For example, 2/3/2004, next friday or February 3, 2004. To clear the due date use the values empty string ("") or "null". Enter the impact. Enter the owner's user name, full name, or e-mail address. You can clear the owner by using the empty string "" Enter the priority Enter the resolution. Enter the status. Enter the submitter's user name, full name, or e-mail address. If the specified name does not match an existing user and if the queue has "Accept email from unknown users" check box selected, a new user will be created. If you think that this might happen, you can include both a full name and an e-mail address. For example, Full name <email address> Enter the title.

title Custom fields

You can also set custom fields. The value must be a name having an underscore. For example, If the field name is eye color, the value should be eye_color. You can also make two custom fields which have the same name with an underscore. In this case, the assignment will go to the first of the two custom fields. You'll get an error if you try to put a bad value into a select or multiselect custom field. To select multiple values in a multiselect custom field, the values should be comma-separated. The lines at the beginning of an e-mail starting with "@" are special. You'll get errors if they're not assignments as described above. For example, @owner=NoSuchUser @status=NoSuchStatus Errors will be e-mailed back to you. The e-mail will use the "Email Ticket Error" template. For more information on e-mail templates, Refer to “Help Desk E-mail Customization,” on page 213.

Editing Help Desk Tickets
After you create a Help Desk ticket, you can edit the tickets from the Tickets list page, or from the Ticket Tick page. Regardless of where the change is made, any change made to a ticket is reflected in the history log at the bottom of the Ticket Detail window. To edit a ticket from the Tickets list page: 1. Select the check box beside the ticket(s) you want to edit. 2. From the Choose action drop-down list, select the desired option: • • • • Delete Selected Item(s) Set status to New, Opened, Closed, or Need More Info Set priority to High, Medium, or Low Reassign to another user.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

219

To edit a ticket from the Ticket Tick page: 1. Select Help Desk | Tickets. 2. Click the Ticket ID or linked Issue Summary. The Ticket Tick page appears. 3. Edit Ticket details as desired. You can edit the Ticket details like Title, Impact, Category, Status, Priority, Owner, Machine, Asset, Due Date, CC List, Submitter, See Also, Referrers, and Resolution. 4. To provide additional information about your change, click Add Comment, and then perform the following steps: a Select the Owners only check box to have the comment you are entering visible only to users who are authorized to own tickets. b Enter comment about the changes in the Comment field. c Browse the desired attachment file. 5. To provide additional information about the work, click Add Work, and then perform the following steps: a Select the work date. b Select the start date of the work. c Select the end date of the work. d Enter the adjustment hours in the Adjustment field. e Enter work related details in the Work Note field. 6. To copy an existing ticket, click Duplicate. 7. To create a Knowledge Base article from the comments in the ticket, click the Create KB article button. 8. Select the Owners only check box to have the comment visible only to users who are authorized to own tickets. 9. Click Save to apply your changes or click Save & List to apply your changes and go to the Tickets list page. When reassigning a ticket to a new owner using the Choose action drop-down list, the number in parentheses (), indicates the number of tickets currently assigned to that Help Desk user.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

220

Searching Help Desk tickets
From the Ticket List page, users can search tickets submitted by them, as well as view tickets by other owners. You can use Advanced Search options to locate tickets. Advanced search allows you to use operators such as contains, >, <, =, and Match RegEx. Match RegEx allows for wildcard and other search expressions standard to PERL users. “%” functions as the wildcard (similar to * in the DOS world). For additional information about RegEx searching, visit http:/ /www.regular-expressions.info/ and/or http://dev.mysql.com/doc/mysql/en/regexp.html. Normally, a backslash (\) is used as an escape character in any programming language. Therefore if a user wants to search for a character (for example, “.”) in any string, he is required to use two backslashes (i.e. \\.). One backslash is used as an escape character, whereas the other backslash is used for searching the character (“.”) in a string. However the way KBOX is coded this can be accomplished by a single quote only. A user need not put double backslashes (i.e \\.) to search the character (“.”) in the string. So for searching a regular expression in a string in KBOX, a single backslash is sufficient.

Managing Help Desk Tickets
After a ticket is submitted to the Help Desk, it is the responsibility of the ticket owner to resolve the ticket. The owner reviews the ticket, adjusts the impact if necessary, and assigns a priority. If the ticket issue is straightforward, the owner might resolve the issue quickly, enter a resolution in the ticket details, then close the ticket. In more complicated situations, however, a ticket may take more time to close, and be assigned to different owners over its lifetime. In some cases, the owner is unable to resolve the ticket by the due date and the ticket is then escalated to someone else to resolve. The process of escalation is determined by the settings configured in the Help Desk Configuration page. Depending on the Help Desk configuration, the submitter of a ticket might receive a satisfaction survey to gather feedback about the way the ticket was handled, after the ticket is closed. For more information about the satisfaction survey, see “About the Satisfaction Survey,” on page 222.

Understanding the Escalation Process
The escalation process allows you to send out automatic e-mails when a ticket remains in an Open state longer than a specified time. This gives you a way to monitor service level agreements, and allows you to notify a large group when a ticket hasn’t been handled properly. There are three variables that control the escalation process: Which tickets can/should be escalated The length of time a ticket can be open before an escalation e-mail is sent The recipient(s) of the escalation e-mails

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

221

Each ticket has a Priority, and each Priority has an Escalation Time associated with it. Tickets are escalated if they have been open longer than the time specified by their priority setting. Tickets also have a Status that can either be Open, Stalled, or Closed. Tickets with an Open status will trigger an escalation mail every n minutes, where n is the time specified by the Escalation Time assigned to the priority. For example, by default, the KBOX has a Priority value of High, with an Escalation Time of 30 minutes. This means that for each ticket that is marked as High Priority, an escalation mail will be sent every 30 minutes to notify people that the ticket is still Open. Tickets that are Stalled or Closed do not trigger escalation e-mails. Moving a ticket from Open to Stalled or Closed, and then back to Open will not change the creation time, so the escalation mails will continue to be processed based on the original time. For example, if you were to open a ticket, close it after 5 minutes, then reopen it after 35 minutes, an escalation e-mail would be sent saying that the ticket is older than 30 minutes. After that e-mail is sent, the next e-mail would go out after an additional 30 minutes had elapsed. You determine who receives the escalation e-mails in the Email on Events area of the Help Desk Configuration settings. You could choose to send the escalation e-mail to any of the following: The ticket owner The submitter The e-mail address(es) listed in the Ticket CC area The e-mail address(es) listed in the Category CC area. By specifying the recipient for escalation e-mails, you are routing open tickets to the right person or people who can help to resolve the issue.

About the Satisfaction Survey
After a ticket is Closed, if a user views the detail page for that ticket, he or she will be presented with the option to indicate their level of satisfaction with the way the ticket was handled. Users also can add comments to the ticket to further explain their assessment. In addition, you can configure the Help Desk to actively solicit feedback from users after a ticket is closed, by automatically sending them an e-mail with a link to the survey. Select the Closed ticket in the Tickets list, click Email this Ticket, and enter an e-mail address to which you want to send the survey. Score values assigned in the survey are stored in the ticket and are not editable by the Help Desk administrator, although you can run a variety of reports to display survey data. For more information about displaying survey data, please see, “Running Help Desk Reports,” on page 223.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

222

Running Help Desk Reports
The KBOX provides several default reports you can run on the Help Desk. You can view these reports by selecting the Reporting tab and then selecting HelpDesk from the View by category drop-down list. By default, the KBOX includes the Help Desk reports shown in the table below. For convenience, each of these reports is available in a variety of formats: HTML, PDF, CSV, and TXT. Help Desk Report Closed Satisfaction Survey last 31 days by Owner Closed Ticket Resolutions last 31 days by Owner Closed Ticket Resolutions last 7 days by Owner Closed Tickets last 31 days by Category Closed Tickets last 31 days by Owner Closed Tickets last 7 days by Owner Escalated/Open Tickets by Owner Open Tickets by Category Open Tickets by Owner Open Tickets last 7 days by Owner Stalled Tickets by Owner Stalled/Open Tickets by Category Stalled/Open Tickets by Impact Stalled/Open Tickets by Owner Stalled/Open Tickets by Priority Stalled/Open Tickets by Status Stalled/Open Tickets with Due Date by Owner Work Report Date Range - Long Notes Display Work Report last 31 days Table 11-2: Default Help Desk reports Description Lists by Owner all Closed Satisfaction Surveys in the last 31 days. Lists by Owner all Closed Ticket Resolutions in the last 31 days. Lists by Owner all Closed Ticket Resolutions in the last 7 days. Lists by Category all Help Desk tickets that have been closed in the last 31 days. Lists by Owner all Help Desk tickets that have been closed in the last 31 days. Lists by Owner all Help Desk tickets that have been closed in the last 7 days. Lists by Owner all escalated and open Help Desk tickets. Lists by Category all open Help Desk tickets. Lists by Owner all open Help Desk tickets. Lists by Owner all open Help Desk tickets opened in the last 7 days. Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets). Lists by Category all stalled and open Help Desk tickets. Lists by Impact all stalled and open Help Desk tickets. Lists by Owner all stalled and open Help Desk tickets. Lists by Priority all stalled and open Help Desk tickets. Lists by Status all stalled and open Help Desk tickets. Lists by Owner and due date all stalled and open Help Desk tickets. Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01. Reports all tickets for which work has been logged for the last 31 days.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

223

Help Desk Report Work Report last 31 days - Customize

Description Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days. Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry. Displays all people who logged work during the last 31 days first by person, and then by ticket and time.

Work Report last 31 days - Long Notes Display Work Report last 31 days by Person

Table 11-2: Default Help Desk reports To run Help Desk reports: 1. Select Reporting. The KBOX Reports page appears. 2. From the View by category drop-down list, select HelpDesk. 3. Click the format type for the report you want to view. If you need to create custom reports, see Chapter 12,“Creating and Editing Reports,” starting on page 230 for information on using the Report Wizard.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

224

C H A P T E R 12 Reporting
The KBOX provides a variety of alerts and reporting features that enable you to communicate easily with users and to get a detailed view of the activity on your network.
“The KBOX Reports Overview,” on page 226 “Creating and Editing Reports,” on page 230 “Alert Messages,” on page 238 “E-mail Alerts,” on page 239 “Filters,” on page 239 “Exporting Reports,” on page 241 “Importing Reports,” on page 241

225

The KBOX Reports Overview
The KBOX is shipped with many stock reports. The reporting engine utilizes XML-based report layouts to generate reports in HTML, PDF, CSV, XSL and TXT formats. By default, the KBOX provides reports in the following general categories: Compliance Hardware Help Desk KBOX Network Patching Security Software Template

Types of Reports
Within each of the general categories mentioned above, there are various reports you can run to display information about the computers on your network. Descriptions of each type of report you can run are provided below. Help desk reports are discussed in Chapter 11,“User Portal and Help Desk,” starting on page 193. Category Compliance Compliance Report Hotfix Compliance Software Compliance Simple Description Shows the list of computers that have the specified hotfix installed. Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes. Lists software and computers that are impacted by each license record. Lists software found on computers that do not have approved licenses. Shows which computers with less than 2 gigabytes of free space. Lists all computers and their video, ram and processor information sorted by label and name. This report is intended to generate a CSV listing for data export to other programs. Detail listing of all computers on the KBOX network with full field detail. Note: When this report is opened in XLS format, it gives an Apache Tomcat error.

Compliance Compliance Hardware Hardware Hardware Hardware

Software License Compliance Complete Unapproved Software Installation C drives less than 2G free Computer - Video/Ram/Proc by Label Computer Export Computer Inventory Detail

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

226

Category Hardware Hardware Hardware Hardware Hardware Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk

Report Computer Listing by Free Disk Space Computer Listing by Label Computer Listing by Memory Computer Listing by Operating System Computer Uptime Report Closed Satisfaction Survey last 31 days by Owner Closed Ticket Resolutions last 31 days by Owner Closed Ticket Resolutions last 7 days by Owner Closed Tickets last 31 days by Category Closed Tickets last 31 days by Owner Closed Tickets last 7 days by Owner Escalated/Open Tickets by Owner Open Tickets by Category Open Tickets by Owner Open Tickets last 7 days by Owner Stalled Tickets by Owner Stalled/Open Tickets by Category Stalled/Open Tickets by Impact Stalled/Open Tickets by Owner Stalled/Open Tickets by Priority Stalled/Open Tickets by Status

Description Lists computer disk drives in order of total free disk space. Lists all computers by all KBOX labels. Lists computer RAM in order of total memory size. Sorts all computers by Operating System type and sums OS Types. Reports the uptime of the computers. Lists by Owner all Closed Satisfaction Surveys in the last 31 days. Lists by Owner all Closed Ticket Resolutions in the last 31 days. Lists by Owner all Closed Ticket Resolutions in the last 7 days. Lists by Category all Help Desk tickets that have been closed in the last 31 days. Lists by Owner all Help Desk tickets that have been closed in the last 31 days. Lists by Owner all Help Desk tickets that have been closed in the last 7 days. Lists by Owner all escalated and open Help Desk tickets. Lists by Category all open Help Desk tickets. Lists by Owner all open Help Desk tickets. Lists by Owner all open Help Desk tickets opened in the last 7 days. Lists by Owner all tickets that are past their due date but not in escalation (stalled tickets). Lists by Category all stalled and open Help Desk tickets. Lists by Impact all stalled and open Help Desk tickets. Lists by Owner all stalled and open Help Desk tickets. Lists by Priority all stalled and open Help Desk tickets. Lists by Status all stalled and open Help Desk tickets.

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

227

Category Help Desk Help Desk

Report Stalled/Open Tickets with Due Date by Owner Work Report Date Range - Long Notes Display Work Report last 31 days Work Report last 31 days Customize Work Report last 31 days - Long Notes Display Work Report last 31 days by Person Boot/Login Policies KBOX Agent Roll Out Log KBOX Communication MI's enabled on all machines Scripts enabled on all machines Network Info - Domain Listing Network Info - IP Address Listing Network Scan Report Critical Bulletin List For each Machine, what patches are installed For each Patch, what machines have it installed How many computers have each Patch installed Installation Status of each enabled Patch

Description Lists by Owner and due date all stalled and open Help Desk tickets. Displays date, ticket #, technician and hours worked as a header above the Notes for a Work entry for 2006-04-01 through 2006-07-01. Reports all tickets for which work has been logged for the last 31 days. Use this report if you want to build a customized report showing only select fields for all tickets for which work has been logged for the last 31 days. Displays date, ticket #, technician, and hours worked as a header above the Notes for each Work entry. Displays all people who logged work during the last 31 days first by person, and then by ticket and time. Lists all the activities that could happen at machine boot time or after the user logs in. Reports when a computer record was first created. Lists by day the latest communication from computers on the network. Lists all the managed installations that are enabled on all machines. This report lists the scripts that are enabled on all machines. This report lists computers groups computers by domain/workgroup. Lists computers in order of IP Address (ascending). Displays the results of the nightly Network Scan. Lists all critical bulletins. Lists of all patches on each computer in the KBOX network. Lists the computers having each software patch in inventory. Software Inventory listing sorted by software title showing number of seats deployed. Lists the installation status of each enabled patch.

Help Desk Help Desk

Help Desk

Help Desk

KBOX KBOX KBOX KBOX KBOX Network Network Network Patching Patching Patching Patching Patching

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

228

Category Patching Patching Security Security Security Security Security

Report Needs Review Bulletin List Patches waiting to be deployed Number of machines with OVAL vulnerabilities OVAL Machine Report SANS Top 10 - Q2 2005 Threatening Items Top 10 OVAL Vulnerabilities

Description List of all the Bulletins that need review. Lists all patches waiting to be deployed. Lists, for each OVAL test, how many machines failed the test and are therefore vulnerable. Reports all the machines and how many OVAL tests that each of them failed. Reports all OVAL results from vulnerabilities reported by SANS. Displays all items of threat level 4 or 5 and the computers which have them. Displays a Pie graph of the top 10 OVAL vulnerabilities that have been reported by the OVAL scan. Generates a CSV listing for data export to other programs. Lists, by software item, where software has been installed but not used according to software metering. This only works when you have attached the metering to a particular software item which limits you to a particular version of software. Software Inventory listing grouped by vendor showing number of seats deployed. Lists all software titles organized by all KBOX labels. Listing of all software titles that are not currently installed on any computers. Listing of all software on each computer in the KBOX network. Pie graph showing the list and count of Operating Systems currently deployed on your network. This report lists the computers having each software title in inventory. This report lists computers having each Microsoft software title in inventory. Software Inventory sorted by software title showing number of seats deployed. Lists all computers, reporting if XP SP2 is installed or not. Change 'Windows XP Service Pack 2' to any other Software title you are interested in. Sorted by installation status.

Software Software

Software Export Software Installed But Not Used Last 6 Months

Software Software Software Software Software Software Software Software Template

Software Inventory By Vendor Software Listing By Label Software not on any computer Software on Computer Software OS Report - Graph Software Title & Version - Computer List Software Title - Computer List (MS Only) Software Title Deployed Count Computer Listing - XP SP2 installed?

Table 12-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

229

Category Template

Report Computer Listing with Software Template Custom Inventory Template

Description Computer Listing sorted by LABEL with computers having software names like "Microsoft Office Professional%". Reports the values returned by a custom inventory rule that you can setup in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item with the Custom Inventory Rule in it. This is a template that lists the values returned from a 'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute that you returned. This template lists the values returned from a script using the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that you entered in the script. Reports all the machines in label(s) and indicates if they have a particular software product installed. Replace KBOX with the name of the software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you want included.

Template

Template

Log File Information Template

Template

Log Registry Value Template

Template

Machines By Label X with Software Y Installed

Table 12-1: Default reports

Running Reports
To run any of the KBOX reports, click the desired format type (HTML, PDF, CSV, XLS or TXT). For the HTML format, the report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open the file or save it to your computer.

Creating and Editing Reports
If you have other reporting needs not covered by the reports previously mentioned, you can either create a new report from scratch, or you can modify one of the templates provided in the KBOX Template category. You can create a report in the following ways: Duplicate an existing report - Another way to create a report is to open an existing report and create a copy of it, which you can then modify to suit your needs. Create a new report using the Report Wizard. Create a new report from scratch. You can create a report using the Table or Chart presentation type. The table presentation type gives you a tabular report with optional row groupings and summaries and the Chart presentation type gives you a bar, line or pie chart.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

230

To create a new report using the table presentation type: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Add New Report from the Choose action drop-down list. 3. Enter the report details as shown below: Report Title Report Category Description Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others. Enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software. 5. Click the Table presentation type icon. 6. Click Next. 7. To choose table columns: a Click the Appropriate column name from the Available columns list. b Click clicking to add that column to the Display Columns list. You can change the column order by or . .

c To remove a column from the Display list, click the appropriate column and click 8. Click Next. 9. To define the criteria for displaying records in the report:

a Click the Appropriate field name from the Available Fields list. Columns that you chose in the previous step appear under display fields. You can also choose a field from among all fields available for that topic. For example, Threat Level. b Click Add. c Select the appropriate operator from the comparison drop-down list. For example, Greater Than. d Enter the appropriate value in the text field. For example, 3. This rule filters the data and display only software that has Threat Level greater than 3. e Click OK. The rule is added in the list of Current Rules. You can add more than one rule. f Click to remove a rule from the list of Current Rules.

g Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to define a syntactic structure for your rules to override operator precedence. h Click the Check Syntax button to check whether the rule syntax is valid. i Once you add more than one rule, you can click the Move Up or Move Down button to change the order of rules.

10. Click Next. 11. To choose columns to be displayed in the report: a Click the Appropriate column name from the Available columns list.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

231

b Click clicking

to add that column to the Display Columns list. You can change the column order by or . .

c To remove a column from the Display list, click the appropriate column and click 12. Click Next.

13. You can customize the report layout. You can drag to set column order, width and add spacers. You can drag and drop between columns as well as between columns and spacer. Click on the column and report headings for further menu of labels, grouping, summary and other options. The options available are as follows: Title Spacer Column Click on the title displayed before spacer to display the field name of spacer, Add as a group and Add as a column options. Click on spacer to display the field name of spacer and Add as a column options. Click on column to display the column name, change label, switch to group, remove column, summaries and move to right or left depending upon the column alignment options.

14. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list. To run the new report, click the desired format (HTML, PDF, CSV, XLS or TXT). For the HTML format, the report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open the file or save it to your computer. You can jump to steps 1-5 of the Reporting Wizard Step. Step 1 and Step 2 are mandatory and can not be left blank.

To create a new report using the chart presentation type: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Add New Report from the Choose action drop-down list. 3. Enter the report details as shown below: Report Title Report Category Description Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others. Enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software. 5. Click the Chart presentation type icon. 6. Click Next. 7. To choose table columns: a Click the Appropriate column name from the Available columns list. b Click clicking to add that column to the Display Columns list. You can change the column order by or . .

c To remove a column from the Display list, click the appropriate column and click

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

232

8. Click Next. 9. To define the criteria for displaying records in the report: a Click the Appropriate field name from the Available Fields list. Columns that you chose in the previous step appear under display fields. You can also choose a field from among all fields available for that topic. For example, Threat Level. b Click Add. c Select the appropriate operator from the comparison drop-down list. For example, Greater Than. d Enter the appropriate value in the text field. For example, 3. This rule filters the data and display only software that has Threat Level greater than 3. e Click OK. The rule is added in the list of Current Rules. You can add more than one rule. f Click to remove a rule from the list of Current Rules.

g Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to define a syntactic structure for your rules to override operator precedence. h Click the Check Syntax button to check whether the rule syntax is valid. i Once you add more than one rule, you can click the Move Up or Move Down button to change the order of rules.

10. Click Next. 11. Select the appropriate chart type from the following: Simple 3-D Bar: Displays categories along the X-axis, values along the Y-axis. 3-D Pie: Displays a slice for each category. The corresponding value determines the size of the slice. Line: Displays categories or dates along the X-axis, values along the Y-axis. 12. Select the appropriate category field from the Category Field drop-down list. 13. Select the summary from the Summary drop-down list, beside appropriate Value field name. If you have more than one Value field, you can change the value field order by clicking 14. Select the Show legend check box if you want to display a legend in the chart. 15. Specify the Chart width and Chart height in pixels, in the text fields. 16. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list. You can jump to steps 1-5 of the Reporting Wizard Step. Step 1 and Step 2 are mandatory and can not be left blank. or .

To duplicate an existing report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Click the report title you wish to duplicate. The Report Wizard page appears. 3. Click Duplicate. 4. Modify the report details as necessary, then go to the last step - step report layout, and click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

233

To create a new SQL report from scratch: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report : Edit Detail page appears. 3. Specify the following report details: Title Report Category Output File Name Description Output Types SQL Select Statement Break on Columns Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others. Enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Enter the name for the file generate when this report is run. Describe the information that the report provides. Select the appropriate formats that should be available for this report. Enter the query statement that generates the report data. For reference, consult the MYSQL documentation. A comma-separated list of SQL column names. The report generates break headers and sub totals for these columns. This setting refers to the autogenerated layout. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns. This option creates the Report XML layout based on the SQL you enter. Note: If you have just changed a sort order or a where clause, you need not recreate the layout.

XML Report Layout

4. Click Preview. Refer to “Previewing SQL report,” on page 235. 5. Click Save to add this SQL report to list of reports on the KBOX Reports page. The KBOX Reports page appears. For assistance with formatting the report XML, JRXML format is used. You can use iReports to design reports with JRXML. The documentation is available at http:// jasperforge.org/jaspersoft/opensource/business_intelligence/ireport/. Once you click the Save button, the report wizard is disabled for that report. To edit a report using SQL Editor: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Click the report you want to edit. The Report Wizard page appears. 3. Click the Edit SQL button. 4. Click OK to proceed. The KBOX Report : Edit Detail page appears. 5. Edit the following report details: Title Edit the display name for the report if required. Make this as descriptive as possible, so you can distinguish this report from others.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

234

Report Category Output File Name Description Output Types SQL Select Statement Break on Columns

Edit or enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Edit or enter the name for the file generate when this report is run. Describe the information that the report provides. Select the appropriate formats that should be available for this report. Edit or enter the query statement that generates the report data. For reference, consult the MYSQL documentation. A comma-separated list of SQL column names. The report generates break headers and sub totals for these columns. This setting refers to the autogenerated layout. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns. This option creates the Report XML layout based on the SQL you enter. You can edit, if necessary. Note: If you have just changed a sort order or a where clause, you need not recreate the layout.

XML Report Layout

6. Click Save. Editing the SQL of a report disables modifying it with the Report Wizard.

To duplicate an existing SQL report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Click the report title you wish to duplicate. The KBOX Report : Edit Detail page appears. 3. Click Duplicate. 4. Modify the report details as necessary, then click Save. Refer to Appendix B,“Adding Steps to a Task,” starting on page 330.

Previewing SQL report
The KBOX provides preview functionality, to view the report created using SQL Editor. You can also customize an existing report by changing its title, layout, SQL query, break columns, and then view the modified report using preview button. To preview the SQL report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report : Edit Detail page appears. 3. Specify title, report category, output file name, description, SQL Select Statement, Break on Columns. 4. Click Preview. The SQL report is displayed in KBOX Report : Preview Page Layout. 5. To customize the column width, hover the mouse over the report column you want to adjust the width. Drag the mouse pointer to change the size of the column width.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

235

6. Click on Save button to update these settings.
To preview the existing SQL report: 1. Click on existing SQL report. The KBOX Report : Edit Detail page appears. 2. Click Preview to view the report. You can customize the report by changing its title, SQL query, or layout. 3. Click Preview to view the customized report.

Scheduling Reports
Reports can be scheduled from the Schedule Reports tab. From the Report Schedules List page you can open existing schedules, create new schedules, or delete them. You can also search schedules using keywords. To create a report schedule: 1. Select Reporting | Schedule Reports. The Report Schedules page appears. 2. Select Create a New Schedule from the Choose action drop-down list. The Schedule Reports : Edit Detail page appears. 3. Specify the following schedule details: Record Created Record Last Modified Schedule Title Description Report to Schedule Report Output Formats Displays the date and time when the schedule was first created. This field is read-only. Displays the date and time that the schedule was last modified. This field is read-only. Enter a display name for the schedule. Make this as descriptive as possible, so you can distinguish this schedule from others. Enter the information that the schedule would provide. Select the appropriate report you would like to schedule. You can filter the list by entering any filter options. Click the desired output report format (PDF, Excel, CSV, or TXT) that should be available for this scheduled report. Recipients Click the icon to enter the recipient’s e-mail address, or choose Select user to add from the drop-down list. This is a mandatory filed. Enter the subject of the schedule. The subject can help to quickly identify what the schedule is about. Enter the message text in the notification.

Email Notification

Subject Message Text

4. Specify scan schedule: Don’t Run on a Schedule Run Every n hours Run Every day/specific day at HH:MM AM/PM Select to run the schedules in combination with an event rather than on a specific date or at a specific time. Select to run the schedules at the specified time. Select to run the schedules on specified day at the specified time.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

236

Run on the nth of every month/ Select to run the tests on the specified time on the 1st, 2nd, or specific month at HH:MM AM/PM any other date of every month or only the selected month. 5. Click Save or Run Now to run the schedule reports immediately. To run a schedule: 1. Select Reporting | Schedule Reports. The Report Schedules page appears. 2. Select the check box beside the schedule(s) you want to run. 3. In the Choose action box, select Run Selected Schedules Now. To delete a schedule: 1. Select Reporting | Schedule Reports. The Report Schedules page appears. 2. Select the check box beside the schedule(s) you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the schedule(s).

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

237

Alert Messages
Alert messages provide a way for you to interact with your users by displaying a message in a pop-up window. The Alerts List page displays the messages you have distributed to users. From the Alerts List page you can open existing alerts, create new alerts, or delete alerts. You can also search messages using keywords. The Alerts feature works only if there is a constant connection between the KBOX Agent and the KBOX. For information on how to set up the constant connection, Refer to “Configuring AMP Settings for the Server,” on page 24.

Creating Alert Messages
If you have information that you want to distribute to your network, you can review and modify previous messages you have deployed, or you can create a new message. To create an alert message: 1. Select Reporting | Alerts. 2. Select Add New Item from the Choose action drop-down list. The Alerts: Edit Detail page appears. 3. In the Message Content field, type the text of your message. 4. In the Keep Alive field, specify the length of time (in hours) for which the message is valid. The messages are broadcasted to users until either the user's desktop has received the message or the specified time interval has elapsed. To set the time interval for downloading scripts, go to Settings | KBOX Agent | KBOX Agent Settings. 5. In the Limit Broadcast To area, select the recipient label(s) to which this message is sent. Press CTRL and click to select multiple labels. 6. Select the Enable Scheduled Run check box to specify the alert schedule. Select the appropriate day and time from the drop-down lists. 7. Click Save. The pending alert messages are displayed in the AMP Message Queue if they are not pushed to the target machine. The alert messages remain in the queue till the Keep Alive time interval elapses or if the connection between the KBOX Agent and the KBOX is lost or interrupted. Once the time interval is elapsed, the messages are deleted from the queue and the alerts expires.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

238

E-mail Alerts
E-mail Alerts differ from Alerts (broadcast messages) in an e-mail alert you can send out messages to administrators based on more detailed criteria. The E-mail Alert feature relies on the Inventory | Computers engine to create a notification that are sent to administrators when computers meet the criteria you specify. The KBOX 1000 Series checks the computers listed in the inventory against the criteria in the E-mail Alert once in every hour until one or more computers meet the criteria, then a message is sent to the administrator(s) specified in the alert details.

Creating E-mail Alerts
Notifications are processed every 60 minutes. Should a notification query result in 1 or more machine records, then a notification e-mail is automatically sent to the specified recipient. To create an e-mail Alert: 1. Select Reporting | Email Alerts. The Email Alerts page appears. 2. Select Add New Computer Notification in the Choose action drop-down list. The Inventory | Computers tab appears with the Create Email Notification fields exposed. 3. Enter the search criteria. 4. In the Title field, enter a title for the alert. The Title appears in the Subject field. 5. In the Recipient field, enter the e-mail address(es) of the message recipient. The e-mail addresses must be fully qualified e-mail addresses. The recipient’s address can be a single e-mail address or a list of addresses separated by commas. 6. Click the Create Notification tab.

Filters
The KBOX 1000 Series allows you to create two specific type of filters. They are as follows: Machine Filter Software Filter You can view the list of available filters from the Reporting | Filters tab. With the Filters tab you can: Add A New Machine Filter Add A New Software Filter Delete a Filter Order Machine Filters Order Software Filters For Adding A New Machine Filter, Refer to Chapter 3,“Creating Search Filters for Computer Inventory,” starting on page 56.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

239

For Adding A New Software Filter, Refer to Chapter 3,“Creating Search Filters for Software Inventory,” starting on page 67. To edit a filter: 1. Select Reporting | Filters. The Filters page appears. 2. Click on a filter name (filter label name) to open Filters : Edit Detail page appears. 3. Filters : Edit Detail page shows the following, Filter Type Assigned Label Label Notes Filter SQL 4. Click Save. When you click on Duplicate to create a new filter with same Filter SQL text, you can only reassign it to a new label. Specifies whether the filter type is Machine Filter or Software Filter. From the drop-down list, choose the appropriate label you want to assign. Click on Details to edit label details. For more information on editing able details, Refer to Chapter 3,“Labels,” starting on page 84. Displays note relevant to the label, if entered in the Notes field. This field displays the filter query in the SQL format. You can click on Duplicate to create a new filter with same Filter SQL text.

To order machine filters: 1. Select Reporting | Filters. The Filters page appears. 2. Select Order Machine Filters from the Choose action drop-down list. The Order Machine Filters page appears. This page lists all the existing machine filters. 3. Click the icon beside a filter listed to modify it. By default, when a new machine filter is created, it has an order value of 100. 4. You can specify the order in which this filter runs by editing the Order value for this filter. Filters with descending Order values executes first. 5. Click Save. To order software filters: 1. Select Reporting | Filters. The Filters page appears. 2. Select Order Software Filters from the Choose action drop-down list. The Order Software Filters page appears. This page lists all the existing software filters. 3. Click the icon beside a filter listed to modify it. By default, when a new software filter is created, it has an order value of 100. 4. You can specify the order in which this filter runs by editing the Order value for this filter. Filters with descending Order values executes first. 5. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

240

Exporting Reports
You can export the existing reports of individual organizations in the .jrxml format, which can be viewed through iReport. You can customize the exported report by changing the layout, font size or background color in iReport and import this customized report in the KBOX. To export a report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select the check box beside the report(s) that you want to export. 3. Select Export Selected Report(s) from the Choose action drop-down list. The File Download popup window opens. 4. Select Save File to save the reports.zip file to the desktop of your machine. The reports.zip file contains the exported report in the .jrxml format, which can be viewed in iReport. You can download iReport from http://jasperforge.org/jaspersoft/opensource/ business_intelligence/ireport/. To view the exported .jrxml file in iReport: 1. Create a connection between iReport and mysql database of the KBOX. 2. Open the .jrxml file in iReport and execute the report with active connection. You can view the exported report and change its layout using iReport.

Importing Reports
You can import an existing report exported or a new report created in the .jrxml format, using the iReport wizard. To import the report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Import Reports from the Choose action drop-down list. The KBOX Reports : Import Reports page appears. 3. Click Browse and locate the .jrxml file that you want to import and then click Open. 4. Click Upload Reports to upload the .jrxml file in KBOX. 5. View the import results to verify the successful import of the report. This report is displayed in the KBOX Reports page. The Reporting module of the KBOX currently does not support the subreport feature of JasperReports.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

241

C H A P T E R 13 LDAP
The KBOX LDAP feature lets you to browse and search the data located on the LDAP Server.
“LDAP Browser,” on page 243 “LDAP Easy Search,” on page 244 “LDAP Browser Wizard,” on page 245 “LDAP Filters,” on page 247 “User Authentication,” on page 249

242

LDAP Browser
The LDAP Browser allows you to browse and search the data located on the LDAP Server. For example, Active Directory Server. You must have the Bind DN and the Password to log on to the LDAP Server. To use the LDAP Browser: 1. Select Reporting | LDAP Browser. 2. Specify the LDAP Server Details LDAP Server Enter the IP or the Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME If you have a nonstandard SSL certificate installed on your LDAP server such as internally-signed or a chain certificate not from a major certificate provider such as Verisign, you need to contact KACE Support for assistance before proceeding. LDAP Port LDAP Login Enter the LDAP Port number, which could be either 389/636 (LDAPS). Enter the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com LDAP Password 3. Click test. 4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect. The LDAP server is not up. The login credentials provided are incorrect. 5. Click a Base DN or click Next. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information. Attribute Name Relational Operator Attribute Value Enter the Attribute Name. For example, samaccountname. Select the relational operator from the drop-down list. For example, =. Enter the attribute value. For example, admin. Enter the password for the LDAP login.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

243

7. To add more than one attribute: Conjunction Operator Select the conjunction operator from the drop - down list. For example, AND. Note: This field is available for the previous attribute only when you add a new attribute. Add Search Scope Click Add. You can add multiple attributes. Click One level to search at the same level or click Sub-tree level to search at the sub-tree level.

8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin). 9. Click Browse to display all the immediate child nodes for the given base DN and search filter. Click Search to display all the direct and indirect child nodes for the given base DN and search filter. The search results are displayed in the left panel. 10. Click a child node to view its attributes. The attributes are displayed in the right panel.

LDAP Easy Search
You can use LDAP Easy Search to quickly search the data located on the LDAP Server. To use the LDAP Easy Search: 1. Select Reporting | LDAP Browser. 2. Specify the LDAP Server Details LDAP Server Enter the IP or the Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME If you have a nonstandard SSL certificate installed on your LDAP server you need to contact KACE Support for assistance before proceeding. A nonstandard certificate can be an internally-signed or a chain certificate that is not from a major certificate provider such as Verisign. LDAP Port LDAP Login Enter the LDAP Port number, which could be either 389/636 (LDAPS). Enter the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com LDAP Password 3. Click test. Enter the password for the LDAP login.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

244

4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect. The LDAP server is not up. The login credentials provided are incorrect. 5. Click a Base DN or click Next. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. Click the Go to LDAP Easy Search link. The LDAP EasySearch page appears. 7. Enter any key word for search and click GO. For more specific search you can click the Indexed field option or Non-Indexed field option. You can also specify Other attributes, separated by comma.

LDAP Browser Wizard
The LDAP Browser Wizard enables you to fill in the information for Search Base DN and Search Filter. Using the LDAP Browser Wizard you can browse and search the data located on the LDAP Server. For example, Active Directory Server. You must have the Bind DN and the Password to log on to the LDAP Server. To use the LDAP Browser Wizard: 1. Click LDAP Browser. 2. Specify the LDAP Server Details LDAP Server Enter IP or Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME If you have a nonstandard SSL certificate installed on your LDAP server you need to contact KACE Support for assistance before proceeding. A nonstandard certificate can be an internally-signed or a chain certificate that is not from a major certificate provider such as Verisign. LDAP Port LDAP Login Enter the LDAP Port number which could be either 389 / 636 (LDAPS). Enter the Bind DN For example: CN=Administrator,CN=Users,DC=kace,DC=com LDAP Password 3. Click test. Enter the password for the LDAP login.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

245

4. On a successful connection to the LDAP server, a list of possible base DNs (Distinguished Names) available on that directory is displayed. These base DNs can be used as a start point to browse and search the directory. If the connection was not established, the Operation Failed message appears, which could be due to one of the following reasons: The IP or Host Name provided is incorrect. The LDAP Server is not up. The login credentials provided are incorrect. 5. Click Next or one of the base DNs to advance to the next step. A new window displays the Search Base DN and the Search Filter. The Search Base DN is populated on the basis of the Base DN that you selected in the previous screen. You can modify the Search Base DN and the Search Filter. 6. You can also use the Filter Builder to create complex filters. Click Filter Builder. The Query Builder is displayed. Specify the following information. Attribute Name Relational Operator Attribute Value 7. To add more than one attribute: Conjunction Operator Select the Conjunction Operator from the drop - down list. For example, AND. Note: This field is available for the previous attribute only when you add a new attribute. Add Search Scope Click Add. You can add multiple attributes. Click One level to search at the same level or click Sub-tree level to search at the sub tree level. Enter the Attribute Name. For example, samaccountname. Select the Relational Operator from the drop - down list. For example, =. Enter the Attribute Value. For example, admin.

8. Click OK. The query appears in the Search Filter text area. For example, (samaccountname=admin). 9. Click Browse to display all the immediate child nodes for the given base DN and search filter or click Search to display all the direct and indirect child nodes for the given base DN and Search Filter. The search results are displayed in the left panel. 10. Click a child node to view its attributes. The attributes are displayed in the right panel. 11. Click Next to confirm the LDAP configuration. 12. Click Next to use the displayed settings.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

246

LDAP Filters
LDAP Filters allow the automatic labeling of machine records based on LDAP or Active Directory interaction. The search filter will be applied to the external server and should any entries be returned then automatic labeling results. If the external server requires credentials for administrative login (aka non-anonymous login), supply these credentials. If no LDAP user name is given, then an anonymous bind will be attempted. Each LDAP filter may connect to a different LDAP/AD server. You may bind to an LDAP query based on the following KBOX variables: Computer Name Computer Description Computer MAC IP Address User name User Domain Domain User To create an LDAP Filter: 1. Select Reporting |LDAP Filters. 2. Select Add New Item from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears. 3. Enter the following information: Enabled Filter Type Associated Label Name Associated Label Notes Server Host Name Select the check box to enable. Select the LDAP filter type. Select the label to associate with this filter. If any notes are entered in the label definition, these notes are automatically populated in this field. Specify the IP or the Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME If you have a nonstandard SSL certificate installed on your LDAP server you need to contact KACE Support for assistance before proceeding. A nonstandard certificate can be an internally-signed or a chain certificate that is not from a major certificate provider such as Verisign. Enter the LDAP Port number which could be either 389 / 636 (LDAPS). Enter the Search Base DN. For example: CN=Users,DC=kace,DC=com

LDAP Port Number Search Base DN

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

247

Search Filter

Enter the Search Filter. For example: (&(sAMAccountName=admin)(memberOf=CN=financial,DC=kace,DC= com))

LDAP Login

Enter the LDAP login. For example: LDAP Login: CN=Administrator, CN=Users,DC=kace=com

LDAP Password

Enter the password for the LDAP login.

If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, Refer to Chapter 11,“Importing Users,” starting on page 201. 4. Click Save. Each time a machine checks into the KBOX, this query will run against the LDAP server. The admin value in the 'Search Filter' will be replaced with the name of the user that is logged onto this machine. If a result is returned, then the machine gets the label specified in the Associated Label field. NOTE: To test your Filter, click the Test button and review the results.

You can also create an LDAP Filter using the LDAP Browser. To create an LDAP Filter using the LDAP Browser: 1. Select Reporting |LDAP Filters. 2. Select Add New Item Using LDAP Browser from the Choose action drop-down list. The LDAP Filter: Edit Detail page appears. 3. Enter the following information: Enabled Filter Type Associated Label Name Associated Label Notes Select the check box to enable. Select the filter type. Select the label to associate with this filter. This field is mandatory. If any notes are entered in the label definition, these notes are automatically populated in this field.

4. Click Next to configure the LDAP settings. The LDAP Browser Wizard is displayed. For more information on how to use the LDAP Browser Wizard, Refer to “LDAP Browser Wizard,” on page 245.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

248

User Authentication
Instead of setting up users individually on the Users tab, you can configure the KBOX 1000 Series for local authentication, or External LDAP Server Authentication. The KBOX can then access a directory service (such as LDAP) for user authentication. This allows users to log into the KBOX 1000 Series Administrator portal using their domain user name and password, without having to add users individually from the Users tab. To configure the KBOX for user authentication: 1. Select Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click User Authentication. The KBOX Settings: Authentication page appears. 3. Click the [Edit Mode] link. 4. Specify the Authentication method you want to use: KBOX (local Authentication) Select this option to enable local authentication. If local authentication is enabled, the password is authenticated against the existing entries in the local database at Help Desk | Users. By default the Local authentication is set to enabled. Select this option to enable external user authentication. External authentication can be used against an LDAP server or Active Directory server. If External LDAP Server Authentication is enabled, the password is authenticated against the External LDAP Server. Contact KACE customer support if you need assistance with this process.

External LDAP Server Authentication

If the External LDAP Server Authentication is enabled, provide credentials for administrative login. The LDAP user configured should at least have READ access to the "search base" area. If you do not specify an LDAP user name, then an anonymous bind is attempted. 5. Click Edit Mode to edit External LDAP Server Authentication fields. Click the appropriate icons next to the server name to perform described actions: Icon Description Schedules a user import for this server Modifies the server definition Removes the server Changes the order of the server in the list of servers 6. You can have more than one LDAP Server/Directory configured. Click Add New Server to add a new LDAP Server.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

249

All servers must have a valid IP address or Host Names entered in the Server Host Name field, or the KBOX will wait to timeout on an invalid IP address, resulting into login delays when using LDAP Authentication. 7. Complete the external server definition by specifying the following information. Server Friendly Name Server Host Name (or IP) Enter a name for the server. Enter IP or Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME If you have a nonstandard SSL certificate installed on your LDAP server you need to contact KACE Support for assistance before proceeding. A nonstandard certificate can be an internally-signed or a chain certificate that is not from a major certificate provider such as Verisign. Enter the LDAP Port number which could be either 389 / 636 (LDAPS). Enter the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com Search Filter Enter the Search Filter. For example: (samaccountname=admin) LDAP Login Enter the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com LDAP Password (if required) Enter the password for the LDAP login. Role Required. Enter the user’s role: Admin Role: This user can log on to and access all features of the administrator UI and User Portal or Help Desk. Admin role is the default role. ReadOnly Admin Role: This user can log on, but cannot modify any settings in the administrator UI and User Portal or Help Desk. User Role: This user can log on only to the User Portal or Help Desk. Login Not Allowed—This user cannot log on to the User Portal or Help Desk. Note: The roles listed above are system provided roles and are not editable. To create a new role, Refer to Chapter 11,“Roles,” starting on page 203.

LDAP Port Number Search Base DN

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

250

The user can log on to Help Desk only if, optional Help Desk Module is installed.

8. Click Apply to save your changes. 9. To test LDAP settings, enter a password in the Test User password, then click Test LDAP Settings. If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, Refer to “LDAP Browser Wizard,” on page 245. To schedule a User Import: 1. Click Edit Mode to edit External LDAP Server Authentication fields. 2. Click icon next to the server name in the list of servers to schedule a user import.

The User Import : Schedule - Choose attributes to import: Step 1 of 3 page appears. 3. The LDAP Server Details are displayed, LDAP Server LDAP Port Search Base DN Search Filter LDAP Login LDAP Password This is a Read-only field that displays the IP or Host Name of the LDAP Server. Displays the LDAP Port number which could be either 389 (LDAP)/636 (LDAPS). This is a Read-only field. This is a read only field that displays the Search Base DN. This is a read only field that displays the Search Filter. This is a read only field that displays the LDAP login. The LDAP login password. This is a Read-only field.

4. Specify the attributes to import. Attributes to retrieve Specify the attributes to retrieve. For example: samaccountname, objectguid, mail, memberof, displayname, sn, cn, userPrincipalName, name, description Note: You can leave this field blank to retrieve all attributes, but this may make the import process slow and is not recommended. Label Attribute Enter a label attribute. For example, memberof. Label Attribute is the attribute on a customer item that returns a list of groups this user is a member of. The union of all the label attributes will form the list of Labels you can import. Label Prefix Enter the label prefix. For example, ldap_ Label Prefix is a string that is appended to the front of all the labels.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

251

Binary Attributes

Enter the Binary Attributes. For example, objectsid. Binary Attributes indicates which attributes should be treated as binary for purposes of storage.

Max # Rows Debug Output

Enter the maximum rows. This will limit the result set that is returned in the next step Select the check box to view the debug output in the next step.

If you are unable to fill in the information for Search Base DN and Search Filter, you can use the LDAP Browser Wizard. For more information on how to use the LDAP Browser Wizard, Refer to “LDAP Browser Wizard,” on page 245. 5. In Email Notification section, Click add from the drop-down list. to enter the recipient’s e-mail address, or choose Select user to

6. In Scheduling section, specify the scan schedule: Don’t Run on a Schedule Run Every day/specific day at HH:MM AM/PM Run on the nth of every month/specific month at HH:MM AM/PM 7. Click Next. The User Import : Schedule - Define mapping between User attributes and LDAP attributes: Step 2 of 3 page opens. 8. Select the value from the drop-down list next to each LDAP attribute to map the values from your LDAP server into the User record on the KBOX. The fields in Red are mandatory. The LDAP Uid must be a unique identifier for the user record. 9. Select a label to add to the KBOX. Press CTRL and click to select more than one label. This list displays a list of all the Label Attribute values that were discovered in the search results. 10. Click Next. 11. Review the information displayed in the tables below. The Users to be Imported table displays list of users reported and the Labels to be Imported table displays the list of labels reported. The Existing Users table and the Existing Labels table display the list of Users and Labels that are currently on the KBOX. Only users with a LDAP UID, User Name, and E-mail value will be imported. Any records that do not have these values are listed in the Users with invalid data table. 12. Click Next to start the import. The User Import : Schedule - Import data into the KBOX: Step 3 of 3 page opens. 13. Click Import Now to save the schedule information and load the user information into the KBOX. After importing, you will be taken to the User list page, where you can edit the imported user records. Select this to not have the user import run on a schedule Select to run the schedules on specified day at the specified time. Select to run the tests on the specified time on the 1st, 2nd, or any other date of every month or only the selected month.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

252

14. Click Save to save schedule information. After saving, you will be taken to the KBOX Settings: Authentication page. The imported user can log on to and access all features of the administrator UI and User Portal or Help Desk depending on the role assigned. Optional Help Desk Module needs to be installed for logging on to the Help Desk.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

253

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

254

C H A P T E R 14 KBOX Settings - System Admin
The KBOX is an easy-to-deploy Systems Management Appliance. It comes with features that deliver all you expect from a distribution management system and more. This chapter guides you to install and set up the KBOX appliance to work in your environment.
“Configuring General Settings for the Server,” on page 256 “Configuring Network Settings for the Server,” on page 258 “Managing System Console Users,” on page 260 “Configuring Security Settings for the Server,” on page 262 “Configuring AMP Settings,” on page 266 “Configuring Date & Time Settings of the KBOX Server,” on page 268 “Troubleshooting Tools,” on page 268 “Single Sign-On,” on page 269 “The KBOX Summary,” on page 273

255

Configuring General Settings for the Server
This section covers the general server configuration settings you should modify before you use the KBOX. To configure General Settings for the Server: 1. Select KBOX Settings | Control Panel. 2. Click General Settings. The KBOX General Settings page appears. Click [Edit Mode] to edit the field values. 3. Specify the following settings: Company-Institution Name User Email Suffix System Administrator Email Login Organization Drop-down Enter the name of your company. This name appears in every pop-up window or alerts displayed to your users. For example, KACE. Enter the domain to which your users send e-mail. For example, kace.com. Enter the e-mail address of the KBOX administrator. This address receives system-related alerts, including any critical messages. Select the check box to enable the Login Organization Drop-down. By enabling the Login Organization dropdown, the empty Organization: field on the Welcome login page will be replaced by a drop-down of the configured organizations. Note: The organization field or drop-down only appears if more than one organization is configured. Select the check box to enable Organization Fast Switching. By enabling Organization Fast Switching, the static Organization: field at the top right corner of every page is replaced with a drop-down of organizations to which the user has access. Only those organizations that have the same user name and password appear in the drop-down. Crash reports Select the check box to send a report to KACE in the event of a KBOX crash. This option is recommended, since it provides additional information to the Kace Technical Support team in case you need assistance. Select the check box to enable your KBOX to share data with the AppDeploy Live! web site.

Organization Fast Switching

Send to Kace

Enable AppDeploy Live!

4. Specify the following Agent-Server Task settings: Current KBOX Load Average This value depicts the load on the KBOX server at any given point of time. For the KBOX UI to remain responsive, the value in this field must be between 0.0 and 10.0 . This value indicates the date and time when the KBOX Task Throughput was last updated.

Last Task Throughput Update

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

256

KBOX Task Throughput

At any given point of time, the KBOX has multiple tasks scheduled such as Inventory, Scripting, Patching updates and execution of scripts. The value in this field governs how the scheduled tasks are balanced by the KBOX. Larger the value, more are the tasks attempted by the KBOX, and more is the load on system resources. Note: The value of the KBOX Task Throughput can be increased only in following scenario: Current KBOX Load Average is not higher than 10.0 Last Task Throughput Update time exceeds 15 minutes

Agent "Download Throttle"

This settings decides the maximum number of the KBOX Agents that can downloading packages at one point in time. The packages are not deployed on machines after the Package Download Throttle has been reached. For example, if the value is set to 100 and 100 agents are connected and receiving a deployment, the 101st agent is deferred till one of these 100 agents has finished communicating with the KBOX.

5. Specify the following User Portal settings if required to customize the User Portal page: Portal Title Portal Text iPhone Portal Title iPhone Portal Text Enter a title for the user portal page. Enter a description of the user portal page. Enter a title for the user portal page when accessed through iPhone. Enter a description of the user portal page when accessed through iPhone.

6. Click Set Options, to save your changes. 7. Specify the following Logo Override setting to use your custom report logo. Click [Edit Mode] to edit the field value. Custom Report Logo (.jpg) Displayed at the top of reports generated by the KBOX 1000 Series for each of the organization associated with it. The report image dimensions are 120x32 pixels, this is specified in the autogenerated XML layout. You can adjust the xml report if you need a different layout size.

8. Click Upload Logo.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

257

List of Open Ports required for the KBOX Server
Please ensure that following ports are not blocked by your firewall. These ports are required to access the KBOX server. Port Number 21 25 80 443 3306 8080 8443 52230 Use To access backup files through FTP If the KBOX SMTP Server is to be used HTTP SSL To access the KBOX database Connects directly to Tomcat Connects directly to Tomcat For the KBOX Agent(s) to connect to the KBOX SERVER via AMP

Configuring Network Settings for the Server
The key KBOX network settings are mostly configured when you log into the KBOX for the first time using the konfig/konfig credentials, but an administrator can verify or change the settings at any time on the KBOX. Any changes made to the Network settings on this page will force the KBOX to reboot after saving. Total reboot downtime should be 1 to 2 minutes provided that the changes result in a valid configuration. To configure the KBOX Network Settings: 1. Select KBOX Settings | Control Panel. 2. Click Network Settings. The KBOX Network Settings page appears. If fields are grayed out, you may need to click [Edit Mode] before you can edit the field values. 3. Specify the following settings: KBOX Server (DNS) Hostname KBOX Web Server Name We recommend adding a static IP entry for “kbox” to your DNS, and using the default Hostname and Web Server Name. The fully-qualified domain name of the KBOX on your network is the value of Hostname concatenated with Domain. For example, kbox.kace.com. The clients will connect to KBOX using the Web Server Name, which can be the hostname, fully-qualified domain name, or IP address. For example, kbox.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

258

Static IP Address

The IP address of the KBOX server. Note: Be extremely careful when changing this setting. If the IP address is entered incorrectly, refer to the KBOX console and use the konfig login to correct it. The domain that the KBOX is on. The default value is corp.kace.com The domain that the KBOX is on. The default value is 255.255.255.0 Your default gateway. The primary DNS server the KBOX should use to resolve hostnames. The secondary DNS server the KBOX should use to resolve hostnames. This is an optional setting. Your network speed. The network speed setting should match the setting of your local LAN switch. When set to auto negotiate the system automatically determines the best value. This requires the switch to support auto-negotiate. Otherwise contact your network administrator for the exact setting to be used.

Domain Subnet mask Default gateway Primary DNS Secondary DNS Network Speed

4. To set Network Server Options, perform the following steps under Network Server Options: a Set the external SMTP Server, to enable e-mail notifications through this SMTP server. To set SMTP Server, select the Use SMTP Server check box, and then enter the SMTP Server name in the SMTP Server box. The server named here must allow anonymous (non-authenticated) outbound mail transport. Ensure that your organization’s network policies allow the KBOX to contact the SMTP server directly. The mail server must be configured to allow relaying of mail from the KBOX without authentication. You can test the e-mail service by using Network utilities. For more information on how to use Network Utilities, refer to “Troubleshooting Tools,” on page 268. b To set Proxy Server, select the Use Proxy Server check box, and then specify the following proxy settings, if necessary: Proxy Type Proxy Server Proxy Port Proxy (Basic) Auth Proxy Username Proxy Password Enter the proxy type, either HTTP or SOCKS5 Enter the name of the proxy server Enter the port for the proxy server, the default port is 8080 Select the check box to use the local credentials for accessing the proxy server Enter the user name for accessing the proxy server Enter the password for accessing the proxy server

The KBOX includes support for a proxy server which uses basic, realm-based authentication i.e a proxy server which prompts for a username and password as shown in the following figure.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

259

If your proxy server uses some other kind of authentication you must add the IP address of the KBOX on the exception list of the proxy server. 5. Click Set Options to set the Network Server options.

Managing System Console Users
When logged in as a system administrator, you can add users to access the System Console. When adding users, be sure to specify the correct user permission level If you want to setup users for a specific organization, log into that organization.

To add a user: 1. Select KBOX Settings | Control Panel. 2. Click Users. The KBOX System Admin Users page appears. 3. In the Choose action drop-down list, select Add New Item. The KBOX System Admin: Edit Detail page appears. 4. Enter the necessary user details. Do not specify legal characters in any field. User Name Full Name Email Domain Budget Code Location Work Phone Home Phone Mobile Phone Enter the name the user types to enter the system console. This field is mandatory. Enter user’s full name. This field is mandatory. Enter user’s e-mail address. This field is mandatory. Enter an active directory domain. This field is optional. Enter the financial department code. This field is optional. Enter the name of a site or building. This field is optional. Enter the user’s work phone number. This field is optional. Enter the user’s home phone number. This field is optional. Enter the user’s mobile phone number. This field is optional.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

260

Pager Phone Custom 1 Custom 2 Custom 3 Custom 4 Password

Enter the user’s pager phone number. This field is optional. Enter information in the custom fields if necessary. This field is optional.

Enter the password for the new user. Blank or empty passwords are not valid for new users. The user will be created but the user cannot be activated without a valid password. This field is mandatory. Reenter the user’s password. This field is mandatory. Specify the user’s logon permissions. This field is mandatory: Admin—This user can logon to and access all features of the system console. ReadOnly Admin—This user can log on, but cannot modify any settings in the system console.

Confirm Password Permissions

5. Click Save. To delete a user: 1. Select KBOX Settings | Control Panel. 2. Click Users. The KBOX System Admin Users page appears. You can delete users in two ways: From the Users List view From the KBOX System Admin: Edit Detail page. 3. To delete users, do one of the following: From the Users List view, select the check box beside the user, then select Delete Selected Item(s) from the Choose action drop-down list. From the KBOX System Admin: Edit Detail page, click Delete. 4. Click OK to confirm deleting the selected user. To change the password: 1. Select KBOX Settings | Control Panel. 2. Click Users. The KBOX System Admin Users page appears. 3. Click the user name whose password you want to change. The KBOX System Admin: Edit Detail page appears. 4. Modify the password as follows: Password Enter the password for the new user. Blank or empty passwords are not valid for new users. The user will be created but the user cannot be activated without a valid password. This field is mandatory. Reenter the user’s password. This field is mandatory.

Confirm Password

5. Click Save to save the changes.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

261

Configuring Security Settings for the Server
Security Settings are not mandatory but are required to enable certain functionalities like Samba Share, SSL settings, SNMP, SSH, Offbox DB Access, and FTP access on the KBOX Server. To use any of the Security Settings features, you must enable them. If you make changes to the security settings, the KBOX will need to be rebooted before any changes can take effect.

To configure Security Settings: 1. Select KBOX Settings | Control Panel. 2. Click Security Settings. The KBOX Security Settings page appears. 3. Click [Edit Mode] to edit the security settings fields. 4. In the General Security Settings area, specify the following security settings: SSH Enabled Enable backup via ftp Select this check box if you want to permit someone to login to the KBOX via SSH. Select this check box if you want to enable backup via ftp. The KBOX creates a backup of the database and the files stored on it, daily. By default, these files can be accessed by you via a read-only ftp server. Refer Chapter 16,“To access the backup files through ftp:,” starting on page 295. If you do not need this feature and want to disable the FTP server, clear this check box. Select this check box if you want to prevent users from accessing the KBOX backup files without logging on to the KBOX. Note: Even if the Secure backup files check box is not selected, you can still access the KBOX backup files. You can do this by entering the full URL in the browser without logging on to the KBOX. Select this check box if you want to allow SNMP monitoring. The SNMP is a network or appliance monitoring protocol that is supported by many third party products. If you do not want to expose the KBOX SNMP data, clear this check box. Select this check box if you want to allow the KBOX database access. The KBOX database is accessible via port 3306, to allow you to run reports via an off board tool like Access or Excel. If you do not want to expose the database in this way, clear this check box.

Secure backup files

Enable SNMP monitoring

Enable database access

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

262

5. In the Samba Share Settings area, specify the following settings: Enable Organization File Shares Select this check box if you want to allow each organization to leverage the KBOX's client share as an install location for the client. The KBOX has a built-in windows file server that can be used by the provisioning service to assist in distributing the KBOX Client on your network. KACE recommends that this file server only be enabled when performing client software installs. Select this check box if you want to allow NTLMv2 authentication for the KBOX files shares. When you enable this option, the clients connecting to the KBOX File Shares require support for NTLMv2 and have to authenticate to the KBOX using NTLMv2. Enabling this option disables "lanman auth" and "ntlm auth" on the samba server. Note: NTLMv2 is more secure than NTLM and LANMAN, but nonNTLMv2 configurations are more common, and this option is usually turned off. Certain functions on the KBOX are supported via samba client functions (e.g. Agent Provisioning). Select this check box if you want to force these functions to authenticate to off-board network file shares using NTLMv2. Enabling this option enables the "client ntlmv2 auth" option on samba client functions. Note: NTLMv2 is more secure than NTLM and LANMAN, but nonNTLMv2 configurations are more common, and this option is usually turned off.

Require NTLMv2 on KBOX File Shares

Require NTLMv2 on KBOX Samba Client Usage

6. In the Optional SSL Settings area, specify the following settings, if required: Enable port 80 access When you activate SSL, port 80 continues to be active, unless Enable port 80 access check box is unchecked. By default, the standard KBOX Agent installers attempt to contact the KBOX via port 80, and then switch to SSL over port 443, after getting the server configuration. If you disable port 80, you need to contact KACE Support to adjust the agent deployment scripts to handle SSL. For ease of agent deployment, leave port 80 active. Select this check box if you want to allow the clients check in to the KBOX server using https. Refer “SSL Certificate Wizard,” on page 264. If you have your own SSL certificate and SSL private key, click [Edit Mode] to edit the field values. In the Set SSL Private Key File field, browse to the SSL Private Key file and browse to the signed SSL Certificate, in the Set SSL Certificate File field. Note: Once you switch over to SSL, this is a one-way automatic shift for the clients. The clients need to be reconfigured manually, if you later decide not to use SSL. 7. Click Set Security Options, to save the changes and reboot the KBOX.

SSL Enabled on port 443

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

263

8. In the Download New Patch Definitions area, click [Edit Mode] to edit the fields and specify as follows: Disable download of new patches Download Every day/specific day at HH:MM AM/PM Download on the nth of every month/specific month at HH:MM AM/PM Select to disable download of new patches. Select to download the patches on specified day at the specified time. Select to download the patches on the specified time on the 1st, 2nd or any other date of every month or only the selected month.

9. In the Stop Download Of Patch Definitions area, click [Edit Mode] to edit the field values and specify the following: Allow download of patch definitions to complete Stop patch download process by at HH:MM AM/PM Select to allow download of the patch definitions to complete. Select to stop the download the patches at the specified time.

10. Click Set Patching Options, to save the changes and reboot the KBOX.

SSL Certificate Wizard
A properly signed SSL Certificate is required to enable SSL. Certificates should be supported by a valid Certificate Authority. SSL settings should only be adjusted after you have properly deployed the KBOX 1000 Series on your LAN in non-SSL mode. If you are enabling SSL, you will need to identify the correct SSL Private Key File and SSL Certificate File. The files must be in Privacy Enhance Mail (PEM) format, similar to those used by Apache-based Web servers and not in the PCKS-12 format used by some Web servers. It is possible to convert a PCKS-12 certificate into a PEM format using software like the OpenSSL toolkit. Contact KACE Technical Support if you wish to enable SSL on your KBOX. To enable SSL, you need the correct SSL Private Key file and a signed SSL Certificate. If your private key has a password it will prevent the KBOX from restarting automatically. Contact KACE support if you have this issue. To generate a SSL certificate using the wizard: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click Security Settings. The KBOX Security Settings page appears. 3. Click SSL Certificate Wizard. The KBOX Advanced SSL Settings page appears. 4. Click [Edit Mode] to edit the fields and specify the following: Country Name State or Province Name Locality Name Organization Name Organization Unit Name Enter the name of your country. Enter the name of your State or Province. Enter your locality name. Enter the name of your organization. Enter the name of unit your organization belongs to.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

264

Common Name e-mail

Enter a common name of the KBOX you are creating the SSL certificate for. Enter your e-mail address.

5. Click Set CSR Options. Your Certificate Signing Request is displayed in the field below the Set CSR Options button. You need to copy the text between the lines “-----BEGIN CERTIFICATE REQUEST----and -----END CERTIFICATE REQUEST-----” along with these lines, and then send it to the person who provides your company with web server certificates. 6. Your Private Key is displayed under Private Key field. It will be deployed to the KBOX when you upload a valid certificate and subsequently click Deploy. Do not send the private key to anyone. It is displayed here in case you want to deploy this certificate to another web server. Click Create Self Signed Certificate and for Deploy to be displayed. 7. Click Create Self Signed Certificate. The SSL certificate is generated. This certificate will not be accepted by any of the KBOX clients until it is added into the trusted certificate database on every machine running the KBOX client. 8. Click Deploy to deploy the certificates and turn on SSL on the KBOX. Click OK to reboot the KBOX.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

265

Configuring AMP Settings
Agent Messaging Protocol (AMP) is the KBOX Communications Protocol used by the KBOX Server with its respective KBOX Agents. KACE's AMP includes server, client, and communications components to perform optimized real-time communications for control of systems management operations. AMP provides: Persistent connection between the KBOX Server Server driven inventory updates Higher scalability in terms of number of nodes supported on one KBOX 1000 Server Better scheduling control and reliability These settings are specific to the AMP infrastructure and do not affect other KBOX configuration settings or runtime operations. These settings control both the runtime state of the AMP server and also the operational state of the KBOX Agent.

Changing these settings will temporarily interrupt communications between the KBOX Appliance and the KBOX Agents. Exercise caution when changing these settings and contact KACE Technical Support for any questions regarding these parameters.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

266

To configure AMP Settings: 1. Select KBOX Settings | Control Panel. 2. Click AMP Settings. The KBOX AMP Settings page appears. 3. Specify the AMP General Settings: Server Port Specify the Server Port. The AMP Server on the KBOX SERVER will listen on port 52230 by default. In order for the KBOX Agents to connect to the KBOX SERVER via AMP, you must have the AMP Protocol Port 52230 open and available OUTBOUND. (i.e. the KBOX AGENT must be able to connect through this port number OUTBOUND without restriction from any OUTBOUND filter/firewall.) Example of an OUTBOUND restriction: “Windows XP Firewall blocking outbound port 52230”. Allow outbound Protocol Port 52230. This can be configured in your Filter/Firewall Software or Hardware as an allowed OUTBOUND Exception. In order for the KBOX SERVER to accept connections via AMP it must have the AMP Protocol Port 52230 open and available INBOUND to the KBOX IP ADDRESS. (i.e. the KBOX SERVER must be able to accept connections through this port number INBOUND without restriction from an INBOUND filter/firewall.) Example of an INBOUND restriction: “A NAT Firewall such as Cisco or SonicWall blocking INBOUND port 52230 to the KBOX IP ADDRESS.” Allow inbound Protocol Port 52230 to the KBOX SERVER. This can be allowed through a One-to-One Inbound NAT Policy. Note: If you change the default AMP Port of 52230 you must update the ALLOWED OUTBOUND/INBOUND port on your filter/firewall. Enable Server Debug Enable SSL for AMP Select the check box to enable different levels of "server" debug/logging to the server's log file. Select the check box to enable SSL for AMP. The activation of SSL is for AMP Only. The check box must be selected to activate SSL over AMP even though the General KBOX settings may have SSL enabled already. This allows the separate configuration of AMP traffic to be un-encrypted even though all other KBOX communication is SSL encrypted. Note: Select the check box only if SSL is already enabled on the KBOX and you want the client to server AMP traffic to be encrypted.

4. Click Save and Restart to the save the settings and restart the AMP server. 5. You can click Restart AMP Server to restart the AMP server without saving the settings. Restarting the AMP Server will not restart the KBOX.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

267

Configuring Date & Time Settings of the KBOX Server
It is very important to keep the time of the KBOX accurate as most time calculations are made on the server. When updating the time zone, the KBOX Web Server will be restarted in order for it to reflect the new zone information. Active connections may be dropped during the restart of the web server. After saving changes, this page will automatically refresh after 15 seconds. To configure Date & Time settings: 1. Select KBOX Settings | Control Panel. 2. Click Date & Time Settings. The KBOX Date & Time Settings page appears. 3. Click [Edit Mode] link to edit the field values. 4. Specify the following information: Last Updated Current Time Time Zone Automatically synchronize with an Internet time server Set the clock on the KBOX manually Displays the date and time when the settings were last updated. It is a readonly field. Displays the current date and time. It is a read-only field. Select the appropriate time zone from the drop-down list. Select the check box to automatically synchronize the KBOX time with an internet time server. Enter the time server in the text box. For example, time.kace.com Select the check box to manually set the KBOX clock. Select the appropriate time and date from the drop-down lists.

5. Click Set Options to set the date & time settings.

Troubleshooting Tools
The KBOX Troubleshooting Tools page contains tools to help KBOX administrators and KACE Technical Support to troubleshoot problems with this KBOX. To access the KBOX Troubleshooting Tools page, go to Settings | Support | Troubleshooting Tools. The Troubleshooting Tools page appears. You can use Network Utilities to test various aspects of this KBOX's network connectivity. To use Network Utilities: 1. Select Settings | Support. The KBOX Settings: KACE Support page appears. 2. Click Troubleshooting Tools. The Troubleshooting Tools page appears. 3. Click the [Edit Mode] link. 4. Enter the IP Address in the text box.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

268

5. Select the appropriate network utility from the drop-down list. 6. Click Test. You can download KBOX Troubleshooting Logs. KACE Technical Support may request that you send them KBOX Troubleshooting Logs to help in troubleshooting some issues. Click the click here link to download KBOX Troubleshooting Logs. Select the Enable Tether check box under KACE Support Tether to allow KACE Technical Support to access your KBOX. Enter the key supplied by KACE in the text box. KACE Technical Support will provide you a key when this type of support is required.

Single Sign-On
The Single Sign-On feature (KBOX Linking and Manage Linked KBOX Appliances) enables users to authenticate once and gain access to multiple KBOXs. The Single Sign-On feature allows users to switch between different KBOXs without having to re-login into each appliance individually. The KBOX linking allows multiple KBOX appliance owners to easily switch between their different KBOX management consoles. To configure KBOX appliance linking on your network, enable or select the Enable KBOX Appliance Linking check box on each appliance. Assign a unique name to each KBOX appliance must be given a unique friendly name. For example, “KBOX A”. The other appliances are shown preceded by this unique name in the fast switching drop-down list located in the top left-hand corner of the user interface. This name (KBOX A) is used to identify the appliance when it is listed in the fast switching dropdown list located at the top right corner of each page. After you link the KBOX Appliance, you can manage the linked KBOX Appliances from the KBOX Linked Appliances list page. Only those appliances that have the same login username and password appear in the fast switching drop-down list.

Only the linked appliances must be accessible to each other. If a hostname is specified instead of an IP address while linking two or more appliances, the hostname entry must exist in the hosts file of the appliance. Following combination of appliances can be linked: KBOX 1000 and KBOX 2000 appliances KBOX 1000 and KBOX 1000 appliances

Linking KBOX Appliances Settings
Click the Linking KBOX Appliances Settings link on the KBOX Settings: Control Panel page to enable KBOX linking, set linking timeout parameters, and establish a linking key. To configure a KBOX for linking a KBOX appliance: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click Linking KBOX Appliances Settings. The Linking KBOX Appliances Settings page appears. By default, this page is disabled. 3. Click the [Edit Mode] link. This enables the Linking KBOX Appliances Settings page. 4. Select the Enable KBOX Appliance Linking check box to enable the linking.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

269

Once linking is enabled, return to the Control Panel page and click the Manage Linked KBOX Appliances link to configure remote KBOX appliances. After enabling linking on the KBOX appliance, the organizations of the linked KBOX 1200 appliance are listed in the fast switching drop-down list. Only those organizations of the KBOX 1200 appliance, that have the same login username and password appear in the fast switching drop-down list. For linking between KBOX 1100 and KBOX 2000 or two KBOX 1100 appliances, only the friendly name of the linked KBOX is displayed in the fast switching drop-down list. 5. Specify the following: KBOX Friendly Name (this server) This value is used by all other KBOXs as a system reference in the user interface.

Remote Login Expiration This value corresponds to the amount of time after the initial login to this server. You can use the fast switching drop-down to switch to a linked KBOX Appliance without providing login credentials. After this time lapse, provide the login credentials when switching to a linked KBOX Appliance. Request Timeout Key Fingerprint This value corresponds to the amount of time this server waits for a remote KBOX Appliance to respond to a linking request. Key Fingerprint is a symbolic part of the linking key from the functionality point of view, and is not used when linking any appliances. This key is generated after you click Set Options. Linking Key is used for linking two KBOX appliances. This key is generated after you click Set Options. Copy the Linking Key details into the other KBOX appliance for linking them together.

Linking Key

6. Repeat the above steps to create linking for the other KBOX appliance. To disable KBOX linking: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click Linking KBOX Appliances Settings. The Linking KBOX Appliances Settings page appears. By default, this page is disabled. 3. Click the [Edit Mode] link. This enables the Linking KBOX Appliances Settings page. 4. Clear the Enable KBOX Appliance Linking check box to disable linking. 5. Click Set Options.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

270

Manage Linked KBOX Appliances
Click the Manage Linked KBOX Appliances link on the KBOX Settings: Control Panel page for linking other KBOX Appliances to the KBOX you configured earlier. If KBOX linking is not enabled, you are redirected to the Linking KBOX Appliances Settings page when you click the Manage Linked KBOX Appliances link.

For linking two KBOX appliances, the Linking Key of one KBOX appliance (for example, KBOX A) must be copied into the other KBOX appliance (for example, KBOX B). Similarly, the Linking Key of the “KBOX B” appliance must be copied into the “KBOX A” appliance. To manage KBOX Linked Appliances: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click Manage Linked KBOX Appliances. The KBOX Linked Appliances page appears. 3. Select Add New Item from the Choose action drop-down list. The KBOX Linking Appliance: Edit Detail page is displayed. 4. Specify the following: Remote KBOX Host Name The name of the KBOX on which linking is enabled. For example, KBOX A. Connect using SSL Linking Key Status Messages 5. Click Save. 6. Repeat the above steps to add another KBOX appliance (for example, KBOX B). 7. Login to the previously configured KBOX appliance (for example, KBOX A) and copy the linking key. Paste it in the Linking Key field of KBOX B. 8. Similarly, copy the linking key from the KBOX B appliance and paste it in the Linking Key field of KBOX A. 9. Click Save. 10. Click Test Connection to verify the linking between the two linked KBOX appliances. 11. Re-login into the KBOX to see the newly updated linked KBOX Appliances with the friendly name prefixed in the fast switching drop-down list. Select this check box if the remote KBOX Appliance is configured for SSL. The linking key of the KBOX appliance on which linking is enabled. The linking details can only be edited here. If the settings are configured correctly, the Connection successful message is displayed after you click Save and Test Connection.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

271

The KBOX Linked Appliances page contains the fields described in the table below: Field Host Name Status Indicates the host name. Indicates whether the host was unavailable or the connection was successful. Description

Key Fingerprint Displays the key fingerprint associated with the KBOX linked appliance. Table 14-1: Provisioned Configurations Page Fields

You can now navigate from one KBOX appliance to another and then back to the previous KBOX appliance from the fast switching drop-down list using the Single SignOn feature. The login credentials should be same for the two KBOX appliances to be able to get linked. To delete a KBOX linked appliance: 1. Select KBOX Settings | Control Panel. The KBOX Settings: Control Panel page appears. 2. Click Manage Linked KBOX Appliances. The KBOX Linked Appliances page appears. 3. Select the check box beside the KBOX Link Appliance(s) you want to delete. 4. Select Delete Selected Item(s) from the Choose action drop-down list. 5. Click OK to confirm deletion. After a linked appliance is deleted, you can still switch between the appliances until you log off and login again from the KBOX Server. The linked appliance will not appear in the fast switching drop-down list, and you cannot switch between the appliances after you perform a logoff and login action.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

272

The KBOX Summary
The KBOX Summary page provides information about the configuration and operation of your KBOX appliance. When you log on to the KBOX System Console, by default the System Home module displaying the System Summary tab appears. To View KBOX Summary: 1. Select Home | Summary. The KBOX System Summary page appears. 2. The sections that follow provide a description of the summary information that is displayed. 3. Click Refresh to refresh the information displayed.

Client Check-In Rate
Displays the total number of clients that have checked in to the server in an hour.

The counter automatically adjusts if the number increases beyond one hundred.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

273

Web Server Load
Displays the number of apache sockets connected to the server.

The counter automatically adjusts if the number of sockets connected increases beyond one hundred.

Tasks in Progress
Displays the total number of tasks in progress on server.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

274

To view KBOX Summary details: 1. Select Home | Summary. The KBOX Summary page appears. 2. Scroll down, and then click View Details. The KBOX System Summary Details page appears. 3. The sections that follow provide a description of the summary details provided. The summary displayed is for all the organizations of KBOX Server. Clicking on the links displayed, opens a corresponding report for respective type. As this page is refreshed, the record count information is refreshed. A new KBOX installations will mostly contain zero or no record counts.

KBOX Version
Provides information of the KBOX version that you are currently running. For example, the KBOX server build at your end is 4.3.16712. KACE comes up with a new patch for the server build 4.3.16712. The patch name is 4.3.16800 and it is pushed to the corporate server. If you click on the Check for upgrade button in the KBOX Settings| Server Maintenance page, the latest build is available in the Upgrade KBOX field on the KBOX Settings: Server Maintenance page. Click Upgrade now to upgrade your KBOX Server to the build 4.3.16800 build. The An upgrade to 4.3.16800 is now available link also appears in the Home | Summary page.

Computer Statistics
Provides a summary of the computers on your network, including a breakdown of the operating systems in use. In addition, if the number of computers on your network exceeds the number allowed by your KBOX license key, you are notified of it here.

Software Statistics
Provides a summary of the software in the KBOX Inventory. The summary the number of software titles that have been uploaded to the KBOX.

Software Distribution Summary
Provides a summary of the packages that have been distributed to the computers on your network, separated out by distribution method. The summary also indicates the number of packages that are enabled and disabled.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

275

Alert Summary
Provides a summary of the alerts that have been distributed to the computers on your network, separated by message type. This also indicates the number of alerts that are active and expired. The IT Advisory refers to the number of Knowledge Base Articles in Help Desk.

Patch Bulletin Information
Provides a summary of the patches received from Microsoft. The summary includes the date and time of the last patch (successful and attempted), total patches, and total packages downloaded.

OVAL Information
Provides a summary of the OVAL definitions received and the number of vulnerabilities detected on your network. The summary includes the date and time of the last OVAL download (successful and attempted) and the number of OVAL tests in the KBOX, in addition to the numbers of computers that have been scanned.

Network Scan Summary
Provides a summary of the results of Network Scans run on the network. The summary includes the number of IP addresses scanned, the number of services discovered, the number of devices discovered, as well as the number of detected devices that are SNMP-enabled.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

276

C H A P T E R 15 Organizations - System Admin
The KBOX 1000 Series System Management Appliances organization feature provides you to create different organizations within your KBOX. Roles can be assigned to these organizations to limit access to specific tabs.
“Overview of Organizations,” on page 278 “Creating and Editing Organizations,” on page 278 “Organizational Roles,” on page 284 “Creating and Editing Organizational Roles,” on page 284 “Organizational Filters,” on page 287 “Creating and Editing Organizational Filters,” on page 287 “KBOX Computers,” on page 290

277

Overview of Organizations
The KBOX 1000 Series System Management Appliances organization feature enables you to group machines to allow for a high level of separation between logical areas of responsibility within a company. These groups are referred to as an Organization. This feature is accessible to the system administrator through the System Administrative Console. The system administrator creates these organizations and assigns them roles to limit access to specific tabs. The administrators of each organization cannot view or perform activities on machines that belong to other organizations other than their own.

Default Organization
The default organization will have everything coming into the KBOX. The default organization will allow the administrator to view or perform activities on machines in all organizations. If a machine is not set in a filter then the machine will go to the default organization.

Creating and Editing Organizations
You can create new organizations or edit the existing organizations from the KBOX Organizations page by going to Organizations | Organizations tab. It is recommended that you first create the roles and then create the organizations, since it is mandatory to specify the role while creating an organization. To create an organization: 1. Select Organizations | Organizations. The KBOX Organizations page appears. 2. Select Add New Item from the Choose action drop-down list. The KBOX Organization: Edit Detail page appears. 3. Enter Organization information as follows: Record Created Record Last Modified Name Description Role Displays the date and time that the Organization was first created. This field is read-only. Displays the date and time that the Organization was last modified. This field is read-only. Enter the name for the new organization. This field is mandatory. Enter the description for the new organization. Select the appropriate role from the drop-down list. Note: You should first create the role by going to Organizations | Roles tab, before you can select that specific role from this list.

4. Click Save. After clicking Save you will be taken to the next page. 5. Scroll down and click the [Edit Mode] link. 6. Enter the following information: Record Created Record Last Modified Displays the date and time that the Organization was first created. This field is read-only. Displays the date and time that the Organization was last modified. This field is read-only.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

278

Name

Enter a name for the organization. This field is mandatory. This field retains the information you specified in the previous page. You can modify the name if required. Enter the description for the organization. This field retains the information you specified in the previous page. You can modify the description if required. Select the appropriate role from the drop-down list. This field retains the role you selected in the previous page. You can modify this selection if required. Note: You must first create the role by going to Organizations | Roles tab, before you can select that specific role from this list. Select the filter that will be used to direct a new machine checking into the KBOX, to the this organization. Press CTRL and click to select more than one filter. Note: You must first create the filter by going to Organizations | Filters tab, before you can select that specific filter from this list. Displays the number of computers checking in to the organization. This field is read-only. Displays the name of the database the organization is using. This field is read-only. Displays the report user name used to generate all reports in the specific organization. By having a report user name you can provide access to the organizational database (for additional reporting tools), but not give write access to anyone. Enter the report user password.

Description

Role

Organization Filters

Computer Count Database Name Report User

Report User Password

7. Specify the agent settings for the organization: Field Communications Window Suggested Setting 12:00 AM to 12:00 AM Notes The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1:00 AM and 6:00 AM only, select 1:00 AM from the first dropdown list, and 6:00 AM from the second drop-down list. The interval that the KBOX Agent will check into the KBOX 1000 Series. Each time a KBOX Agent connects, it will reset its connect interval based on this setting. The default setting is once every hour. The interval (in hours) that the KBOX Agent will inventory the computers on your network. If set to zero, the KBOX 1000 Series will inventory clients at every Run Interval.

Agent “Run interval”

1 hours

Agent “Inventory Interval”

0

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

279

Agent “Splash Page Text”

KBOX is verifying your PC Configuration and managing software updates. Please Wait... 15 minutes

The message that appears to users when communicating with the KBOX 1000 Series.

Scripting Update Interval Scripting Ping Interval

Set the frequency with which the KBOX Agent should download new script definitions. The default interval is 15 minutes. Set the frequency with which the KBOX Agent should test the connection to the KBOX 1000 Series appliance. The default interval is 600 seconds. To view historical connection information, go to KBOX Settings | Logs. Click Stats.

600 seconds

Agent Log Retention

Agent Log Retention disallows the server to store the scripting result information that comes up from the agents. The default is to store all the results. This can have a performance impact on the KBOX. Turning this off, gives you less information about what each client is doing, but will allow the agent check-ins to process faster.

8. Click Save. To troubleshoot clients which fail to show up in the inventory: Sometimes it may happen that your machine does not show up in the KBOX Inventory after installing the KBOX Agent. By default the KBOX Agent communicates with the KBOX using http: over port 80. Assuming network connectivity is in place, newly-installed the KBOX Agents to fail to connect to the KBOX during the first-time setup due to the problems with the default "KBOX" host name in DNS. 1. If you set up the KBOX in your DNS using a host name other than the default "kbox", or need agents to reach KBOX by using the IP address instead of the DNS name, you must install the KBOX Agent specifying the SERVER property. For example, Windows: c:\>KInstallerSetup.exe -server=mykbox -display_mode=silent or c:\>KInstallerSetup.exe -server=192.168.2.100 -display_mode=silent Macintosh®: /Library/KBOXAgent/Home/bin/setkbox mykbox or /Library/KBOXAgent/Home/bin/setkbox 192.168.2.100 Linux: /KACE/bin/setkbox mykbox or /KACE/bin/setkbox 192.168.2.100

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

280

Solaris: /KACE/bin/setkbox mykbox or /KACE/bin/setkbox 192.168.2.100 2. To correct the server name for an already-installed client, edit the "ServerHost" value in: Windows: c:\program files\kace\kbox\config.xml Macintosh®: /var/kace/kagentd/kbot_config.yaml Linux: /var/KACE/kagentd/kbot_config.yaml Solaris: /var/KACE/kagentd/kbot_config.yaml 3. Verify that you are able to ping the KBOX and reach it via a web browser at http://kbox. 4. Verify that Internet Options are not set to use proxy, or proxy is excluded for the local network or the KBOX. 5. Verify that no firewall or anti-spyware software is blocking communication between the KBOX and any of the agent components, including: KBOXManagementService.exe KBOXClient.exe KUpdater.exe kagentd (OS X/ Unix) 6. Verify that the KBOXManagementService.exe (Windows) or the kagentd (OS X/ Unix) processes are running. The agent will show up as 'perl' in the OS X Activity Monitor. If after verifying these items, you are still unable to get the agent to connect to the KBOX, contact KACE Support for further assistance. To edit an organization: 1. Select Organizations | Organizations. The KBOX Organizations page appears. 2. Click the linked name of the organization. The KBOX Organization : Edit Detail page appears. 3. Scroll down and click the [Edit Mode] link. 4. Edit the organization details: Record Created Record Last Modified Name Displays the date and time that the Organization was first created. This is a read-only field. Displays the date and time that the Organization was last modified. This is a read-only field. Enter a name for the organization. This field is mandatory. This field retains the information you specified in the previous page. You can modify the name if required.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

281

Description

Enter the description for the organization. This field retains the information you specified in the previous page. You can modify the description if required. Select the appropriate role from the drop-down list. This field retains the role you selected in the previous page. You can modify this selection if required. Note: You must first create the role by going to Organizations | Roles tab, before you can select that specific role from this list. Select the filter that will be used to direct a new machine checking into the KBOX, to this organization. Press CTRL and click to select more than one filter. Note: You must first create the filter by going to Organizations | Filters tab, before you can select that specific filter from this list. Displays the number of computers checking in to the organization. This field is read-only. DIsplays the name of the database the organization is using. This field is read-only. Displays the report user name used to generate all reports in the specific organization. By having a report user name you can provide access to the organizational database (for additional reporting tools), but not give write access to anyone. Enter the report user password.

Role

Organization Filters

Computer Count Database Name Report User

Report User Password

5. Specify the agent settings for the organization: Field Communications Window Suggested Setting 12:00 AM to 12:00 AM Notes The interval during which the KBOX Agent is allowed to communicate with the KBOX 1000 Series appliance. For example, to allow the KBOX Agent to connect between 1:00 AM and 6:00 AM only, select 1:00 AM from the first dropdown list, and 6:00 AM from the second drop-down list. The interval that the KBOX Agent will check into the KBOX 1000 Series. Each time a KBOX Agent connects, it will reset its connect interval based on this setting. The default setting is once every hour. The interval (in hours) that the KBOX 1000 Series appliance will inventory the client computers on your network. If set to zero, the KBOX 1000 Series will inventory clients at every Run Interval. The message that appears to users when communicating with the KBOX 1000 Series.

Agent “Run Interval”

1 hours

Agent “Inventory Interval”

0

Agent “Splash Page Text”

KBOX is verifying your PC Configuration and managing software updates. Please Wait...

Table 15-1: Agent Settings

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

282

Field Scripting Update Interval Scripting Ping Interval

Suggested Setting 15 minutes

Notes Set the frequency with which the KBOX Agent should download new script definitions. The default interval is 15 minutes. Set the frequency with which the KBOX Agent should test the connection to the KBOX 1000 Series appliance. The default interval is 600 seconds. To view historical connection information, go to KBOX Settings | Logs. Click Stats.

600 seconds

Agent Log Retention

Agent Log Retention disallows the server to store the scripting result information that comes up from the agents. The default is to store all the results. This can have a performance impact on the KBOX. Turning this off, gives you less information about what each client is doing, but will allow the agent check-ins to process faster.

Table 15-1: Agent Settings 6. Click Save. The default credentials admin/admin are automatically created when you create an organization.

To delete an organization: 1. Select Organizations | Organizations. The KBOX Organizations page appears. 2. Click the linked name of the organization. KBOX Organization: Edit Detail page appears. 3. Scroll down and click the [Edit Mode] link. 4. Click Delete to delete the organization. A confirmation message appears. 5. Click OK to confirm deleting the organization. Else, click Cancel to cancel the deletion.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

283

Organizational Roles
Roles are assigned to each organization to limit access to different tabs in the Administrator Console and the User Portal. You can restrict what tabs an organization is allowed to see when the administrator logs in to the Administrator Console and the user logs in to the User Portal. Following are the permissions that can be applied for each tab. Write: The organization will have write access for the tab. The administrator or user will be able to edit the fields present on the screen. Read: The organization will have only read access for the tab. The administrator or user will be not be able to edit the fields present on the screen. He/she will be not be able to add / edit / delete any item present in the list. Hide: The tab will be hidden and the administrator or user will not be able to view that tab.

Default Role
Default role will have access to all tabs in the Administrator Console and the User Portal. The default role will have write access for all tabs. The administrator or user will be able to edit the fields present on the screen.

Creating and Editing Organizational Roles
You can create new roles or edit the existing roles from the Organizational Roles page by going to Organizations | Roles tab. It is recommended that you first create the roles and then create the organizations, since it is mandatory to specify the role while creating an organization. To create a role: 1. Select Organizations | Roles. The Organizational Roles page appears. 2. Select Add New Item from the Choose action drop-down list. The Organizational Role : Edit Detail page appears. 3. Enter the Role information as follows: Record Created Record Last Modified Name Description Displays the date and time that the Organization was first created. This field is read-only. Displays the date and time that the Organization was last modified. This field is read-only. Enter the name for the new organization. This field is mandatory. Enter the description for the new organization.

4. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All] link to expand all the tabs. 5. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

284

6. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 7. Under Permissions USER Console, click the UserUI link to expand it. 8. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 9. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 10. Click Save. If you assign HIDE permission to General Settings and User Authentication under Settings, then the Control Panel tab is hidden. For users upgrading from 1100 to 1200: When using 1100, if you assign HIDE permission to all tabs other than Logs and Server Maintenance under Settings. Then after upgrading to 1200 the settings tab gets hidden from the Administrator console.

From KBOX 1000 Release 4.3 onwards, you can set and edit the permissions for Virtual Kontainers tab from the Organization Role: Edit detail page. You must have the appropriate KBOX license to access the Virtual Kontainer tab on this page. To edit a role: 1. Select Organizations | Roles. The Organizational Roles page appears. 2. Click the linked name of the role. The Organizational Role: Edit Detail page appears. 3. Edit the role details: Record Created Record Last Modified Name Description Displays the date and time that the Organization was first created. This field is read-only. Displays the date and time that the Organization was last modified. This field is read-only. Enter the name for the new organization. This field is mandatory. Enter the description for the new organization.

4. Under Permissions ADMIN Console, click the individual tab link to expand it. Or click the [Expand All] link to expand all the tabs. 5. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 6. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 7. Under Permissions USER Console, click the UserUI link to expand it. 8. Under each tab, click the All Write option, All Read option or the All Hide option to assign the respective permission to all the sub tabs. Or click the Custom option to assigned appropriate permission to individual sub tabs. 9. If you click Custom option, select the appropriate permission from the drop-down list next to each tab. 10. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

285

To delete a role: 1. To delete a role, do one of the following: From the Organizational Roles page, select the check box beside the role, then select Delete Selected Item(s) from the Choose action drop-down list. From the Organizational Role: Edit detail page, click Delete. 2. Click OK to confirm deleting the role. Else, click Cancel to cancel the deletion operation. To duplicate a role: 1. Select Organizations | Roles. The Organizational Roles page appears. 2. Click the role you want to duplicate. The Organizational Role : Edit Detail page appears. 3. Click Duplicate to duplicate the organization details. The page refreshes. 4. Enter the Role information as follows: Name Description 5. Click Save. The Associated Organizations table displays the list of organizations associated with this role. Enter a name for the role. This is a mandatory field. Enter the description for the role.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

286

Organizational Filters
Filters are used to direct a new machine checking into the KBOX, to the appropriate organization. Each organization can be assigned more than one filter. The filters will execute according to the ordinal specified when the filters are created. If a machine is not set in a filter, it will go to the default organization. A machine can be directed to the appropriate organizations, in following ways: One or more Filters will be executed against the machine that is checking in. If one of the filters is successful, the machine will be redirected to the correct organization. If there is no filter that matches to the machine, it will be put into the default organization. The system administrator can then manually move that machine from the default organization to the appropriate organization. Filters are of two types: Data Filter: Data Filter allows the automatic organization of machines based on a search criteria. Whenever machines that check in meet the criteria, they will be directed to the specific organization. LDAP Filter: LDAP Filter allow the automatic organization of machines based on LDAP or Active Directory interaction. The filter will be applied to the external server and if any entries are returned they are automatic organized. If the external server requires credentials for administrative login (aka non-anonymous login), supply those credentials. If no LDAP user name is given, then an anonymous bind will be attempted. Each LDAP filter may connect to a different LDAP/AD server

Creating and Editing Organizational Filters
You can create new filters or edit the existing filters from the Organizational Filters page by going to Organizations | Filters tab. To add a data filter: 1. Select Organizations | Filters. The KBOX Organization Filters page appears. 2. Select Add New Data Filter from the Choose action drop-down list. The KBOX Organization Filter : Edit Detail page appears. 3. Enter the Filter information as follows: Enabled Name Description Evaluation Order Select the check box to enable the data filter. You have to enable the filter in order to use it. Enter a name for the filter. Enter the description for the filter. Enter a number. The filter will be executed according to the evaluation order specified.

4. Enter the Machine Filter Criteria. 5. Select an attribute from the drop-down list. For example, IP Address.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

287

6. Select the condition from the drop-down list. For example, contains 7. Enter the Attribute Value. For example, XXX.XX.* In the above example, machines from the specified IP range will be filtered and directed to the organization to which this filter is applied. Note: You can add more than one criteria. 8. Select the Conjunction Operator from the drop - down list to add more criteria. For example, AND. 9. Click the Add Criteria link to add one more criteria. 10. Click Save. To add a LDAP filter: 1. Select Organizations | Filters. The KBOX Organization Filters page appears. 2. Select Add New LDAP Filter from the Choose action drop-down list. The KBOX Organization LDAP Filter : Edit Detail page appears. 3. Enter the Filter information as follows: Enabled Name Description Evaluation Order Select the check box to enable this filter. You have to enable the filter in order to use it. Enter a name for the filter. Enter the description for the filter. Enter a number. The filter will be executed according to the evaluation order specified.

4. Enter the LDAP Machine Filter Criteria. Server Host Name (or IP ) Specify IP or Host Name of the LDAP Server. Note: For connecting through SSL, use the IP or the Host Name, as ldaps://HOSTNAME Specify the LDAP Port number which could be either 389 / 636 (LDAPS). Enter the Search Base DN. For example: CN=Users,DC=hq,DC=corp,DC=kace,DC=com Search Filter Specify the Search Filter. For example: (samaccountname=admin) LDAP Login Specify the LDAP login. For example: LDAP Login: CN=Administrator,CN=Users,DC=hq,DC=corp,DC=kace,DC=com LDAP Password (if required) Enter the password for the LDAP login.

LDAP Port Number Search Base DN

5. To test your Filter, click Test LDAP Filter.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

288

6. Click Save. To edit a filter: 1. Select Organizations | Filters. The KBOX Organization Filters page appears. 2. Click the linked name of the filter. The KBOX Organization Filter : Edit Detail page appears. 3. Edit the filter details: Enabled Name Description Evaluation Order Select the check box to enable this filter. You have to enable the filter in order to use it. Enter a name for the filter. Enter the description for the filter. Enter a number. The filter will be executed according to the evaluation order specified.

4. Edit the Machine Filter Criteria. 5. Select an attribute from the drop-down list. For example, IP Address. 6. Select the condition from the drop-down list. For example, contains 7. Specify the Attribute Value. For example, XXX.XX.* In the above example, machines from the specified IP range will be filtered and directed to the organization to which this filter is applied. Note: You can add more than one criteria. 8. Select the Conjunction Operator from the drop - down list to add more criteria. For example, AND. 9. Click the Add Criteria link to add one more criteria. 10. To test your Filter, click Test Filter. 11. Click Save. To delete a filter: 1. To delete a filter, do one of the following: From the KBOX Organization Filters page, select the check box beside the filter, then select Delete Selected Item(s) from the Choose action drop-down list. From the KBOX Organization Filter : Edit Detail page, click Delete. 2. Click OK to confirm deleting the filter. Else, click Cancel to cancel the deletion operation.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

289

KBOX Computers
The KBOX Computers page lists all the machines that are checking into the KBOX. It displays details for each computer such as Name, Organization - the computer is currently checking into, Last Sync - when the computer last checked in to the KBOX, Description and the IP Address.

Advanced Search
Although you can search computer inventory using keywords like Windows XP, or Acrobat, those types of searches might not give you the level of specificity you need. Advanced search, on the other hand, allows you to specify values for each field present in the inventory record and search the entire inventory listing for that value. For example, if you needed to know which computers had a particular version of BIOS installed in order to upgrade only those affected machines. To specify advanced search criteria: 1. Click the Advanced Search tab. 2. Select an attribute from the drop-down list. For example, IP Address. 3. Select the condition from the drop-down list. For example, contains. 4. Specify the Attribute Value. For example, XXX.XX.* In the above example, machines from the specified IP range will be searched. Note: You can add more than one criteria. 5. Select the Conjunction Operator from the drop - down list to add more criteria. For example, AND. 6. Click Search. The search results will be displayed below. You can refilter the computers displayed in the list, for more information refer to “Refiltering Computer(s),” on page 291. You can redirect the computers displayed in the list, for more information refer to “Redirecting Computer(s),” on page 291.

Test Organization Filter
You can test an existing organization filter to check whether it is getting applied to the computers. To test an organization filter: 1. Click the Test Organization Filter tab. 2. Select the appropriate filter from the drop-down list. 3. Click Test. The test results will be displayed below. You can refilter the computers displayed in the list, for more information refer to “Refiltering Computer(s),” on page 291. You can redirect the computers displayed in the list, for more information refer to “Redirecting Computer(s),” on page 291. Note: If you do not see any computers listed in the test results, then either there are no existing computers that match the machine filter criteria you have set up or the machine filter criteria is invalid.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

290

You can edit the machine filter criteria. For more information on how to edit a filter, refer to “Creating and Editing Organizational Filters,” on page 287.

Refiltering Computer(s)
You can refilter the computers, which will recheck the computers against all filters. For example, you can check if the filter created by you is being applied correctly to the intended computers. You first create the new filter by going to the Organizations | Filters tab. Now in the KBOX Computers page, you refilter the computers. The organizations column will display the new organization name in red besides the old organization name, against those computers on which the filter has got applied. To refilter computer(s): 1. Select Organizations | Computers. The KBOX Computers page appears. 2. Select the check box beside the computer(s) that you want to refilter. 3. Select Refilter Selected Computer(s) from the Choose action drop-down list, to recheck the computers against all filters.

Redirecting Computer(s)
You can redirect a computer to a different organization. For example, a computer is checking into organization A, you can redirect that computer to organization B. So next time when the computer checks in, it will check into organization B. To redirect computer(s): 1. Select Organizations | Computers. The KBOX Computers page appears. 2. Select the check box beside the computer(s) that you want to redirect. 3. Select the appropriate organization name under Change Sync to Organization, from the Choose action drop-down list, to redirect the computer(s) to the appropriate organization.

Understanding Computer Details
To view computer details: 1. Select Organizations | Computers. The KBOX Computers page appears. 2. Click the name of the computer whose details you want to view. The Computers : Detail Item page appears. 3. To expand the sections, click Expand All. Click on a heading to expand or collapse it. The Computer Detail page provides details about a computer’s hardware, software, install, patch, help desk, and OVAL vulnerability history, among other attributes. The computer details displayed here are same as those displayed from Inventory | Computers. The main difference is that this Computers : Detail Item page does not display Security details for any machine. For understanding rest of the computers details, refer Chapter 3,“Computers Inventory,” starting on page 58.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

291

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

292

C H A P T E R 16 Server Maintenance - System Admin
This chapter describes the most commonly used features and functions that the System Administrator will use in administering and maintaining your KBOX.
“The KBOX Maintenance Overview,” on page 294 “Backing up the KBOX Data,” on page 295 “Restoring the KBOX Settings,” on page 296 “Updating the KBOX Software,” on page 297 “Updating Patch Definitions,” on page 299 “Updating OVAL Definitions,” on page 300 “Troubleshooting the KBOX,” on page 301

293

The KBOX Maintenance Overview
The KBOX Settings | Server Maintenance page allows you to perform a variety of functions to maintain and update the KBOX 1000 Series appliance like: Access the most recent KBOX server backups Upgrade your KBOX 1000 Series server to newer server versions Retrieve updated OVAL definitions Restore to backed-up versions and also create a new backup of the KBOX 1000 Series at any time The KBOX Settings | Server Maintenance tab also enables you to reboot and shutdown the KBOX, as well as update the KBOX license key information. From the Server Maintenance tab you can: Upgrade the KBOX appliance Update OVAL vulnerability definitions Create a backup the KBOX appliance Enter or update the KBOX License Key Restore to most recent backup Restore to factory default settings Restore from uploaded backup files Reboot the KBOX Shutdown the KBOX The following sections describe some of the most commonly used features of the KBOX Settings | Server Maintenance tab.

Upgrading the KBOX
Whenever KACE comes up with a new patch for the server build, it makes it available on the corporate server. The KBOX will check kace.com nightly for recommended upgrades, which you can apply from the server maintenance page. To upgrade your KBOX : 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click Check for Upgrade. If the upgrade is available, the label Available Upgrade along with the build number is displayed. Click the [Release Notes] link to view the release notes of the available build. If the upgrade is not available, the label ‘Your KBOX is up to date’, is displayed. 4. Click Upgrade Now to upgrade to the available build. When the KBOX has finished upgrading the latest updates, your KBOX will reboot with the latest features.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

294

Backing up the KBOX Data
By default, the KBOX 1000 Series automatically takes backup at 2:00 AM and creates two files on the backup drive: kbox_dbdata.gz, containing the database backup, and kbox_file.tgz, containing any files and packages you have uploaded to the KBOX 1000 Series appliance.

Backing up the KBOX Manually
In some cases, you might want to invoke a KBOX backup before the nightly backup occurs. In such cases, you can create a KBOX backup manually. To create a KBOX backup manually: 1. Select KBOX Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. Beside Run nightly KBOX Backup script, click Run Backup. After creating the backup, the KBOX Settings | Logs tab will appear.

Downloading Backup Files to another location
The backup files are used to restore your KBOX 1000 Series configuration in the event of a data loss or during an upgrade or migration to a new hardware. The KBOX 1000 Series contains only the most recent backup files. For a greater level of recoverability (for instance if you want to keep rolling backups), you can offload the backup files to another location so that they can be restored later if necessary. You can access the backup files for downloading from the System Admin UI as well as through ftp. To download backup files to another location: 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Click the backup links on the sidebar. Contains the database backup

Contains the files and packages you have uploaded to the KBOX Figure 16-1: Links to backup files 3. Click Save in the alert that appears, then specify a location for the files. 4. Browse to the location where you want to store the files, then click Save. To access the backup files through ftp: 1. Open a command prompt.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

295

2. At the C:\ prompt, type: ftp kbox 3. Enter the following login credentials: Username: kbftp Password: getbxf 4. Type the following ftp commands:

Figure 16-2: FTP command for accessing backup files

Restoring the KBOX Settings
The backup files are used to restore your KBOX configuration in the event of data loss or during an upgrade or migration to new hardware. Restoring any type of backup file will destroy the data currently configured in the KBOX Server. KACE recommends off loading any backup files or data that you want to keep before performing a restore.

Restoring from most recent backup
The KBOX 1000 Series has a built-in ability to restore files from the most recent backup directly from the backup drive. You can access the backup files from the KBOX Administrator UI or through ftp. To restore from the most recent backup: 1. Click KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click the Restore from Backup button.

Uploading Files to Restore Settings
If you have off-loaded your backup files to another location, you can upload those files manually, rather than restoring from the backup files stored on the KBOX. To upload backup files: 1. Click KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. In the Database Backup Files field, click Browse and locate the backup file. 4. In the KBOX Backup Files field, click Browse and locate the backup file.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

296

5. Click Restore from Upload Files.

Restoring to Factory Settings
The KBOX 1000 Series has a built-in ability to restore the KBOX back to its factory settings. To view the factory settings refer to “Setting Up the KBOX Server,” on page 4. To restore to factory settings: 1. Click KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click the Restore Factory Settings button.

Updating the KBOX Software
Part of maintaining your KBOX appliance involves updating the software that runs on the KBOX server. This process also involves verifying that you are using the minimum required version of the KBOX, as well as updating the license key in the KBOX to reflect the current product functionality.

Verifying Minimum Server Version
Before applying this update, verify your KBOX server version meets the minimum version requirement. To verify minimum server version: 1. Open your browser and go to the URL for the KBOX appliance (http://kbox/admin). 2. Click the About KBOX link located at the bottom of the page.

Server Version

Figure 16-3: About KBOX

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

297

Updating the license key
After installing an upgrade to the KBOX server, you may need to enter a new KACE license key to fully activate the KBOX. You should have the new license key to upgrade your KBOX 1000 Series appliance. Updating your KBOX license key: 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Under License Information, enter your new license key 4. Click Save License.

Applying the server update
If you are using a previous version of the KBOX, you must apply the earlier updates separately before continuing. Refer to the release notes for your version of the KBOX to determine the minimum updates. To apply the server update: 1. Download the kbox_upgrade_server_XXXX.bin file and save it locally. 2. Open your browser to http://kbox/admin. 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Under Update KBOX, click Browse, and locate the update file you just downloaded. 4. Click Update KBOX. When the file has completed uploading, your KBOX will reboot with the latest features.

Verifying the update
After applying the upgrade, verify successful completion by reviewing the update log. To verify the upgrade: 1. Select KBOX Settings | Logs. 2. Select Updates from the Current log drop-down list. 3. Review the Update log for any error messages or warnings. 4. Click About KBOX in the upper right corner to verify the current version.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

298

Patch Definitions
Although the definitions for Microsoft patches are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page.

Updating Patch Definitions
You update patch definitions as follows: To update the patch definitions: 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click Update Patching to update your patch definitions.

Deleting Patch files
You can delete downloaded patches as follows: To delete patch files: 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click Delete Patch All files to delete all the patch files downloaded. 4. Click Delete Unused Patch files to delete unused downloaded patch files.

Enhanced Content
You can enable or disable Enhanced Content as follows: To enable enhanced content: 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click Enable Enhanced Content to switch to the EC (Enhanced Content) Mode. To disable enhanced content: 1. Select KBOX Settings | Server Maintenance. The KBOX Server Maintenance page appears. 2. Scroll down and click the [Edit Mode] link. 3. Click Disable Enhanced Content to switch to the Non-EC (Enhanced Content) Mode. After changing the EC mode, you should update patches. Click Update Patching besides Update Patch Definitions from KACE field to do so. The Patch Subscription Settings page displays the language support only when EC is enabled.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

299

The following table depicts the difference between EC Mode and Non-EC Mode: Criteria KBOX Agent Versions Supported Effect on Replication Share EC Mode Only the 4.3+ agents. You upgrade all the existing KBOX Agents to 4.3 version before switching to this mode. Disables any ongoing update to any older 4.x Replication Shares. Replication updated only for 4.3+ agents. Supports: Microsoft Windows Server 2008 Not Supported: Microsoft Windows Server 2003 SP3 Microsoft Windows XP SP1 English, French, German, Italian, and Spanish. Non-EC Mode All 4.x agents with traditional patching content supported. All 4.x agents access patching data from any configured Replication Shares that have the Maintain 4.2 Replication Share enabled. Not Supported: Microsoft Windows Server 2008

Operating System Specifics

Language Support

English only.

Table 16-4: Differences between EC Mode and Non-EC Mode

Rebooting and shutting down the KBOX appliance
You may need to reboot the KBOX appliance from time to time when troubleshooting or upgrading the KBOX settings. When rebooting the KBOX, you should always do so by clicking the Reboot KBOX button located on the KBOX Settings | Server Maintenance tab. Before you perform any hardware maintenance, shutdown the KBOX and then unplug the appliance. You can shutdown the KBOX appliance either by pressing the power button ONCE, quickly, or by clicking the Shutdown KBOX button on the KBOX Settings | Server Maintenance tab. You can use the Reboot and Shutdown buttons after you click the "Edit Mode" link at the bottom of the page.

Updating OVAL Definitions
Although the definitions for OVAL vulnerabilities are updated automatically on a scheduled basis, you can retrieve the latest files manually from the Server Maintenance page. To update the OVAL & Patch definitions: 1. Select KBOX Settings | Server Maintenance. 2. Scroll down and click the [Edit Mode] link. 3. To update OVAL definitions, click Update OVAL.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

300

Troubleshooting the KBOX
The KBOX provides several log files that can help you detect and resolve errors. The log files are rotated automatically as each grows in size so no additional administrative log maintenance procedures are required. Log maintenance checks are performed daily. The KBOX maintains the log of all the activities performed in the last seven days. KACE Technical Support may request that you send the KBOX Server logs if they need more information in troubleshooting an issue. To download the logs, click the Download Logs link. For more information, see “Downloading Log Files,” on page 301.

Accessing the KBOX Logs
You can access the KBOX Server logs by going to the KBOX Settings | Logs tab. Select the appropriate log to view from the Current log drop-down list. This area also provides a reference for any KBOX informational or exception notices. Log Type Hardware Server Log Name Disk Status KBOX Log Access Server errors Stats Updates Client Client Errors AMP Server AMP Queue Description Displays the status of the KBOX disk array. Displays the errors generated on the server. Displays the HTTP Server's access information. Displays errors or server warnings regarding any of the onboard server processes. Displays the number of connections the KBOX is processing over time. Displays details of any KBOX patches or upgrades applied using the Update KBOX function. Displays the KBOX Agent exception logs. Displays AMP server errors. Displays AMP Queue errors.

Table 16-5: Types of Server Logs

Downloading Log Files
The KBOX provides the ability to download the logs into one file directly from the System Admin UI. You may be asked by KACE Technical support to submit the KBOX logs in order to help diagnose a problem. To download the KBOX logs: 1. Select KBOX Settings | Logs. 2. Click the Download logs link on the right of the Log page. The logs are downloaded in a file called kbox_logs.tgz. 3. Click Save. In addition to the standard logging, there are some additional debug logs that can be enabled on a KBOX target machine: KBOX Management Service—Enable debug logging on the KBOX Management Service for detailed information on script execution and to troubleshoot script scheduling issues

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

301

KBOX Agent—Enable debug logging on the KBOX Agent to troubleshoot machine inventory, managed installations, and file synchronizations KBOX AMP Service—Enable debug logging on the windows KBOX Agent to troubleshoot the ondemand running of Desktop Alerts, Run-Now scripts, and Patching. You can enable debug logging by configuring AMP Settings. For information on how to configure AMP Settings page, refer to Chapter 1,“Configuring AMP Settings for the Server,” starting on page 24. Windows Debugging To enable debug logging for the KBOX Management Service: Stop the KBOX management service and edit the file: C:\Program Files\KACE\KBOX\config.xml and change the value of the debugLoggingEnabled flag to read: <debugLoggingEnabled>true</debugLoggingEnabled> Now restart the KBOX Management service. This will cause KBOXManagementService to log additional debugging information to the file KBOT_LOG.txt To enable the KBOX Client debug log: Create an empty file with the name: C:\Program Files\KACE\KBOX\KBCLIENT_DEBUG. This will cause KBOX Client to log debug information to a file in the same directory named debug.log The KBOX Client debug log file documents the details of gathering machine inventory, executing custom inventory rules, and outputs the managed installs and file synchronizations to be run based on interaction with the KBOX server. If an installation fails, it is possible to duplicate the issue using the same command found in the debug.log file and run locally on the client machine. If there are any errors they can be tested and investigated on the client machine. To log on the AMP Service: The AMP service can be debugged by adding the following to the c:\program files\kace\kbox\AMP.conf file debug=true

For information on debug logging on Linux, Solaris, and Macintosh® platforms, refer to Appendix D,“Manual Deployment of the KBOX Agent,” starting on page 342.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

302

Understanding Disk Log Status Data
The log you are likely to interact with most often when troubleshooting the KBOX is the Disk Status log. If there is a physical problem with the KBOX, that issue should be reflected here. The KBOX 1000 Series Server and the KBOX Agent exceptions are reported every night to kace.com if you enabled crash reporting on the KBOX Settings | General tab.

Figure 16-6: Disk status without error

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

303

Error Status is displayed here

Figure 16-7: Disk status with error The figures above display the difference in the Disk status log when no error is found and when an error exists. Although this section does not describe every possible error message that could be displayed here, many of the errors that occur can be resolved by following the same set of steps:

Step
Step 1: Rebuild

Description
If the disk status log error reads “Degraded” this is an indication that you need to rebuild the array. To do this, click the Rebuild Disk Array button. Rebuilding can take up to 2 hours. If the error continues to display, proceed to step 2.

Table 16-8: Troubleshooting your KBOX 1000 appliances

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

304

Step
Step 2: Power Down and Reseat the Drives

Description
In some cases, the degraded array may be caused by a hard-drive that is no longer seated firmly in the drive-bay. In these cases, the disk status will usually show "disk missing" for that drive in the log. Power down the KBOX 1000 Series. Once the appliance is powered off, eject each of the hard-drives and then re-insert them, making sure that the drive is firmly in the bay. Power the machine back on and then look again at the disk status log to see if that has resolved the issue. If an error state still exists, try rebuilding again or proceed to Step 3. If you have the previous steps and are still experiencing errors, please contact KACE Technical Support by e-mail (support@kace.com) or phone (888) 522-3638 option 2.

Step: Call KACE Technical Support

Table 16-8: Troubleshooting your KBOX 1000 appliances

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

305

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

306

C H A P T E R 17 Reporting - System Admin
The KBOX appliance provides a variety of alerts and reporting features that enable you to communicate easily with the users and to get a detailed view of the activity on your network.
“The KBOX Reports Overview,” on page 308 “Creating and Editing Reports,” on page 312 “Exporting Reports,” on page 319 “Importing Reports,” on page 320

307

The KBOX Reports Overview
The KBOX appliance ships with many included stock reports. The reporting engine utilizes XML-based report layouts to generate reports in HTML, PDF, CSV, XSL and TXT formats. By default, the KBOX appliance provides reports in the following general categories: Compliance Hardware KBOX Network Patching Security Software Template

Types of Reports
Within each of the general categories mentioned above, there are various reports you can run to display information about the computers on your network. Descriptions of each type of report you can run are provided below. Category Compliance Compliance Report Hotfix Compliance Software Compliance Simple Description Shows which computers have the specified hotfix installed. Lists the licenses and counts like the License list page with details such as vendor, PO#, and Notes. Lists software and computers that are impacted by each license record. Lists software found on computers that do not have approved licenses. Shows which computers have less than 2 gigabytes of free space. Lists all computers and their video, RAM and processor information sorted by label and name. This report is intended to generate a CSV listing for data export to other programs. Detail listing of all computers on the KBOX Appliances network with full field detail. Note: When this report is opened in XLS format, it gives an Apache Tomcat error. Lists computer disk drives in order of total free disk space.

Compliance Compliance Hardware Hardware Hardware Hardware

Software License Compliance Complete Unapproved Software Installation C drives less than 2G free Computer - Video/Ram/Proc by Label Computer Export Computer Inventory Detail

Hardware

Computer Listing by Free Disk Space

Table 17-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

308

Category Hardware Hardware Hardware Hardware KBOX KBOX KBOX KBOX KBOX Network Network Network Patching Patching Patching Patching Patching Patching Patching Security Security Security

Report Computer Listing by Label Computer Listing by Memory Computer Listing by Operating System Computer Uptime Report Boot/Login Policies KBOX Agent Roll Out Log KBOX Communication MI's enabled on all machines

Description Lists all computers by all the KBOX labels. Lists computer RAM in order of total memory size. Sorts all computers by Operating System type and sums OS Types. Reports the uptime of the computers. Lists all the activities that could happen at machine boot time or after the user logs in. Reports when a computer record was first created. Lists by day the latest communication from computers on the network. Lists all the managed installations that are enabled on all machines.

Scripts enabled on all machines This report lists the scripts that are enabled on all machines. Network Info - Domain Listing Network Info - IP Address Listing Network Scan Report Critical Bulletin List For each Machine, what patches are installed For each Patch, what machines have it installed How many computers have each Patch installed Installation Status of each enabled Patch Needs Review Bulletin List Patches waiting to be deployed Number of machines with OVAL vulnerabilities OVAL Machine Report SANS Top 10 - Q2 2005 This report lists computers groups and computers by domain/workgroup. Lists computers in ascending order of IP Address Displays the results of the nightly Network Scan. Lists all critical bulletins. Lists of all patches on each computer in the KBOX network. Lists the computers having each software patch in inventory. Software Inventory listing sorted by software title showing number of seats deployed. Lists the installation status of each enabled patch. List of all the Bulletins that need review. Lists all patches waiting to be deployed. Lists, for each OVAL test, how many machines failed the test and are therefore vulnerable. Reports all the machines and the OVAL tests failed by each of them. Reports all OVAL results from vulnerabilities reported by SANS.

Table 17-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

309

Category Security Security

Report Threatening Items Top 10 OVAL Vulnerabilities

Description Displays all items of threat level 4 or 5 and the computers which have them. Displays a Pie graph of the top 10 OVAL vulnerabilities that have been reported by the OVAL scan. Generates a CSV listing for data export to other programs. Lists, by software item, where software has been installed but not been used according to the software metering. This only works when you have attached the metering to a particular software item which limits you to a particular version of software. Software Inventory listing grouped by vendors showing number of seats deployed. Lists all software titles organized by all the KBOX labels. Listing of all software titles that are not currently installed on any computers. Listing of all software on each computer in the KBOX network. List showing the count of Operating Systems currently deployed on your network.

Software Software

Software Export Software Installed But Not Used Last 6 Months

Software Software Software Software Software Software Software Software Software Template

Software Inventory By Vendor Software Listing By Label Software not on any computer Software on Computer Software OS Report

Software Title & Version - Com- This report lists the computers having each softputer List ware title in the inventory. Software Title - Computer List Software Title - Computer List (MS Only) Software Title Deployed Count Computer Listing - XP SP2 installed? This report lists the computers having each software title in the inventory. This report lists computers having each Microsoft software title in the inventory. Software Inventory sorted by software titles showing number of seats deployed. Lists all computers, and identifies whether XP SP2 is installed or not. Change 'Windows XP Service Pack 2' to any other Software title you are interested in. Sorted by installation status. Computer Listing sorted by LABEL with computers having software names like "Microsoft Office Professional%".

Template

Computer Listing with Software Template

Table 17-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

310

Category Template

Report Custom Inventory Template

Description Reports the values returned by a custom inventory rule that you can setup in the Software Item page. Change 'McAfeeDATFile' to be the name of the Software item with the Custom Inventory Rule in it. This is a template that lists the values returned from a 'Log File Information' action in a script. Replace 'AccessedDate: ' with the actual attribute that you returned. This template lists the values returned from a script using the 'Log Registry Value' action. Replace the value '!doc =' with the appropriate value name that you entered in the script. Reports all the machines in label(s) and indicates if they have a particular software product installed. Replace the KBOX with the name of the software you are looking for and QA_LABEL and KBOX_LABEL with the labels of the machines you want included.

Template

Log File Information Template

Template

Log Registry Value Template

Template

Machines By Label X with Software Y Installed

Table 17-1: Default reports

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

311

Running Reports
To run any of the KBOX reports, click the desired format (HTML, PDF, CSV, XLS or TXT). For the HTML format, the report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open the file or save it to your computer.

Creating and Editing Reports
If you have other reporting needs not covered by the reports previously mentioned, you can either create a new report from scratch, or you can modify one of the templates provided in the KBOX Template category. You can create a report in the following ways: Duplicate an existing report - Another way to create a report is to open an existing report and create a copy of it, which you can then modify to suit your needs. Create a new report using the Report Wizard. Create a new report from scratch. You can create a report using the Table or Chart presentation type. The table presentation type gives you a tabular report with optional row groupings and summaries and the Chart presentation type gives you a bar, line or pie chart. To create a new report using the table presentation type: 1. Select Reports | Reports. The KBOX Reports page appears. 2. Select Add New Report from the Choose action drop-down list. 3. Enter the report details as shown below: Report Title Report Category Description Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others. Enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software. 5. Click the Table presentation type icon. 6. Click Next. 7. To choose table columns: a Click the Appropriate column name from the Available columns list. b Click clicking to add that column to the Display Columns list. You can change the column order by or . .

c To remove a column from the Display list, click the appropriate column and click 8. Click Next. 9. To define the criteria for displaying records in the report:

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

312

a Click the Appropriate field name from the Available Fields list. Columns that you chose in the previous step appear under display fields. You can also choose a field from among all fields available for that topic. For example, Threat Level. b Click Add. c Select the appropriate operator from the comparison drop-down list. For example, Greater Than. d Enter the appropriate value in the text field. For example, 3. This rule filters the data and display only software that has Threat Level greater than 3. e Click OK. The rule is added in the list of Current Rules. You can add more than one rule. f Click to remove a rule from the list of Current Rules.

g Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to define a syntactic structure for your rules to override operator precedence. h Click the Check Syntax button to check whether the rule syntax is valid. i Once you add more than one rule, you can click the Move Up or Move Down button to change the order of rules.

10. Click Next. 11. To choose columns to be displayed in the report: a Click the Appropriate column name from the Available columns list. b Click clicking to add that column to the Display Columns list. You can change the column order by or . .

c To remove a column from the Display list, click the appropriate column and click 12. Click Next.

13. You can customize the report layout. You can drag to set column order, width and add spacers. You can drag and drop between columns as well as between columns and spacer. Click on the column and report headings for further menu of labels, grouping, summary and other options. The options available are as follows: Title Spacer Column Click on the title displayed before spacer to display the field name of spacer, Add as a group and Add as a column options. Click on spacer to display the field name of spacer and Add as a column options. Click on column to display the column name, change label, switch to group, remove column, summaries and move to right or left depending upon the column alignment options.

14. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list. To run the new report, click the desired format (HTML, PDF, CSV, XLS or TXT). For the HTML format, the report is displayed in a new window. If you select PDF, CSV, XLS or TXT formats, you can open the file or save it to your computer. You can jump to steps 1-5 of the Reporting Wizard Step. Step 1 and 2 are mandatory and can not be left blank.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

313

To create a new report using the chart presentation type: 1. Select Reports | Reports. The KBOX Reports page appears. 2. Select Add New Report from the Choose action drop-down list. 3. Enter the report details as shown below: Report Title Report Category Description Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others. Enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Describe the information that the report provides.

4. Click the appropriate topic name from the Available Topics list. For example, software. 5. Click the Chart presentation type icon. 6. Click Next. 7. To choose table columns: a Click the Appropriate column name from the Available columns list. b Click clicking to add that column to the Display Columns list. You can change the column order by or . .

c To remove a column from the Display list, click the appropriate column and click 8. Click Next. 9. To define the criteria for displaying records in the report:

a Click the Appropriate field name from the Available Fields list. Columns that you chose in the previous step appear under display fields. You can also choose a field from among all fields available for that topic. For example, Threat Level. b Click Add. c Select the appropriate operator from the comparison drop-down list. For example, Greater Than. d Enter the appropriate value in the text field. For example, 3. This rule filters the data and display only software that has Threat Level greater than 3. e Click OK. The rule is added in the list of Current Rules. You can add more than one rule. f Click to remove a rule from the list of Current Rules.

g Select the Use Expanded logic check box to use expanded logic. Expanded logic enables you to define a syntactic structure for your rules to override operator precedence. h Click the Check Syntax button to check whether the rule syntax is valid. i Once you add more than one rule, you can click the Move Up or Move Down button to change the order of rules.

10. Click Next. 11. Select the appropriate chart type from the following: Simple 3-D Bar: Displays categories along the X-axis, values along the Y-axis. 3-D Pie: Displays a slice for each category. The corresponding value determines the size of the slice.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

314

Line: Displays categories or dates along the X-axis, values along the Y-axis. 12. Select the appropriate category field from the Category Field drop-down list. 13. Select the summary from the Summary drop-down list, beside appropriate Value field name. If you have more than one Value field, you can change the value field order by clicking 14. Select the Show legend check box if you want to display a legend in the chart. 15. Specify the Chart width and Chart height in pixels, in the text fields. 16. Click Save to save the report. The KBOX Reports page is displayed with the new report in the list. You can jump to steps 1-5 of the Reporting Wizard Step. Step 1 and 2 are mandatory and can not be left blank. or .

To duplicate an existing report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Click the report title you wish to duplicate. The Report Wizard page appears. 3. Click Duplicate. 4. Modify the report details as necessary, then go to the last step - step report layout, and click Save. To create a new SQL report from scratch: 1. Select Reports | Reports. 2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report: Edit Detail page appears. 3. Specify the following report details: Title Report Category Output File Name Description Output Types SQL Select Statement Break on Columns Enter a display name for the report. Make this as descriptive as possible, so you can distinguish this report from others. Enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Enter the name for the file that is generated, when this report is run. Describe the information that the report provides. Specify the formats that should be available for this report. Enter the query statement for generating the report data. For reference, consult the MYSQL documentation. A comma-separated list of SQL column names. The report is generated break headers and sub totals for these columns. This setting refers to the auto-generated layout. Select this check box to query the databases of all organizations.

Query All Orgs

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

315

XML Report Layout

When checked, this option creates the XML layout based on the SQL you enter. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns.

4. Click Preview. Refer to “Previewing SQL report,” on page 317. 5. Click Save to add this SQL report to the list of reports on the KBOX Reports page. The KBOX Reports page appears. For assistance with formatting the report XML, JRXML format is used. You can use iReports to design reports with JRXML. The documentation is available a http:// jasperforge.org/jaspersoft/opensource/business_intelligence/ireport/. Once you click the Save button, the report wizard is disabled for that report. To edit a report using SQL Editor: 1. Select Reports | Reports. The KBOX Reports page appears. 2. Click the report you want to edit. The Report Wizard page appears. 3. Click the Edit SQL button. 4. Click OK to proceed. The KBOX Report: Edit Detail page appears. 5. Edit the following report details: Title Report Category Output File Name Description Output Types SQL Select Statement Break on Columns Edit the display name for the report if required. Make this as descriptive as possible, so you can distinguish this report from others. Edit or enter the category for the report. If the category does not already exist, it is added to the drop-down list on the Reports list page. Edit or enter the name for the file generate when this report is run. Describe the information that the report provides. Select the appropriate formats that should be available for this report. Edit or enter the query statement for generating the report data. For reference, consult the MYSQL documentation. A comma-separated list of SQL column names. The report is generated break headers and sub totals for these columns. This setting refers to the auto-generated layout. Select this check box if you have changed the columns that are being returned by the query so that the XML Report Layout is regenerated using the new columns. This option creates the Report XML layout based on the SQL you enter. You can edit, if necessary. Note: If you have just changed a sort order or a where clause, you need not recreate the layout.

XML Report Layout

6. Click Save.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

316

Editing the SQL of a report disables modifying it with the Report Wizard.

To duplicate an existing SQL report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Click the report title you wish to duplicate. The KBOX Report: Edit Detail page appears. 3. Click Duplicate. 4. Modify the report details as necessary, then click Save. Refer to Appendix B,“Adding Steps to a Task,” starting on page 330.

Previewing SQL report
The KBOX provides preview functionality, to view the report created using SQL Editor. You can also customize an existing report by changing its title, layout, SQL query, break columns, and then view the modified report using preview button. To preview the SQL report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Add New SQL Report from the Choose action drop-down list. The KBOX Report : Edit Detail page appears. 3. Specify title, report category, output file name, description, SQL Select Statement, Break on Columns. 4. Click Preview. The SQL report is displayed in KBOX Report : Preview Page Layout. 5. To customize the column width, hover the mouse over the report column you want to adjust the width. Drag the mouse pointer to change the size of the column width.

6. Click on Save button to update these settings.
To preview the existing SQL report: 1. Click on existing SQL report. The KBOX Report : Edit Detail page appears. 2. Click Preview to view the report. You can customize the report by changing its title, SQL query, or layout. 3. Click Preview to view the customized report.

Scheduling Reports
Reports can be scheduled from the Schedule Reports tab. From the Report Schedules List page you can open existing schedules, create new schedules, or delete them. You can also search schedules using keywords. To create a report schedule: 1. Select Reports | Schedule Reports. The Report Schedules page appears.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

317

2. Select Create a New Schedule from the Choose action drop-down list. The Schedule Reports: Edit Detail page appears. 3. Specify the following schedule details: Record Created Record Last Modified Schedule Title Description Report to Schedule Report Output Formats Displays the date and time when the schedule was first created. This field is read-only. Displays the date and time that the schedule was last modified. This field is read-only. Enter a display name for the schedule. Make this as descriptive as possible, so you can distinguish this schedule from others. Enter the information that the schedule would provide. Select the appropriate report you would like to schedule. You can filter the list by entering any filter options. Click the desired output report format (HTML, PDF, Excel, CSV, or TXT) that should be available for this scheduled report. Recipients Click the icon to enter the recipient’s e-mail address, or choose Select user to add from the drop-down list. This is a mandatory filed. Enter the subject of the schedule. The subject can help to quickly identify what the schedule is about. Enter the message text in the notification.

Email Notification

Subject Message Text

4. Specify scan schedule: Don’t Run on a Schedule Run Every n hours Run Every day/specific day at HH:MM AM/PM Select to run the schedules in combination with an event rather than on a specific date or at a specific time. Select to run the schedules at the specified time. Select to run the schedules on specified day at the specified time.

Run on the nth of every month/ Select to run the tests on the specified time on the 1st, 2nd, or specific month at HH:MM AM/PM any other date of every month or only the selected month. 5. Click Save or Run Now to run the schedule reports immediately. To run a schedule: 1. Select Reports | Schedule Reports. The Report Schedules page appears. 2. Select the check box beside the schedule(s) you want to run. 3. In the Choose action box, select Run Selected Schedules Now. To delete a schedule: 1. Select Reports | Schedule Reports. The Report Schedules page appears. 2. Select the check box beside the schedule(s) you want to delete. 3. Select Delete Selected Item(s) from the Choose action drop-down list. 4. Click Yes to confirm deleting the schedule(s)

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

318

Exporting Reports
You can export the existing reports of individual organizations in the .jrxml format, which can be viewed through iReport. You can customize the exported report by changing the layout, font size or background color in iReport and import this customized report in the KBOX. To export a report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select the check box beside the report(s) that you want to export. 3. Select Export Selected Report(s) from the Choose action drop-down list. The File Download popup window opens. 4. Select Save File to save the reports.zip file to the desktop of your machine. The reports.zip file contains the exported report in the .jrxml format, which can be viewed in iReport. You can download iReport from http://jasperforge.org/jaspersoft/opensource/ business_intelligence/ireport/. To view the exported .jrxml file in iReport: 1. Create a connection between iReport and mysql database of the KBOX. 2. Open the .jrxml file in iReport and execute the report with active connection. You can view the exported report and change its layout using iReport.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

319

Importing Reports
You can import an existing report exported or a new report created in the .jrxml format, using the iReport wizard. To import the report: 1. Select Reporting | Reports. The KBOX Reports page appears. 2. Select Import Reports from the Choose action drop-down list. The KBOX Reports : Import Reports page appears. 3. Click Browse and locate the .jrxml file that you want to import and then click Open. 4. Click Upload Reports to upload the .jrxml file in the KBOX. View the import results to verify the successful import of the report. This report is displayed in the KBOX Reports page. The Reporting module of the KBOX currently does not support the subreport feature of JasperReports.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

320

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

321

A P P E N D I X A Macintosh® Users
This appendix provides information for Macintosh® users.
“Inventory,” on page 323 “Distribution,” on page 324 “Patching,” on page 328 “User Portal and Help Desk,” on page 328 “Asset Management,” on page 329 “AppDeploy Live,” on page 329 “Reporting,” on page 329 “Logs,” on page 329

322

Inventory
The KBOX 1000 Series Inventory feature lets you identify machines and software on your network and organize computers by using labels and filters. Inventory is collected by the KBOX Agent and reported when computers check in with the KBOX 1000 Series. The data is then listed on one of the following Inventory tabs: Computers Software MIA The inventory data is collected automatically according to the schedule specified under the KBOX Agent Settings. For information on how to change the Agent settings, Refer to Chapter 2,“KBOX Agent Settings,” starting on page 44. You can search for Macintosh® machines in the Computer Search & Filter page using Advanced search. In the Advanced Search sub tab you can search for Macintosh® machines using attributes like OS Name, and so on. For more information on how to use Advanced Search, Refer to Chapter 3,“Using Advanced Search for Computer Inventory,” starting on page 56. You can use the Create Notification feature to search the inventory for Macintosh® machines that meet certain criteria, such as disk capacity or OS version, and then send an e-mail automatically to an administrator. For example, if you wanted to know when computers had a critically low amount of disk space left, you could specify the search criteria to look for a value of 5 MB or smaller in the Disk Free field, and then notify an administrator who can take appropriate action. For more information on how to create notifications, Refer to Chapter 3,“Creating Computer Notifications,” starting on page 57. Filtering provides a way to dynamically apply a label based on search criteria. It is often helpful to define filters by inventory attribute. For example, you could create a label called “San Francisco Office” and create a filter based on the IP range or subnet for machines in San Francisco. Whenever machines check in that meet that attribute, they would receive the San Francisco label. This is particularly useful if your network includes laptops that often travel to remote locations. You can also create a label to group all your Macintosh® machines. Once grouped by a label, software, reports, or software deployments on your Macintosh® machines can all be managed very easily. For more information on the labeling feature, Refer to Chapter 3,“Labels,” starting on page 84.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

323

Distribution
The KBOX 1000 Series Distribution feature provides various methods for deploying software, updates, and files to computers on your network. Managed Installations enable you to deploy software to the computers on your network that require an installation file to run. You can create a Managed Installation package from the Distribution | Managed Installation page. From the Managed Installations tab you can: Create or delete Managed Installations Execute or disable Managed Installations Specify a Managed Action Apply or remove a label Search Managed Installations by keyword

Examples of Common Deployments on Macintosh®
On the Apple MacOS X platform, there is a universal installer with the usual file extension of .pkg. (Note that this format is not the same as the Solaris .pkg files.) You cannot upload a .pkg file directly, as these files consist of low level directories and web browsers can't handle uploading entire directories. You do not require an installer to install plain packages using the KBOX. These are the ".app" packages you might normally drag to your Applications folder. These packages must be archived as well, since they consist of low level directories, just like the installer packages. You can even archive installers along with plain applications. The KBOX will run the installers first and then copy the applications into the Applications folder. The supported package deployments are .pkg, .app, .dmg, .zip, .tgz, and tar.gz. If you package the file as a disk image, the KBOX will mount and unmount it quietly. This section provides examples for each type of deployment. For each of these examples, you must have already uploaded the file to the KBOX prior to creating the Managed Installation package. We recommend, that you install the software on a test machine, wait till the KBOX Agent connects to the KBOX 1000 series appliance. The KBOX will then create an inventory item and a Managed Installation package for the software. To create a managed installation: 1. Select Distribution | Managed Installations. The Managed Installations page appears. 2. Select Add New Item in the Choose action drop-down list. The Managed Installation: Edit Detail Page appears. 3. Select the software from the Select software drop-down list. You can filter the list by entering any filter options. 4. By default the kbox agent will attempt to install the .pkg file via the following command, which is sufficient to install a new package or update an existing one to a new version: installer -pkg packagename.pkg -target / [Run Parameters]

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

324

5. If you have selected a zip/tgz/tar.gz file, then the contents will be unpacked and the root directory is searched for all .pkg files. The installation command will be run against each of these .pkg files. The KBOX will search for all the .pkg files on the top level of an archive and execute that same installer command on all the files in alphabetical order. After that, the KBOX will search for all plain applications (.app) on the top level of the archive and copy them to /Applications with the following command: ditto -rscs Application.app /Applications/Application.app If you wish to execute a script or change any of the above mentioned command lines, you can specify the appropriate script invocation as the Full Command Line. You can specify wildcard in the filenames you use. Enclose the filename in single or double quotation marks if it contains spaces. The files will be extracted into a directory in "/tmp" and that will become the current working directory of the command. On MacOS, you do not need to include any other files in your archive other than your script if that's all you wish to execute.

Ensure that you specify the relative path to the executable in the Full Command Line field, if you wish to execute a shell script or other executable that you have included inside an archive. Remember, you'll be executing your command inside a directory alongside the files which have been extracted. For example, if you want to run a file called "installThis.sh", you would package it up alongside a .pkg file and then put the command "./installThis.sh" in the Full Command Line field. If you archived it inside another directory, like "foo", the Full Command Line field should be "./foo/installThis.sh". Both these examples, as well as some other KBOX functions, assume that "sh" is in root's PATH. If you're using another scripting language, you may need to specify the full path to the command processor you wish to run in the Full Command Line, like "/bin/sh ./installThis.sh". Be sure to include appropriate arguments for an unattended, batch script. If you select the uninstall check box in the MI detail, the KBOX will remove each .app it finds in the top level of your archive from the Applications folder. Thus, if you include two files in your archive named "MyApp.app" and "MyOtherApp.app", those two applications will disappear from your Applications folder if they exist there. Uninstallation in this way will be performed only if the archive or package is downloaded to the client. If you select the check box for "Run Command Only", you should specify a full command line to ensure the correct removal command is run on the correct package. Since no package is downloaded in this case, you should specify the path in the installation database where the package receipt is stored or run the correct file removal command to delete the files from the Applications folder. In that case, you can download a script inside an archive and run the script on the Full Command Line.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

325

6. If your package requires additional options, you can enter the following installation details: Run Parameters Full Command Line You can not apply "Run Parameters" to the above mentioned commands. You do not need to specify a full command line. The server executes the installation command by itself. The Macintosh® client will try to install this via: installer -pkg packagename.pkg -target / [Run Parameters] or ditto -rsrc packagename.app /Applications/theapp If you do not want to use the default command at all, you can replace it completely by specifying the complete command line here. Remember that if you have specified an archive file, this command will run against all of the .pkg files or .app files it can find. Select this check box to uninstall software. If the Full Command Line above is filled in, it will be run. Otherwise, by default the agent will attempt the command, which is generally expected to remove the package. Select this check box to run the command line only.This will not download the actual digital asset. Enter additional information in this field, if any. Managed Action allows you to select the most appropriate time for this package to be deployed. Execute anytime (next available) and Disabled are the only options available for Macintosh® platform.

Un-Install using Full Command Line

Run Command Only Notes Managed Action

7. Specify the deployment details: Deploy to All Machines Limit Deployment To Selected Labels Select this check box if you want to deploy to all the machines. Select a label to limit deployment only to machines grouped by that label. Press Command and click labels to select more than one label. If you have selected any label that has a replication share or an alternate download location specified, then the KBOX will copy digital assets from that replication share or alternate download location instead of downloading them directly from the KBOX. Note: The KBOX will always use a replication share in preference to an alternate location. You can limit deployment to one or more machines. From the dropdown list, select a machine to add to the list. You can add more than one machine. You can filter the list by entering filter options. The order in which software should be installed. Lower deploy order will deploy first. Enter the maximum number of attempts, between 0 and 99, to indicate the number of times the KBOX 1000 Series appliance will try to install the package. If you specify 0, the KBOX will enforce the installation forever.

Limit Deployment To Listed Machines Deploy Order Max Attempts

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

326

Deployment Window(24H clock)

Enter the time (using a 24 hr. clock) to deploy the package. Deployment Window times affect any of the Managed Action options. Also, the run intervals defined in the System Console, under Organizations | Organizations for this specific organization, override and/or interact with the deployment window of a specific package.

8. Set user interaction details: Allow Snooze Custom Pre-Install Message Custom Post-Install Message Delete Downloaded Files Use Alternate Download This option is not available for Macintosh® platform. This option is not available for Macintosh® platform. This option is not available for Macintosh® platform. Select the check box to delete the package files after installation. Select the check box to specify details for alternate download. When you select this check box, the following fields appear: Alternate Download Location—Enter the location from where the KBOX Agent can retrieve digital installation files. Alternate Checksum—Enter an Alternate Checksum (MD5) that matches the MD5 checksum on the remote file share (for security purposes). Alternate Download User—Enter a user name that will have the necessary privileges to access the Alternate Download Location. Alternate Download Password—Enter the password for the user name specified above. Note: If the target machine is part of a replication label, then the KBOX will not fetch software from the alternate download location. For more information on using an alternate location, Refer to Chapter 6,“Distributing Packages through an Alternate Location,” starting on page 105. Here you specify an alternate download location only for a specific managed installation. You can also edit an existing label or create a new label that can be used for specifying the alternate location globally. But since that label will not be specific to any managed installation, you cannot specify an alternate checksum for matching the checksum on the remote file share. For more information on how to create or edit labels, Refer to Chapter 3,“Labels,” starting on page 84. 9. Click Save. For more information about Distribution, Refer to Chapter 6,“Distribution,” starting on page 102. For more information about Managed installations, Refer to Chapter 6,“Managed Installations,” starting on page 106.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

327

Patching
The KBOX 1000 Series Patching feature enables you to quickly and easily deploy patches to your network. The Detect and Deploy Patches feature allows you to create schedules for detecting and deploying patches. Patching schedules are used to define when patch detection and deployment will run on a set of machines. For more information about Detect and Deploy patches, Refer to Chapter 9,“Detect and Deploy Patches,” starting on page 172. The Patch Listing feature allows you to review the list of available patches. You can search for Macintosh® patches in the Patching Listing page by selecting the appropriate Macintosh® operating system under View by Operating System from the View by drop-down list. Refer to Chapter 9,“Patch Listing,” starting on page 169. You can use the Advanced Search feature to search for Macintosh® patches. In the Advanced Search sub tab you can select the appropriate Macintosh® operating system from the OS drop-down list. For more information on how to use Advanced Search, Refer to Chapter 9,“Using Advanced Search for Patching,” starting on page 170. You can use the Filter feature to automatically search the patch list using predefined search criteria. In the Filter sub tab you can select the appropriate Macintosh® operating system from the OS drop-down list. To allow the KBOX to download Apple Security updates for Macintosh®, you need to select the appropriate operating system from the Macintosh Platform list in the Patch Subscription Settings page. You can select more than one Macintosh® operating system. For more information on patch download settings, Refer to Chapter 9,“Subscription Settings,” starting on page 169.

User Portal and Help Desk
The User Portal provides the ability for users to download software, track computer info, and view a record of what they have downloaded. You can log onto the User Portal by visiting the root URL of the KBOX 1000 Series machine name (for example, http://kbox/). Although users can access the User Portal even if they do not have the KBOX Agent installed on their machine, they will not be able to run installations. The User Portal is administered from the User Portal tab. For more information about the User Portal, Refer to Chapter 11,“Overview of the User Portal,” starting on page 194. If you have purchased the optional KBOX 1000 Series Help Desk Module, additional tabs or options are added. The optional KBOX 1000 Series Help Desk Module provides a ticket submission, tracking, and management system that allows you to solve problems in real time. The KBOX 1000 Series Help Desk Module provides integrated access with KBOX 1000 Series capabilities for hardware and software inventory, software deployment, updates and patching, remote control, and alerting and reporting. After installation, you can customize the Help Desk settings according to the needs of your organization. For more information about using the features added by the Help Desk Module, Refer to Chapter 11,“Overview of the Help Desk Module,” starting on page 206.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

328

Asset Management
The KBOX 1000 Series allows you to manage and track assets in your environment in a flexible and customizable way. By establishing asset types and relationships to other asset types and other objects in the KBOX, you will be able to report on existing assets as well as track licensing and cost information in a way that works for you in your environment. For more information about Asset Management Refer to, Chapter 4,“Asset Management,” starting on page 86.

AppDeploy Live
AppDeploy.com contains information on installation, deployment and systems management automation. By putting all of the relevant information in one place, it eliminates the need for searching answers through vendor sites, discussion boards and technical publications. It offers computer administrators an easy way to search for answers and solutions. For more information about AppDeploy Live, Refer to Chapter 3,“AppDeploySM Live,” starting on page 76.

Reporting
The KBOX 1000 Series provides a variety of alert and reporting features that enable you to communicate easily with users and to get a detailed view of the activity on your network. The KBOX 1000 Series ships with many included stock reports. The reporting engine utilizes XML-based report layouts to output report types of HTML, PDF, CSV, and TXT. You can view various types of reports like, Computer Listing By Label, Computer Listing By Operating System, Patches installed, Software OS Report - Graph, and so on. For more information on Reporting, Refer to Chapter 12,“Reporting,” starting on page 225.

Logs
The KBOX provides several log files that can help you detect and resolve errors. The KBOX maintains the last seven days of activity in the logs. KACE Technical Support may request that you send the KBOX Server logs if they need more information in troubleshooting an issue. To download the logs, click the Download Logs link. For more information, Refer to Chapter 16,“Downloading Log Files,” starting on page 301. You can access the KBOX Server logs by going to the KBOX Settings | Logs tab. For more information on KBOX Logs, Refer to Chapter 16,“Troubleshooting the KBOX,” starting on page 301.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

329

A P P E N D I X B Adding Steps to a Task
This appendix describes steps for adding a script task. The steps documented here are available on the Scripting tab. For more information, see “Scripting,” on page 142.
“Adding Steps to Task Sections,” on page 331

330

Adding Steps to Task Sections
Refer to the following table when adding steps to a Policy or Job task. These are the steps available in the step drop-down lists in the Verify, On Success, Remediation, On Remediation Success, and On Remediation Failure sections of a task. The Column headings V, OS, R, ORS, and ORF indicate whether a particular step is available in the corresponding Task sections. Step Always Fail Call a Custom DLL Function Create a Custom DLL Object Create a message window Call function "%{procName}" from "%{path}\%{file}" Create object "%{className}" from "%{path}\%{file}" Create a message window named "%{name}" with title "%{title}", message "%{message}" and timeout "%{timeout}" seconds. Delete "%{key}" from the registry. Delete "%{key}!%{name}" from the registry. Destroy the message window named "%{name}". Install "%{name}" with arguments "%{install_cmd}". Note: This step requires you to choose from a list of software packages already uploaded using the functionality in the Inventory/Software tab. For more information, see “Adding Software to Inventory,” on page 68. Kill the process "%{name}". Launch "%{path}\%{program}" with params "%{parms}". Log “%{key}!%{name}”. Log “%{attrib}”from “%{path}\%{file}” Log “%{message}”to “%{type}” Restart service “%{name}” X X X Description V X X X X X X X OS R X X X X X X ORS ORF

Delete a registry key Delete a registry value Destroy a message window Install a software package

X X X X

X X X X X X

Kill a process Launch a program Log a registry value Log file information Log message Restart a service

X X

X X X X X X

X X

X X

X

X

Table B-1: Adding steps to Tasks in Policy & Job scripts

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

331

Step Run a batch file

Description Run the batch file "%{_fake_name}" with params "%{parms}". Note: In this step, you do not need to upload the batch file. You create the batch file by pasting the script in the space provided.

V X

OS X

R X

ORS

ORF

Search the file system Set a registry key Set a registry value Start a service Stop a service Unzip a file Update message window text Update Policy and Job schedule Upload a file Upload \ logs Verify a directory exists Verify a file exists Verify a file version is exactly Verify a file version is greater than Verify a file version is greater than or equal to... Verify a file version is less than Verify a file version is less than or equal to

Search for "%{name}" in "%{startingDirectory}" on "%{drives}" and "%{action}". Set "%{key}". Set "%{key}!%{name}" to "%{newValue}". Restart service “%{name}” Stop service “%{name}” Unzip "%{path}\%{file}" to "%{target}". Set the text in the message window named "%{name}" to "%{text}". Update policy and job schedule from the KBOX Upload "%{path}\%{file}" to the server. Upload the KBOX Agent logs to the KBOX Verify that the directory "%{path}" exists. Verify that the file "%{path}\%{file}" exists. Verify that the file "%{path}\%{file}" has version "%{expectedValue}". Verify that the file "%{path}\%{file}" has version greater than "%{expectedValue}". Verify that the file "%{path}\%{file}" has version greater than or equal to "%{expectedValue}” Verify that the file "%{path}\%{file}" has version less than "%{expectedValue}". Verify that the file "%{path}\%{file}" has version less than or equal to "%{expectedValue}

X X X X X X X X X X X X X X X X X X X X X X X X X X X

X X

Table B-1: Adding steps to Tasks in Policy & Job scripts

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

332

Step Verify a file version is not Verify a file was modified since Verify a process is not running Verify a process is running

Description Verify that the file "%{path}\%{file}" does not have version "%{expectedValue}". Verify that the file "%{path}\%{file}" was modified since "%{expectedValue}". Verify the process "%{name}" is not running. Verify the process "%{name}" is running.

V X X X X X X

OS

R

ORS

ORF

Verify a product ver- Verify that the product "%{path}\%{file}" sion is exactly.. has version "%{expectedValue}" Verify a product ver- Verify that the product "%{path}\%{file}" sion is greater than has version greater than "%{expectedValue}". Verify a product ver- Verify that the product "%{path}\%{file}" sion is greater than has version greater than or equal to "%{expected-Value}” or equal to... Verify a product ver- Verify that the product "%{path}\%{file}" sion is less than has version less than "%{expectedValue}". Verify a product ver- Verify that the product "%{path}\%{file}" sion is less than or has version less than or equal to "%{expectedValue}” equal to Verify a product ver- Verify that the product "%{path}\%{file}" sion is not does not have version "%{expectedValue}" Verify a registry key does not exist Verify a registry key exists Verify a registry key’s subkey count is exactly Verify a registry key’s subkey count is greater than Verify a registry key’s subkey count is greater than or equal to Verify a registry key’s subkey count is less than Verify that "%{key}" does not exist. Verify that "%{key}" exists. Verify that "%{key}" has exactly "%{expectedValue}" subkeys. Verify that "%{key}" has greater than "%{expectedValue}" subkeys. Verify that "%{key}" has greater than or equal to "%{expectedValue}" subkeys.

X

X X

X

X X X

X

X

Verify that "%{key}" has less than "%{expectedValue}" subkeys.

X

Table B-1: Adding steps to Tasks in Policy & Job scripts

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

333

Step Verify a registry key’s subkey count is less than or equal to Verify a registry key’s subkey count is not Verify a registry key’s value count is exactly Verify a registry key’s value count is greater than Verify a registry key’s value count is greater than or equal to Verify a registry key’s value count is less than

Description Verify that "%{key}" has less than or equal to "%{expectedValue}" subkeys.

V X

OS

R

ORS

ORF

Verify that "%{key}" does not have exactly "%{expectedValue}" subkeys. Verify that "%{key}" has exactly "%{expectedValue}" values. Verify that "%{key}" has greater than "%{expectedValue}" values. Verify that "%{key}" has greater than or equal to "%{expectedValue}" values.

X

X

X

X

Verify that "%{key}" has less than "%{expectedValue}" values.

X

Verify a registry Verify that "%{key}" has less than or key’s value count is equal to "%{expectedValue}" values. less than or equal to Verify a registry key’s value count is not Verify that "%{key}" does not have exactly "%{expectedValue}" values.

X

X

Verify a registry pat- Verify that "%{key}!%{name}=%{expecttern doesn’t match edValue}" doesn't match. Verify a registry pat- Verify that "%{key}!%{name}=%{expecttern matches edValue}" matches. Verify a registry Verify that "%{key}!%{name}" does not value does not exist exist Verify a registry value exists Verify a registry value is exactly Verify a registry value is greater than Verify a registry value is greater than or equal to Verify that "%{key}!%{name}" exists Verify that "%{key}!%{name}" is equal to "%{expectedValue}" Verify that "%{key}!%{name}" is greater than "%{expectedValue}" Verify that "%{key}!%{name}" is greater than or equal to "%{expectedValue}"

X X X X X X

X

Table B-1: Adding steps to Tasks in Policy & Job scripts

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

334

Step Verify a registry value is less than Verify a registry value is less than or equal to Verify a registry value is not Verify a service exists Verify a service is running

Description Verify that "%{key}!%{name}" is less than "%{expectedValue}" Verify that "%{key}!%{name}" is less than or equal to "%{expectedValue}" Verify that "%{key}!%{name}" is not equal to "%{expectedValue}" Verify the service "%{name}" exists Verify the service "%{name}" is running

V X X

OS

R

ORS

ORF

X X X

Table B-1: Adding steps to Tasks in Policy & Job scripts

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

335

A P P E N D I X C Database Tables
This appendix contains a list of the table names used in the KBOX database. Use this as a reference when creating custom reports.
“The KBOX Database Tables,” on page 337

336

The KBOX Database Tables
Refer to the following table when creating custom reports for a specific organisation. For more information, see Chapter 12,“Reporting,” starting on page 225. Table ADVISORY ADVISORY_LABEL_JT ASSET ASSET_DATA_1 ASSET_DATA_2 ASSET_DATA_3 ASSET_DATA_4 ASSET_DATA_5 ASSET_DATA_6 ASSET_DATA_7 ASSET_DATA_8 ASSET_FIELD_DEFINITION ASSET_FILTER ASSET_HIERARCHY ASSET_HISTORY ASSET_TYPE AUTHENTICATION CLIENTDIST_LABEL_JT CLIENT_DISTRIBUTION CUSTOM_FIELD_DEFINITION CUSTOM_VIEW FILTER FS FS_LABEL_JT FS_MACHINE_JT GLOBAL_OPTIONS HD_ATTACHMENT HD_CATEGORY HD_EMAIL_EVENT HD_IMPACT HelpDesk HelpDesk Asset Asset Asset Asset Asset Asset Asset Asset Asset Asset Asset Asset Asset Asset KBOX KBOX KBOX Custom Fields Custom View Labeling File Synchronization File Synchronization File Synchronization KBOX Help Desk Help Desk Help Desk Help Desk Used In

Table C-1: The KBOX database table names

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

337

Table HD_MAIL_TEMPLATE HD_PRIORITY HD_QUEUE HD_QUEUE_OWNER_LABEL_JT HD_QUEUE_SUBMITTER_LABEL_JT HD_STATUS HD_TICKET HD_TICKET_CHANGE HD_TICKET_FILTER HD_TICKET_RELATED HD_TICKET_RULE* HD_WORK IM_CRON IPHONE_PROFILE* IPHONE_PROFILE_LABEL_JT KBOT KBOT_CRON_SCHEDULE KBOT_DEPENDENCY KBOT_EVENT_SCHEDULE KBOT_FORM KBOT_FORM_DATA KBOT_LABEL_JT KBOT_LOG KBOT_LOG_DETAIL KBOT_LOG_LATEST KBOT_OS_JT KBOT_RUN KBOT_RUN_MACHINE KBOT_RUN_TOKEN KBOT_SHELL_SCRIPT KBOT_UPLOAD KBOT_VERIFY KBOT_VERIFY_STEPS Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Help Desk Scheduling IPhone IPhone Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting Scripting

Used In

Table C-1: The KBOX database table names

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

338

Table LABEL LDAP_FILTER LDAP_IMPORT_USER LICENSE LICENSE_MODE MACHINE MACHINE_CUSTOM_INVENTORY MACHINE_DISKS MACHINE_KUID MACHINE_LABEL_JT MACHINE_NICS MACHINE_NTSERVICE_JT MACHINE_PROCESS_JT MACHINE_REPLITEM MACHINE_SOFTWARE_JT MACHINE_STARTUP_PROGRAMS MACHINE_STARTUPPROGRAM_JT MESSAGE MESSAGE_LABEL_JT MI MI_ATTEMPT MI_LABEL_JT METER METER_COUNTER MSP_MI_TEMPLATE NODE NODE_LABEL_JT NODE_PORTS NODE_SNMP_IF NODE_SNMP_SYSTEM NOTIFICATION NTSERVICE NTSERVICE_LABEL_JT Labeling Labeling User Inventory Inventory Inventory Inventory Inventory Inventory Inventory Inventory Inventory Inventory Replication Inventory Inventory Inventory Alerts Alerts

Used In

Managed Installs Managed Installs Managed Installs Software Metering Software Metering Patching Network Scan Network Scan Network Scan Network Scan Network Scan Alerts Inventory Inventory

Table C-1: The KBOX database table names

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

339

Table OPERATING_SYSTEMS OVAL_STATUS PORTAL PORTAL_LABEL_JT PROCESS PROCESS_LABEL_JT PROVISION_CONFIG PROVISION_NODE REPLICATION_LANGUAGE REPLICATION_PLATFORM REPLICATION_SCHEDULE REPLICATION_SHARE REPORT REPORT_FIELD REPORT_FIELD_GROUP REPORT_JOIN REPORT_OBJECT REPORT_SCHEDULE SCAN_FILTER SCAN_SETTINGS SOFTWARE SOFTWARE_LABEL_JT SOFTWARE_OS_JT STARTUPPROGRAM STARTUPPROGRAM_LABEL_JT THROTTLE USER USERIMPORT_SCHEDULE USER_HISTORY USER_KEYS USER_LABEL_JT USER_ROLE USER_ROLE_PERMISSION_VALUE Inventory OVAL User Portal User Portal Inventory Inventory Provisioning Provisioning Replication Replication Replication Replication Reporting Reporting Reporting Reporting Reporting Reporting Labeling Network Scan Inventory Inventory Inventory Inventory Inventory KBOX User User User Portal User Portal User User User

Used In

Table C-1: The KBOX database table names

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

340

Table VK_APP_IMAGE VK_APP_IMAGE_POD_IMAGE_JT VK_APP_LINEAGE VK_APP_SHORTCUT* VK_APP_VENDOR VK_DISTRIBUTION VK_DISTRIBUTION_LABEL_JT VK_DISTRIBUTION_MACHINE_JT VK_IMAGE VK_IMAGE_LINEAGE VK_IMAGE_SETTINGS VK_IMAGE_SHORTCUT VK_POD VK_PODDED_APP VK_POD_ATTACHMENT VK_POD_SETTINGS

Used In Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container Virtual container

Table C-1: The KBOX database table names Refer to the below table for creating system reports, Table ORGANIZATION ORGANIZATION_FILTER ORG_ROLE OVAL_DEFINITION PATCHLINK_ARCHITECTURE PATCHLINK_LANGUAGE PATCHLINK_OS_TYPE PATCHLINK_PATCH PATCHLINK_PLATFORM PATCHLINK_RESOURCE REPORT REPORT_JOIN REPORT_SCHEDULE Organisation Organisation Organisation Organisation Patching Patching Patching Patching Patching Patching Reporting Reporting Reporting Used In

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

341

A P P E N D I X D Manual Deployment of the KBOX Agent
This appendix contains a list of tasks and commands that you can carry out using the command line interface.
“Manual Deployment of the KBOX Agent on Linux,” on page 343 “Manual Deployment of the KBOX Agent on Solaris,” on page 345 “Manual Deployment of the KBOX Agent on Macintosh®,” on page 347

342

Manual Deployment of the KBOX Agent on Linux
Installing and Configuring the KBOX Agent
1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer. 2. Open the command line interface. 3. Type rpm -ivh kboxagent-buildnumber.i386.rpm, and then press ENTER. The installer creates the following directories on your computer: /KACE - This is the base directory in which the entire KBOX Agent is installed on the client machine. /KACE/bin - This directory contains all the executable files. /KACE/lib - This directory contains data such as version number, default configuration files, and others for the KBOX Agent. /KACE/data - This directory contains the application code organized as libraries. /var/KACE/kagentd - This directory contains the kbot_config.yaml file. 4. Type cd KACE/bin, and then press ENTER. 5. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 6. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent
1. Ensure that you have kboxagent-buildnumber.i386.rpm on your computer. 2. Open the command line interface. 3. Type rpm -uvh kboxagent-linux_buildnumber.rpm, and then press ENTER.

Removing the KBOX Agent
1. Open the command line interface. 2. Type rpm -e kboxagent-buildnumber.i386, and then press ENTER.

Verifying Deployment of the KBOX Agent
This section describes tasks to manage the KBOX Agent using the command line interface.

Starting and Stopping the KBOX Agent
1. Open the command line interface. 2. Type cd KACE/bin, and then press ENTER. 3. To start the KBOX Agent, type ./SMMPctl start, and then press ENTER. To stop the KBOX Agent, type ./SMMPctl stop, and then press ENTER.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

343

Checking whether the Agent is Running
1. Open the command line interface. 2. Type ps aux | grep kagentd, and then press ENTER.

Checking the Version of the KBOX Agent
1. Open the command line interface. 2. Type cat /KACE/data/version, and then press ENTER.

Performing an Inventory check
1. Open the command line interface. 2. Type sudo /KACE/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.

Linux Debugging
Logging on to the Management Service: 1. Open the command line interface. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /etc/rc.d/init.d/SMMPctl stop, and then press ENTER. 4. Type sudo /etc/rc.d/init.d/SMMPctl start, and then press ENTER. The debug_agent.log file contains debug logs.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

344

Logging on to the AMP Service: edit /var/kace/SMMP/SMMP.conf add a new line debug = true stop the SMMP service /KACE/bin/SMMPctl stop start the SMMP service /KACE/bin/SMMPctl start

Manual Deployment of the KBOX Agent on Solaris
Installing and Configuring the KBOX Agent
1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer. 2. Open the command line interface. 3. Type /usr/bin/gunzip KBOX-agent-all-buildnumber.pkg.gz, and then press ENTER. 4. Type /usr/sbin/pkgadd -n -d KBOX-agent-all-buildnumber.pkg all, and then press ENTER. The installer creates the following directories on your computer: /KACE /KACE/bin /KACE/lib /KACE/data /var/KACE/kagentd. This directory contains the kbot_config.yaml file. 5. Type cd KACE/bin, and then press ENTER. 6. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 7. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent
1. Ensure that you have KBOX-agent-all-buildnumber.pkg.gz on your computer. 2. Open the command line interface. 3. Type /etc/init.d/SMMPctl stop, and press ENTER. 4. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER. 5. Type /usr/bin/rm -rf /KACE/, and press ENTER. 6. Type /usr/bin/gunzip -v KBOX-agent-all*.pkg.gz, and press ENTER. 7. Type /usr/sbin/pkgadd -n -d KBOX-agent-all*.pkg all, and press ENTER. 8. Type /etc/init.d/SMMPctl start, and press ENTER.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

345

Removing the KBOX Agent
1. Open the command line interface. 2. Type /etc/init.d/SMMPctl stop, and press ENTER. 3. Type /usr/sbin/pkgrm -A -n KBOX-agent, and press ENTER. 4. Type /usr/bin/rm -rf /KACE/, and press ENTER.

Verifying Deployment of the KBOX Agent
This section describes the tasks to manage the KBOX Agent using the command line interface.

Starting and Stopping the KBOX Agent
1. Open the command line interface. 2. Type cd KACE/bin, and then press ENTER. 3. To start the KBOX Agent, type ./SMMPctl start, and then press ENTER. To stop the KBOX Agent, type ./SMMPctl stop, and then press ENTER.

Checking whether the Agent is Running
1. Open the command line interface. 2. Type ps ef | grep kagentd, and then press ENTER.

Checking the Version of the KBOX Agent
1. Open the command line interface. 2. Type cat /KACE/data/version, and then press ENTER.

Performing an Inventory check
1. Open the command line interface. 2. Type sudo /KACE/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo /KACE/bin/inventory > 'uname n'.txt, and then press ENTER. This command saves the inventory results to a file named yourcomputer.txt, where yourcomputer is the name of your computer.

Solaris Debugging
Logging on to the Management Service: 1. Open the command line interface. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER. 3. Type sudo /etc/init.d/SMMPctl stop, and then press ENTER. 4. Type sudo /etc/init.d/SMMPctl start, and then press ENTER. The debug_agent.log file contains debug logs.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

346

Logging on to the AMP Service: edit /var/kace/SMMP/SMMP.conf

add a new line debug=true stop the SMMP service /KACE/bin/SMMPctl stop start the SMMP service /KACE/bin/SMMPctl start

The KBOX Agent normally checks in using the "Run Interval" schedule specified in the KBOX Agent Settings page. For debugging and testing purposes, KACE provides ways that can be used to force a check-in outside this normal schedule. You can run the file runallkbots located in /KACE/bin to force the KBOX Agent to check in with the KBOX 1000 appliance.

Manual Deployment of the KBOX Agent on Macintosh®
To run the commands, you must be logged in as the root user. A “root” is a user with administrator privileges on the client machine.

Installing and Configuring the KBOX Agent
1. Double-click KBOX Agent 4.3.buildnumber.dmg. 2. Double-click KBOX Agent.pkg. 3. The Introduction page is displayed. Click Continue. 4. The Read Me page is displayed. Click Continue. 5. The Select Destination page is displayed, select the destination volume where you want to install the KBOX Agent, and then click Continue. 6. The Installation Type page is displayed. Click Install. 7. The Finish Up page is displayed. Click Close. The installer creates the following directories on your computer: /Library/KBOXAgent/Home/bin /Library/KBOXAgent/Home/data /Library/KBOXAgent/Home/lib

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

347

/var/kace/kagentd - This directory contains the kbot_config.yaml file. 8. Type cd Library/KBOXAgent/Home/bin, and then press ENTER. 9. Set the name of the KBOX server by typing ./setkbox name_of_kbox_server. 10. Restart all KBOX Agent services and connect to the KBOX server by typing ./runallkbots.

Upgrading the KBOX Agent
1. Double-click KBOX Agent 4.3.buildnumber.dmg. 2. Double-click KBOX Agent.pkg. 3. The Introduction page is displayed. Click Continue. 4. The Read Me page is displayed. Click Continue. 5. The Select Destination page is displayed, select the destination volume where you want to install the KBOX Agent, and then click Continue. 6. The Installation Type page is displayed. Click Upgrade. 7. The Finish Up page is displayed. Click Close.

Removing the KBOX Agent
1. Browse to /Library/KBOXAgent. 2. Removing the KBOX Agent, you first need to Drag the KBOXAgent folder to the Trash and then kill the process ID.

Verifying Deployment of the KBOX Agent
This section describes the various tasks you can perform to manage the KBOX Agent using the command line interface.

Starting and Stopping the KBOX Agent
1. Open Terminal from the Applications/Utilities folder. 2. Type cd Library/KBOXAgent/Home/bin, and then press ENTER. 3. To start the KBOX Agent, type ./SMMPctl start, and then press ENTER. To stop the KBOX Agent, type ./SMMPctl stop, and then press ENTER.

Checking whether the Agent is Running
1. Open Terminal from the Applications/Utilities folder. 2. To check if the kagentd process is running enter the command ps aux | grep kagentd, and then press ENTER. This indicates that the process is running if you see the following result: root 2159 0.0 1.1 94408 12044 p2 S 3:26PM 0:10.94 /Library/KBOXAgent/Home/bin/kagentd

Checking the Version of the KBOX Agent
1. Open Terminal from the Applications/Utilities folder.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

348

2. Type cat Library/KBOXAgent/Home/data/version, and then press ENTER.

Performing an Inventory check
1. Open Terminal from the Applications/Utilities folder. 2. Type sudo Library/KBOXAgent/Home/bin/inventory, and then press ENTER. If you want to save the inventory results to a file, type sudo Library/KBOXAgent/Home/bin/ inventory > computer_name.txt. Replace computer_name with the name of your computer, and then press ENTER. This command saves the inventory results to a file named computer_name.txt, where computer_name is the computer name that you specified.

Macintosh® Debugging
Logging on to the Management Service: 1. Open Terminal from the Applications/Utilities folder. 2. Type sudo touch /var/kace/kagentd/debug_agent.tag, and then press ENTER 3. Type sudo /Library/KBOXAgent/Home/bin/SMMPctl stop, and then press ENTER. 4. Type sudo /Library/KBOXAgent/Home/bin/SMMPctl start, and then press ENTER. The debug_agent.log file contains debug logs. Logging on to the AMP Service: edit /var/kace/SMMP/SMMP.conf add a new line debug=true stop the SMMP service /Library/KBOXAgent/Home/bin/SMMPctl stop start the SMMP service /Library/KBOXAgent/Home/bin/SMMPctl start

The KBOX Agent normally checks in using the "Run Interval" schedule specified in the KBOX Agent Settings page. For debugging and testing purposes, KACE provides ways that can be used to force a check-in outside this normal schedule. You can run the file runallkbots located in /Library/KBOXAgent/Home/bin to force the KBOX Agent to check in with the KBOX 1000 appliance.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

349

A P P E N D I X E Agent Customization
This appendix explains the procedure to create a self-executing zip file that includes custom installation items like non-standard path or custom server name.
“Agent Customization,” on page 351

350

Agent Customization
You can create a self-executing zip file that includes custom installation items like non-standard path or custom server name. To create a self-executing zip that includes custom installation: 1. Copy the necessary files for your customization. You will need the following files: 7zip-v442.exe, 7zip-v442_extra.zip, The KInstallerSetup.exe, from the client version you want to customize. The 7zip-v442.exe and 7zip-v442_extra.zip files can be downloaded from the internet. The KInstallerSetup.exe is file is available at the KACE Support website. 2. Install 7-zip. 3. Unzip the 7zip_v442_extra.zip file into the directory where the 7-zip is installed. (by default the directory is C:\Program Files\7-Zip). Ensure that the file 7zS.sfx is in the top-level directory. The path used for this location is 7-Zip-install. This file is important because it has the actual executable stub for a self-extracting installer executable. 4. Start the 7-Zip File Manager from the Start menu. 5. Select the KInstallerSetup.exe executable for the client version to customize using the 7-Zip File Manager. 6. Click the extract button to extract it into a directory of your choice. Keep the Current Path names selected in the Path mode box. The Overwrite without prompt option can be selected for the Overwrite mode. Do not specify a password. 7. Navigate to the desired folder and edit the kinstaller.exe.config file with a text editor to change any settings for customization. The display_mode can have the values interactive, quiet, and silent. The hostname of the server is server_name. 8. Save your changes. Execution of the kinstaller.exe file in this directory installs with the settings as specified in the .config file. 9. Open the 7-Zip File Manager and select kinstaller.exe, kinstaller.exe.config, es-ES and install_files. 10. Click the Add button. The archive format is 7z, Create SFX archive in the options box is cleared. 11. Save the .7z file and note down the path. Here the .7z file is "jkboxInstaller.7z" and the path to it is <<jkbox-installpath>> 12. Create a text file - config.txt - which includes the settings for the self-executing zip. Ensure that the file is saved with UTF-8 encoding. The file should contain the following commands, which will indicate to 7-zip that the kinstaller should run when the self-executing zip runs: ;!@Install@!UTF-8! Progress="no" RunProgram="kinstaller.exe" Directory="" ;!@InstallEnd@!

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

351

13. Open a new command-line window. 14. Execute the following command to create a self-executing file from the .7z file: Copy /b "<<7-Zip-install>>\7zS.sfx" + "<<config-file-path>>\config.txt" + "<<jkbox-installpath>>\jkboxInstaller.7z" "<<Installer_Name>>.exe"

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

352

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

353

A P P E N D I X F Understanding the Daily Run Output
The daily run output is sent to the System Administrator via email. This email is automatically sent to system administrators every night at 3:00 AM. This appendix contains a sample of the daily run output. Your output may vary slightly from the sample shown.

354

The following syntaxes are the standard freebsd maintenance messages: Removing stale files from /var/preserve: Cleaning out old system announcements: Removing stale files from /var/rwho: Backup passwd and group files: Verifying group file syntax: Backing up mail aliases: Disk status: Filesystem /dev/twed0s1a devfs /dev/twed0s1f 1K-blocks 2026030 1 134105316 Used 36780 1 1003568 Avail 1827168 0 122373324 Capacity 2% 100% 1% / /dev /kbox Mounted on

Table F-1: Disk Status /dev/twed0s1e /dev/twed0s1d /dev/twed1s1d 10154158 2026030 151368706 6365810 3858 2722542 2976016 1860090 136536668 68% 0% 2% /usr /var /kbackup

Last dump(s) done (Dump '>' file systems): The above table reports information about your disks. Of interest are /kbox and /kbackup. /kbox is where all the software for the kbox server is located. It is also holds the software packages uploaded to the server. If this drive starts getting close to full you must remove old unused packages or contact KACE for an upgrade. /kbackup is the drive where /kbox is backed up. It is generally as full as the /kbox. If it is close to full you must remove old unused packages or contact KACE for an upgrade. Network interface status: Name Coll em0 0 em0 em0 1500 fe80:1::230:4 fe80:1::230:48ff: 0 4 1500 192.168.2 kboxdev 308055 - 201832 1500 00:30:48:73:07:4c 332146 0 204673 0 Mtu Network Address Ipkts Ierrs Opkts Oerrs

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

355

0 plip0 1500 0 lo0 16384 0 lo0 16384 your-net lo0 16384 localhost lo0 16384 fe80:4::1 The above table reports information about the network status of the KBOX. Make sure the Ierrs/Oerrs are zero. Other values indicate some sort of network failure. If you notice consistent errors, contact KACE support for assistance. Local system status: 3:04PM up 3 days, 4:12, 0 users, load averages: 0.05, 0.20, 0.15 The above indicates the amount of time the KBOX has been up since the last time it was powered off. There will not be any users logged onto the machine. The load averages will vary depending on the load on the KBOX was when this report was run. Mail in local queue: /var/spool/mqueue is empty Total requests: 0 Mail in submit queue: /var/spool/clientmqueue is empty Total requests: 0 Security check: (output mailed separately) Checking for rejected mail hosts: Checking for denied zone transfers (AXFR and IXFR): fe80:4::1 0 0 ::1 0 0 localhost 699 699 699 0 699 0 0 0 0 0

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

356

tar: Removing leading /' from member names The message above are the standard freebsd messages regarding the health of the mail systems. There should not be mail in the queues. However, if an item still exists, check your SMTP settings from the KBOX Settings page. [Thu Mar 17 15:05:31 PST 2005] KBOX Backup: Backup Complete. Backup files available for off-box storage via ftp. The above message indicates a KBOX specific message telling you that the backups have been successfully completed and are on the /kbackup disk, available through the ftp interface. [Thu Mar 17 15:05:31 PST 2005] KBOX RAID Status Disk Array Detail Info not available during a rebuild. If Rebuild in progress, % completion listed below Disk Array Detail Status: Unit u0 u0-0 u0-1 UnitType Status RAID-1 DISK DISK OK OK OK %Cmpl Port Stripe Size(GB) Blocks p0 p1 149.05 149.05 149.05 312579760 312579760 312579760 -----------------------------------------------------------------------

Disk Array REBUILD Status: /c0/u0 is not rebuilding, its current state is OK The above table indicates the status of your raid drives. If you ever see the disks DEGRADED or not REBUILDING properly, contact KACE support to address the problem.

[Thu Mar 17 15:05:31 PST 2005] KBOX Database Maintenance Daily routines to maintain database performance. DB Table Maintenance Log: # Connecting to localhost... # Disconnecting from localhost... KBDB.ADVISORY KBDB.AUTHENTICATION KBDB.CATEGORY KBDB.CLIENT_DISTRIBUTION OK OK OK OK

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

357

KBDB.FILTER KBDB.FS KBDB.FS_LABEL_JT KBDB.GLOBAL_OPTIONS KBDB.LABEL KBDB.LDAP_FILTER KBDB.LICENSE KBDB.LICENSE_MODE KBDB.MACHINE KBDB.MACHINE_CUSTOM_INVENTORY KBDB.MACHINE_DISKS KBDB.MACHINE_LABEL_JT KBDB.MACHINE_NICS KBDB.MACHINE_PROCESS KBDB.MACHINE_SOFTWARE_JT KBDB.MACHINE_STARTUP_PROGRAMS KBDB.MESSAGE KBDB.MESSAGE_LABEL_JT KBDB.MI KBDB.MI_LABEL_JT KBDB.NETWORK_SETTINGS KBDB.NOTIFICATION KBDB.OPERATING_SYSTEMS KBDB.PORTAL KBDB.PORTAL_LABEL_JT KBDB.PRODUCT_LICENSE KBDB.REPORT KBDB.SCHEDULE KBDB.SERVER_LOG KBDB.SOFTWARE KBDB.SOFTWARE_LABEL_JT KBDB.SOFTWARE_OS_JT KBDB.THROTTLE KBDB.TIME_SETTINGS KBDB.TIME_ZONE KBDB.USER

OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK OK

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

358

KBDB.USER_HISTORY KBDB.USER_KEYS KBDB.USER_LABEL_JT -- End of daily output --

OK OK OK

The database is checked every night for any inconsistencies and these are automatically repaired. If you see any failures from this output, contact KACE Support for assistance.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

359

A P P E N D I X G Warranty, Licensing, and Support
“Warranty and Support Information,” on page 361. “Third Party Software Notice,” on page 361

360

Warranty and Support Information
Information concerning hardware and software warranty, hardware replacement, product returns, technical support terms and product licensing can be found in the KACE End User License agreement accessible at: http://www.kace.com/license/standard_eula

Third Party Software Notice
The KBOX TM is licensed as per the accompanying Third Party License Agreements in addition to the KBOX license noted above. The KBOX includes software redistributed under license from the following vendors. In addition, the KBOX contains paid licence to MySQL and JRXML that have been purchased and embedded within the KBOX by KACE, Copyright 2009, KACE Networks, Inc. and other copyrights. FreeBSD Apache OpenLDAP OpenSSL Exim Samba OVAL PHP Sendmail #ZipLib Other Copyrights

FreeBSD
This product (KBOX) includes software developed by Free Software Foundation, Inc. GNU GENERAL PUBLIC LICENSE, Version 2, June 1991. Copyright (C) 1989, 1991 Free Software Foundation, Inc.,675 Mass Ave, Cambridge, MA 02139, USA. The verbatim copies of the license document can be distributed, but the document should not be changed.

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

Preamble

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

361

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 2. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that Refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

362

3. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 4. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

363

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 5. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 6. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 7. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 8. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 10. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

364

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 11. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 12. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS

FREEBSD FOUNDATION Diablo Version 1.5.0-0 (Software) OEM LICENSE AGREEMENT
IMPORTANT LEGAL NOTICE CONCERNING SUN MICROSYSTEMS, INC. (Sun) JAVA STANDARD EDITION (JSE) TECHNOLOGY: There are certain branding and other requirements associated with your commercial use and redistribution of JSE that You must fulfill. You will need to sign a Trademark License Agreement with Sun. In addition, if you are interested in using the combined FreeBSD and JSE technology in a fieldof-use other than "Java-enabled general purpose desktop computers and general purpose servers", you will need to sign an additional commercial use license with Sun permitting redistribution in the desired field of use. Before downloading the Software, you must review and comply with the terms and conditions set forth in the Sun Licensed Rights Notice, which is attached as Exhibit A.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

365

You must be an OEM to download this Software. An OEM is a person who will download the Software and bundle it with other software before distributing the bundled product to its end users. You must have obtained a current Trademark License Agreement from Sun before downloading the Software. By pressing the ACCEPT button below you may continue your download, which is your representation and warranty that you have signed Suns Trademark License Agreement and (if applicable) an additional commercial use license with Sun. By completing your download you also agree to be bound by all of the terms of this License Agreement. IMPORTANT READ CAREFULLY: This OEM License Agreement (Agreement) is a legal agreement between you (in your capacity as an individual and as an agent for your company, institution, or other entity) and the FreeBSD Foundation (Foundation). Accessing, downloading, installing, using or copying of the Software (as hereafter defined) by you or a third party on your behalf indicates your agreement to be bound by the terms and conditions of this Agreement. If you do not agree to these terms and conditions, do not access, download, install, use or copy the Software. In the absence of this Agreement, you have no rights in the Software. 1. LICENSE GRANT. a Subject to all third party intellectual property claims and without warranty of any nature, Foundation hereby grants to you, and you hereby accept, a non-exclusive license (License) to: (i) download, install and use one copy of the Software in binary executable form on a single computer system located on your premises; (ii) use the Software in binary executable form to create or develop other software products; (iii) distribute and sublicense the Software to third parties in binary executable form, as an integrated component of another software product, only for use as an integrated component of that software product, and subject to the terms of this Agreement; (iv) to download and/or use one copy of the related materials provided by Foundation (Related Materials) in electronic format and/or hard copy format; and (v) distribute and sublicense the Related Materials in electronic and/or hard copy format in conjunction with the distribution of the Software as provided in this Agreement; all subject to the following terms and conditions: (i) you may not distribute any copies of the Software to third parties except in binary executable form, as an integrated component of another software product, only for use as an integrated component of that software product, and subject to the terms of this Agreement; (ii) you may not distribute copies of the Related Materials to third parties except in conjunction with the distribution of the Software in binary executable form as an integrated component of another software product; (iii) you agree to take reasonable precautions to prevent other parties from reverse engineering, decompiling, or disassembling your copy of the Software; (iv) you may not rent, lease, or lend the Software or the Related Materials; and (v) in the event that you breach any of the terms of this Agreement, Foundation may terminate the License and you must destroy all copies of the Software and Related Materials. b Subject to the terms and conditions of this Agreement, you may create a hyperlink between an Internet website owned and controlled by you and the Foundations website, which hyperlink describes in a fair and accurate manner where the Software may be obtained, provided that you do not frame the Website or otherwise give the false impression that Foundation is somehow associated with, or otherwise endorses or sponsors your website. Any goodwill associated with such hyperlink shall inure to the sole and exclusive benefit of Foundation. Other than the creation of such hyperlink, nothing in this Agreement shall be construed as conferring upon you any right to make any reference to Foundation or to its trademarks, service marks or any other indicia of origin owned by Foundation, or to indicate in any way that your products or services are in any way sponsored, approved, endorsed by or affiliated with Foundation.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

366

2. RIGHTS RESERVED. a This License does not grant you any right to enhancements or updates to, or support or maintenance for, the Software or any modifications made by Foundation; b Foundation is free to license the Software on terms different from those contained herein; c Foundation and its licensors hereby expressly reserve all rights in the Software which are not expressly granted to you under the License; and, without limiting the generality of the foregoing, Foundation and its licensors retain all title, copyright, and other intellectual property and proprietary rights in the Software and any copies thereof, and you do not acquire any rights, express or implied, other than those expressly set forth in this Agreement. 3. COPYRIGHT. You hereby acknowledge and agree that the Software is protected by United States copyright law and international treaty provisions. You must reproduce all copyright notices, trademark notices and other proprietary notices of Foundation and its licensors on any copies of the Software and Related Materials and you must not remove such notices; 4. MAINTENANCE AND SUPPORT. Foundation is under no obligation whatsoever to provide maintenance or support for the Software or to notify you of bug fixes, patches, or upgrades to the features, functionality or performance of the Software (Enhancements) (if any), whether developed by Foundation or others. If, in its sole discretion, Foundation makes an Enhancement available to you and does not enter into a separate written license agreement with you relating to such Enhancement, then that Enhancement will be deemed incorporated into the Software and subject to this Agreement. 5. WARRANTY DISCLAIMER. THE SOFTWARE IS PROVIDED TO YOU AS IS WITHOUT WARRANTY OF ANY TYPE OR NATURE, AND FOUNDATION AND ITS LICENSORS HEREBY EXPRESSLY DISCLAIM ANY WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOTLIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT OR ANY WARRANTIES ARISING BY USAGE OF TRADE, COURSE OF DEALING OR COURSE OF PERFORMANCE. IN ADDITION, FOUNDATION AND ITS LICENSORS EXPRESSLY DISCLAIM ANY LIABILITY FOR THE ACCURACY, COMPLETENESS OR USEFULNESS OF THE SOFTWARE AND DO NOT WARRANT THAT THE SOFTWARE WILL FUNCTION UNINTERRUPTED, THAT IT IS ERROR-FREE OR THAT ANY ERRORS WILL BE CORRECTED. YOU ASSUME TOTAL RESPONSIBILITY AND RISK FOR YOUR USE OF THE SOFTWARE, INCLUDING, BUT NOT LIMITED TO ANY DEFECTS OR INACCURACIES THEREIN. 6. LIMITATION OF LIABILITY. IN NO EVENT SHALL FOUNDATION OR ITS LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL OR PUNITIVE DAMAGES OF ANY KIND OR NATURE, INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR LOSS OF DATA, FOR ANY REASON WHATSOEVER, WHETHER SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT (INCLUDING NEGLIGENCE OR STRICT LIABILITY), OR OTHERWISE, EVEN IF FOUNDATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES. IN NO EVENT SHALL FOUNDATIONS LIABILITY FOR DAMAGES ARISING FROM OR IN CONNECTION WITH THIS AGREEMENT EXCEED THE GREATER OF $500 OR THE AMOUNT PAID BY YOU FOR THE SOFTWARE. BECAUSE SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU. IN THE EVENT THAT APPLICABLE LAW DOES NOT ALLOW THE COMPLETE EXCLUSION OR LIMITATION OF LIABILITY OF CLAIMS AND DAMAGES AS SET FORTH IN THIS AGREEMENT, FOUNDATIONS LIABILITY IS LIMITED TO THE GREATEST EXTENT PERMITTED BY LAW. 7. INDEMNIFICATION. You shall defend, indemnify and hold harmless Foundation and its licensors and their respective directors, officers, agents, employees and volunteers from and against any and all claims, suits, losses, damages, costs, fees and expenses arising out of or in connection with this Agreement. You shall pay all costs incurred by Foundation in enforcing this provision, including reasonable attorneys fees and court costs. You agree that under no circumstances will Foundation indemnify you or any other person.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

367

8. TERM AND TERMINATION. The License will continue perpetually unless terminated by Foundation in accordance with this Agreement. If you breach any term of this Agreement and failure to cure such breach within thirty (30) days after receipt of written notice specifying the breach, this Agreement shall automatically terminate. Upon the termination of this Agreement, you shall immediately cease using the Software and provide Foundation with written certification of your compliance with the foregoing. The termination of this Agreement shall not relieve you of your obligations arising prior to such termination. Notwithstanding any provision in this Agreement to the contrary, Sections 5 through 7 shall survive the termination of this Agreement. 9. EXPORT CONTROLS. You shall observe all applicable United States and foreign laws and regulations (if any) with respect to the export, re-export, diversion or transfer of the Software, related technical data and direct products thereof, including, but not limited to the Export Administration Regulations. 10. THIRD PARTY SOFTWARE. You acknowledge and agree that the Software includes Java Standard Edition (the Technology) and you agree to be bound by the terms of the Sun Community Source License (Copyright 1994-2006 Sun Microsystems, Inc. All rights reserved). You also represent and warrant that you have obtained all appropriate trademark and other licenses from Sun. You also agree to install and use the Software on a product which (i) has a principle purpose that is substantially different from that of the stand-alone Technology; (ii) represents a significant functional and value enhancement to the Technology; (iii) operates in conjunction with the Technology; and (iv) is not marketed as a technology which replaces or substitutes for the Technology. In addition, you must brand your product with the applicable Java logo. GENERAL. You shall not assert against Foundation or its licensors any claim for infringement or misappropriation of any intellectual property rights in any way relating to the Software. This Agreement shall be governed by, construed and enforced in accordance with the laws of the State of California, excluding its rules governing conflicts of laws. In the event that any provision of this Agreement is deemed illegal or unenforceable, Foundation may, but is not obligated to, post on the Website a new version of this Agreement which, in Foundations opinion, reasonably preserves the intent of this Agreement. This Agreement is binding upon and shall inure to the benefit of Foundation and its successors and assigns. This Agreement represents the entire understanding of the parties, and superceded all previous communications, written or oral, relating to the subject of this Agreement. Exhibit A Dear Valued Customer, Thank you for choosing the Java Standard Edition platform technology (Java SE) with your FreeBSD Operating Environment (FreeBSD). Your license with FreeBSD and Sun Microsystems, Inc. (Sun) currently only permits you to use and distribute the FreeBSD and Java SE technologies within a limited, noncommercial field of use. In an effort to maximize your options for both platforms, the FreeBSD Foundation and Sun want to share with you the process for enabling you to make commercial use of the FreeBSD and Java SE technologies in a broader field if you so desire. I. Current Field of Use for Java SE You may currently redistribute the combined FreeBSD and Java SE technologies so long as it is bundled with or integrated in Java-enabled general purpose desktop computers and servers, pursuant to your license with FreeBSD Foundation and you have executed a Trademark License with Sun (see Section III below). You may not distribute Java SE in any other devices or fields of use, including, without limitation, embedded applications, embedded devices, cell phones, wireless devices, TV devices, telematics devices and home gateway devices.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

368

II. Additional Fields of Use Commercial Use If you are interested in using the combined FreeBSD and Java SE technology in a field-of-use other than "Java-enabled general purpose desktop computers and general purpose servers", you will need to sign an additional commercial use license with Sun permitting redistribution in the desired field of use. There are fees associated with the commercial use license. In order to obtain the additional license for review and execution, please send an e-mail to Freebsd_Sun_Info@sun.com with the following information: Name of the company; Name, Title, Contact information of the person that will execute the license, field-of use of the product, name of the product. After you receive confirmation from a Sun representative, you will receive the commercial license agreement permitting the additional field of use for Java SE. Please review, sign and send two originals of this agreement to your Sun representative. III. Trademark Licensee There are certain branding requirements associated with your use and distribution of Java SE that You must fulfill. You will also need to sign a Trademark License Agreement with Sun. There are no additional fees associated with the Trademark License Agreement. In order to obtain the Trademark License Agreement for review and execution, lease send an e-mail to Freebsd_Sun_Info@sun.com with the following information: Name of the company; Name, Title, Contact information of the person that will execute the license, field-of use of the product, name of the product. After you receive confirmation from a Sun representative, you will receive the Trademark License Agreement. Please review, sign and send two originals of the Trademark License Agreement to your Sun representative. Thank you for your attention regarding this matter. Sincerely, FreeBSD Foundation

Apache
This product (KBOX) includes software developed by The Apache Software Foundation (http:// www.apache.org/). Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions. “License” shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. “Licensor” shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. “Legal Entity” shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, “control” means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. “You” (or “Your”) shall mean an individual or Legal Entity exercising permissions granted by this License. “Source” form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. “Object” form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. “Work” shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

369

“Derivative Works” shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. “Contribution” shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, “submitted” means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as “Not a Contribution.” “Contributor” shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: a You must give any other recipients of the Work or Derivative Works a copy of this License; and b You must cause any modified files to carry prominent notices stating that You changed the files; and c You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and d If the Work includes a “NOTICE” text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

370

e You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

OpenLDAP
This product (KBOX 1000 Series) includes software developed by The OpenLDAP Foundation. The OpenLDAP Public License, Version 2.8, 17 August 2003. Redistribution and use of this software and associated documentation. (“Software”), with or without modification, are permitted provided that the following conditions are met: 1. Redistributions in source form must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

371

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.

OpenSSL
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.

OpenSSL License

Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

372

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Original SSLeay License

Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.

This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related :-). 4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

373

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]

Exim
GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Preamble

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

374

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that Refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

375

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

376

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

377

NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS

Samba
GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

378

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that Refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

379

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

380

c Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

381

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

382

OVAL
Berkeley Software Design, Inc. License Copyright (c) 2005, The MITRE Corporation All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

PHP
This product (KBOX) includes software developed by The PHP Group. The PHP License, version 3.0. Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name “PHP” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called “PHP”, nor may “PHP” appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying “Foo for PHP” instead of calling it “PHP Foo” or “phpfoo”. 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

383

6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes PHP, freely available from <http://www.php.net/>”. THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via E-mail at group@php.net. For more information on the PHP Group and the PHP project, please see http://www.php.net. This product includes the Zend Engine, freely available at http://www.zend.com.

Sendmail
This product (KBOX) includes software developed by Sendmail, Inc. SENDMAIL LICENSE The following license terms and conditions apply, unless a different license is obtained from Sendmail, Inc., 6425 Christie Ave, Fourth Floor, Emeryville, CA 94608, USA, or by electronic mail at license@sendmail.com. License Terms: Use, Modification and Redistribution (including distribution of any modified or derived work) in source and binary forms is permitted only if each of the following conditions is met: 1. Redistributions qualify as “freeware” or “Open Source Software” under one of the following terms: a Redistributions are made at no charge beyond the reasonable cost of materials and delivery. b Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a copy of the Source Code for up to three years at the cost of materials and delivery. Such redistributions must allow further use, modification, and redistribution of the Source Code under substantially the same terms as this license. For the purposes of redistribution “Source Code” means the complete compilable and linkable source code of sendmail including all modifications. 2. Redistributions of source code must retain the copyright notices as they appear in each source code file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below. 3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other materials provided with the distribution. For the purposes of binary distribution the “Copyright Notice” refers to the following language: “Copyright (c) 1998-2003 Sendmail, Inc. All rights reserved.” 4. Neither the name of Sendmail, Inc. nor the University of California nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission. The name “sendmail” is a trademark of Sendmail, Inc.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

384

5. All redistributions must comply with the conditions imposed by the University of California on certain embedded code, whose copyright notice and conditions for redistribution are as follows: a Copyright (c) 1988, 1993 The Regents of the University of California. All rights reserved. b Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: (i) Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. (ii) Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. (iii) Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 6. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY SENDMAIL, INC. AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SENDMAIL, INC., THE REGENTS OF THE UNIVERSITY OF CALIFORNIA OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

#ZipLib
The license is released under the GPL with an exception which allows the linking to non GPL programs. The exception to the GPL is as follows: Linking this library statically or dynamically with other modules is making a combined work based on this library. Thus, the terms and conditions of the GNU General Public License cover the whole combination. As a special exception, the copyright holders of this library give you permission to link this library with independent modules to produce an executable, regardless of the license terms of these independent modules, and to copy and distribute the resulting executable under terms of your choice, provided that you also meet, for each linked independent module, the terms and conditions of the license of that module. An independent module is a module which is not derived from or based on this library. If you modify this library, you may extend this exception to your version of the library, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

385

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

Preamble

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

386

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that Refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

387

c Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

388

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

389

Other Copyrights
Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Copyright (c) 1998-2003 Sendmail, Inc.; All rights reserved.

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

390

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

391

Index
A
Adding computers to inventory 65 Adding Software to Inventory 68 Administrator Console 2, 3 Advanced Search - Computer Inventory 56 Advanced Search - Software Inventory 66 Agent Customization 351, 354 Alert Messages 238 AMP Message Queue 51 AMP Settings 24 AppDeploy Live 329 AppDeploySM Live 76 Asset Association 88 Asset Management 87 Managing Assets 91 Asset Types 87 Auto Provisioning 31

B
Backing up KBOX 1000 Series data 295 Downloading backup files 295

C
Client bundle 49 Client Check-In Rate 9, 273 Clients Connected 11 Common Deployments on Linux 115 Standard RPM Example 115 Standard TAR.GZ Example 119 Common Deployments on Macintosh® 124 Common Deployments on Solaris™ 120 Standard TAR.GZ Example 123 Common Deployments on Windows 110 Standard EXE Example 114 Standard MSI Example 110 Standard ZIP Example 114 Compression mode 114 Computer Asset 88 Computer Details 58 Activities 62

Failed Managed Installs 62 Help Tickets 62 Labels 62 To Install List 62 Asset 64 Asset History 64 Asset Information 64 Related Assets 64 Inventory Information 59 Hardware 59 KBOX Agent 60 Network Interfaces 60 Notes 61

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

392

Operating System 61 Printers 60 User 61 Logs 63 KBOX Agent Logs 63 Portal Install Logs 64 Scripting Logs 64 Security 63 Oval Vulnerabilities 63 Patching Detect/Deploy Status 63 Threat Level 5 List 63 Software 61 Custom Inventory Fields 62 Installed Patches via Inventory 62 Installed Programs 61 Running Processes 62 Services 62 Startup Programs 62 Uploaded Files 62 Summary 58 Computer Notifications 57 Computer statistics 13, 275 Computers 290 Configuration Policies 157 Conventions xiii Custom Data Fields 71 Custom Inventory ID (rule) 69 Customize download page 137 CVE 179 D
Daily Run Output 354 Database Tables 337 Date & Time Settings 26 Default Role 284 Delete a configuration 40, 41 Deployment Options 15 Desktop Settings Desktop Settings 158 Desktop Shortcuts Wizard 159 Detect and Deploy Patches 172 Digital Asset 72 Disable a configuration 42 Disk log status data 303 Distribution 103 Distributing Packages through an Alternate Location Distributing Packages through KBOX 104 Types of Distribution Packages 104 DNS 4 Download Location 105 Duplicate a configuration 40

105

E
Edit Mode Link xiii E-mail Alerts 239 Enable a configuration Enable Tether xvii

41
393

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

Escalation process 221 Event Log Reporter 160

F
Factory settings 297 File Synchronizations 124

G
General settings 16 Generating Reports 94 Global Search 14

H
Help Desk 206 Help Desk E-mail 213 Help Desk fields 210 Category Values 210 custom value fields 212 Help Desk Customization page Impact values 212 Priority values 211 Status Values 210 Ticket List View 213 Help Desk Reports 223 Help Desk Tickets 217 Helpdesk Queues 207 Home Module 9

210

I
Importing Asset 95 Installation Parameters 106 Inventory 55 IP Scan 97 iPhone 131 Administrative Access 131, 132 Asset Collection Script 134 Collection Settings Configuration 133 Configuration 135 Configuration Profiles 132 Profile Details 132

J
JumpStart Program

xvii

K
KACE Professional Services xviii KBOX Agent Update 47 Agent Patches 48 Update KBOX Agent Automatically KBOX Appliance Components 2 KBScriptRunner 45 Knowledge Base 197

47

L
Labels 84 LDAP Browser 243 LDAP Browser Wizard 245 LDAP Easy Search 244 LDAP Filters 247

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

394

License Compliance License key 298 Licensing 93 Log-in Script 16 Logs 301

11

M
Macintosh® Users 322 AppDeploy Live 329 Asset Management 329 Distribution 324 Inventory 323 Logs 329 Patching 328 Reporting 329 User Portal and Help Desk 328 Manage Enterprise Distribution 132 Managed Installations 106 Windows Platform 107 Managed Operating Systems 12 Manual Deployment of KBOX Agent 342 Linux 343 Macintosh® 347 Solaris 345 Manual Provisioning 34, 37 McAfee SuperDAT Updater 189 MIA Computers 83 MIA Settings 83 Minimum server version 297 Mobile UI into KBOX 137 MSI Installer policy 160 Multiple Machine Provisioning 29

N
Network Scan Summary Network Settings 258 Network Utilities 268

14, 276

O
Organizational Components 3 Organizational Filters 287 Data Filter 287 LDAP Filter 287 Organizational Roles 284 Organizations 278 OVAL 179 OVAL definitions 300 OVAL Reports 183 OVAL Settings and Schedule 182 OVAL Tests 180

P
Patch Bulletin Information 13, Patch Definitions 299 Deleting 299 Enhanced Content 299 Updating 299 Patching 167 Advanced Search 170 Enhancements 168 Patch Label 171

276

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

395

Patch Listing 169 Quality Assurance 167 Reports 176 Saved Search 170 Subscription Settings 169 Workflow 168 Processes 77 Provisioned Configurations 40 Provisioning Results 42, 43

Q
Quarantine Policy 190 Lift Quarantine Action

191

R
Rebooting KBOX 300 Redirecting computer(s) 291 Refiltering computer(s) 291 Registry Settings 157 Remote behavior 158 Replication 127 Replication Enhancements in KBOX Agent 4.3 Replication Share Details 129 Replication Share for patches 176 Reports 226, 308 Types of Reports 226, 308 Restoring KBOX 1000 Series Settings 296 Roles 203 Run Now Function 154

130

S
Satisfaction survey 222 Scheduled Scans 97 Script Detail 155 Scripting 143 Adding Scripts 145 Duplicating an existing script 153 Duplicating scripts 153 Editing Scripts 150 Importing scripts 152 Scripting Log Files 156 Search Filters - Computer Inventory 56 Search Filters - Software Inventory 67 Security 179 Security Policies 184 Disallowed Programs Settings 187 Internet Explorer Settings 184 McAfee AntiVirus Settings 188 Symantec AntiVirus Settings 189 XP SP2 Firewall Settings 186 Security Settings 262 Server Network Configuration 5 Server update 298 Service 81 Setting up your first KBOX Agent 14 Setting Up Your New KBOX server 4 Setup Location 4 Shutting down KBOX 300 Single Sign-On 269 Software Asset 71 Software Deployment Components 3 Software Distribution Summary 13, 275

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

396

Software Inventory 66 Software Library 195 Software Metering 74 Software statistics 13, 275 Software Threat Level 10 SSL Certificate Wizard 23, 264 Startup 79 Steps for Task sections 331 Summary 9 Support xiv Support page xiv Support ticket xv System Console 2 System Console Users 260 System requirements 29

T
Tasks In Progress 12 Test Organization Filter 290 The KBOX Modules 6 The KBOX Summary 273 Ticket Attributes 218 Ticket Rules 214 Token Replacement Variables Troubleshooting Tools 268

153

U
UltraVNC Wizard 162 Un-Installer 163 Unpacking the Appliance 4 Upgrading KBOX 294 Use Markdown 198 User Authentication 249 User Portal 3, 194 Administrator view 194 End user view 194 Users 199 Adding users automatically 201 Adding users manually 199 Importing users 201

V
Version

13

W
Wake-on-LAN 140 Troubleshooting Wake-on-LAN 141 Wake-on-LAN Request 140 Web Server Load 274 Windows Automatic Update Settings 164 Windows Debugging 302 Windows Update Policy 176

Administrator Guide for KBOX 1000 series, version 4.3 - 1200

397

Sign up to vote on this title
UsefulNot useful