SYSTEMS MANAGEMENT. Partner Guide


Content

1. PROLOGUE
   Audience. Icons.
2. INTRODUCTION
   Main features of Systems Management. Systems Management User Profile. Main components. Key players of Systems Management.
3. HIERARCHY OF LEVELS WITHIN THE SYSTEMS MANAGEMENT CONSOLE
   System Level. Profile Level. Device Level.
4. BASIC COMPONENTS OF THE SYSTEMS MANAGEMENT CONSOLE
   General Menu. Tab Bar / List Bar. Icon Bar / Action Bar. Filters and Groups panel. Dashboards.
5. DEVICES
   Downloading the Systems Management agent to the devices on the client's network. Installing the Systems Management Agent on Mac OS X and Linux platforms. Installing the Systems Management agent on Windows platforms. Installing the Systems Management Agent on Android and iOS. Approving devices. Configuring a Connection Broker. Viewing device information. Managing the resource consumption of the devices.
6. FILTERS AND GROUPS
   What are Groups and Filters? Types of Groups and Filters.
7. HOW TO EFFICIENTLY ADMINISTER THE MANAGED DEVICES
   Differences between Profiles, Groups and Filters. General approach and device management structure. Quick view of device information.
8. THE FIRST 8 STEPS TO START USING SYSTEMS MANAGEMENT
   Create and configure the first Profile. Deploy the Systems Management Agent. Check the device list in the Profile and basic Filtering. Hardware, software and license audit. Patch Management. Create Monitors. ComStore. Access remote managed device resources.
9. POLICIES
   What are Policies? How to define a System Policy. How to define a Profile Policy. Policy types. How to deploy a Policy.
10. MONITORING
   What is it? Composition of a Monitor. Manual creation of Monitors. Automatic creation of Monitors.
11. COMPONENT EXECUTION
   Why develop components? What are the requirements for developing components? General architecture of Systems Management components. Create a Monitor component. Create a Script type component.
12. ASSETS AUDIT
   Hardware audit at Profile Level. Software audit at Profile Level. Audits at Device Level.
13. CENTRALIZED SOFTWARE DEPLOYMENT AND INSTALLATION
   Package deployment and installation procedure. Centralized software installation requirements. Objective of centralized software installation. Deployment examples. Save bandwidth in software deployment.
14. TICKETING
   What is the Ticketing system? Description of a Ticket. Create a Ticket. Ticket Management.
15. PATCH MANAGEMENT
   What is Patch Management? What patches can I deploy / apply? Patch deployment and installation. Audits.
16. USER ACCOUNTS AND ROLES
   What is a User account? What is a Role? Why are Roles necessary? The accountadmin Role. Access User account and Role configuration. Create and configure User account. Create and configure Roles. Configure Roles. How many different Roles are needed?
17. MOBILE DEVICE MANAGEMENT
   Which platforms are supported? Mobile Device Management Policies. Tools for remotely managing mobile devices.
18. SECURITY AND CONTROL OVER ACCESS TO THE SYSTEMS MANAGEMENT SERVICE
   Two-factor authentication. Essential requirements. Settings. Enabling Two Factor Authenticator for all accounts. Password policy. Systems Management console IP Address Restriction. Agent IP Address Restriction.
APPENDIX A: Source code
APPENDIX B: COMPATIBLE PLATFORMS

1. Prologue

This guide contains basic information and procedures of use to get maximum benefit from the product Systems Management.

Audience

This documentation is written for technical staff that offer support services to Users without IT knowledge and in two possible environments:

- The IT Department which wishes to professionalize the internal support it provides to the rest of the company.
- The Managed Service Provider (MSP), which currently provides services to its client accounts onsite, remotely, reactively or proactively.

Icons

This guide contains the following icons:

- [i] Additional information, for example, an alternative method for performing a particular task.
- Suggestions and recommendations.
- [!] Important and/or useful tips for using Systems Management.

2. Introduction

Systems Management is a cloud-based remote device Monitoring and management solution for IT departments that want to offer a professional service, while minimizing User disruption.

Systems Management increases efficiency through centralized and straightforward management of devices, while promoting task automation. The overhead costs dedicated to serving each client or account are reduced as Systems Management:

- Requires no additional infrastructure on-site, as the solution is hosted in the cloud.
- Has a very gentle learning curve for technical support, allowing you to deliver value from day one.
- Provides tools accessible from anywhere, anytime, allowing you to manage support remotely and avoiding wasted time and money by eliminating the need to travel to those sites.
- Automates tasks and responses, triggered by configurable Alerts that prevent failures before they occur.

Systems Management is a product that promotes collaboration among the technicians in charge of providing support and minimizes or completely eliminates the time spent interacting with the User to determine the cause of problems.

Main features

The following are the most important features of the product:

Feature: Description

- Cloud-based solution: No additional infrastructure at the client or the MSP / IT Department site. Manage all your devices anytime, anywhere.
- Managed via agent for compatible devices: Extremely light agent for compatible devices with Windows, Linux, Mac OS X, Android and iOS.
- Managed without agent: Managed via SNMP for those devices on which it is not possible to install the Systems Management Agent, such as printers.
- Automatic detection of devices: A Systems Management Agent installed on a single device can detect other devices connected to the same network and initiate automatic installation.
- Scheduled and custom audits: Track all changes to the device (hardware, software and system).
- Reports: Send scheduled or special Reports via email. Find out who does what, when, and who uses most of those resources.
- Collaborative environment: Manage incident allocation, status and documentation with the Ticket System. Simplify creation of an intervention history with Device Notes. Communicate live with the end User through the IM Messaging service.
- Activity log: History of all administrators' activity in the Systems Management Console.
- ComStore: Extend the capabilities of the platform. Select and download the components you need.
- Mobile Device Management (MDM): Supports iOS and Android, allowing monitoring and management of smartphones and tablets, configuring settings and user policies, geolocation of devices and safeguarding of data should the device be stolen or lost.
- Software license management: Keep track of all software installed.
- Alerts and Monitoring: Monitor CPU usage, memory and disk space, services and Exchange Servers, performance graphs, panel Alerts... all in real time.
- Create scripts and quick Jobs: Create your own scripts, download our pre-configured scripts from the online ComStore and deploy either on a scheduled basis or as an automatic response to an Alert. All at a click.
- Patch management: Automate deployment of updates and patches of the software installed.
- Software deployment: Centralized update and software deployment.
- Policies: Define a set of general settings to manage your IT environment in a flexible manner.
- Remote access: Task manager, file transfer, registry editor, command prompt, event log viewer, etc. All of these integrated tools enable you to repair multiple devices without interrupting the Users.
- Remote control: Shared access to the User's desktop or total control. Supports firewalls and NAT.
- Secure communications: All communications between the Agents and the Systems Management Server are encrypted (SSL).
- Service access control: Ensures secure access to the Console by the service administrator with Two-factor authentication and with other resources that restrict access from devices to the Server.

User Profile

Most Systems Management Users will have a medium-high technical Profile, as this tool provides daily maintenance of computing devices subject to constant use and change. However, there are two specific, targeted user groups of Systems Management:

- Enterprise level IT technicians: Technicians subcontracted or belonging to a company to offer a company-wide support service for devices and end-users. These scenarios often include remote offices to which access is restricted, so technicians must use Monitoring tools and remote access, and roaming Users or Users who work outside the office, which makes them vulnerable to all types of problems with their devices.
- Managed Service Provider (MSP) technicians: Technical staff employed by a company to provide a professional service to client accounts that have decided to outsource or subcontract the IT Department for maintenance of their devices.

Main components

SYSTEMS MANAGEMENT CONSOLE

A web portal accessible via compatible browsers, from anywhere, anytime with any web enabled device. Most of the daily tracking and Monitoring tasks will be performed from this console via a browser. This resource is available to technical support only.

SYSTEMS MANAGEMENT AGENT

This is a small (3 MB) program installed on all supported devices to be managed. After installing the Systems Management Agent on the device, its information will become directly accessible through the Systems Management Console.

For devices such as printers, on which it is impossible to install a Systems Management Agent, Systems Management can collect status information and display it in the Systems Management Console using the SNMP protocol. For more information, see Chapter 5: Devices, Management of devices not supported by the Systems Management Agent section.

The Systems Management Agent supports two execution modes:

- Administration Mode: In this mode, which is the usual mode, the agent is barely noticeable to the end-user and access to some specific settings can be delegated by the administrator.
- User Mode and Monitor Mode: After entering valid credentials, the network administrator can use the Systems Management Agent in to access remote devices.

Install the Systems Management Agent on both client devices and those belonging to the technicians for remote management.

SYSTEMS MANAGEMENT SERVER

The Systems Management Console, the processes required to collect, synchronize and redirect messages, events, and information flows generated by the Systems Management Agents and the databases that support them are all hosted on a cloud-based Systems Management Server and are available 24 hours a day.

The status information that flows from each of the devices to the Systems Management Server is highly optimized so that the impact on the client's network is negligible. This information is sorted and consolidated in the Systems Management Server so that it is displayed as a flow of events to diagnose and even efficiently foresee problems on managed devices.

Key players

IT ADMINISTRATOR / ADMINISTRATOR / MANAGED SERVICE PROVIDER / MSP / IT DEPARTMENT / SUPPORT TECHNICIAN / TECHNICAL TEAM

These terms include all those who have access to the Systems Management Console, regardless of the privilege level associated with the credentials supplied. These are the technical staff from the IT department of the company that opts for Systems Management to manage and Monitor its systems, or the MSP staff who access the client's devices to manage and Monitor them.

SYSTEMS MANAGEMENT ADMINISTRATION ACCOUNT / PRINCIPAL ADMINISTRATION ACCOUNT

Each client or company using Systems Management will be given a Principal administration account: an Account with the highest level of privileges that can manage all the resources of the product. Chapter 16: User account and roles describes how to create new Users and Roles in order to restrict the access of systems technicians to key Systems Management resources.

In Chapter 18: Security and control over access to the service you can see how to configure Two-Factor Authentication to access the Systems Management Console.

Each Principal administration account belongs to a secure and separate product instance. Therefore, all of the settings of a Systems Management client and all of the devices managed will not be accessible or visible to other administration accounts.

CLIENT ACCOUNT / CLIENT

A client account is a contract between the Managed Service Provider and a company that comes to them with the intention of outsourcing their day to day IT Support needs. Except in Chapter 16: User account and roles, in this manual "account" has an organizational meaning: for the MSP, it is equivalent to a set of devices related to one another by belonging to the same client network that will require maintenance.

USER

The User is the person using the device that requires direct support from the MSP or IT department.

DEVICE

A device is a computer that has the Role of either client or server, which has a Systems Management Agent installed or is managed indirectly via SNMP.

3. Hierarchy of levels within the Systems Management Console

In order to separate management of the devices of different client accounts and reuse and restrict procedures defined by technical staff in the Systems Management Console, and to expedite and refine management, Systems Management provides three entities / Group levels / operation levels. From the most general to the most specific, these are the following:

- System level
- Profile level
- Device level

System Level

What is it?

System Level, also referred to as Account or Account level entity cluster, is the most general and highest level, and is also unique for each MSP / IT Department. It automatically groups all devices managed by the MSP / IT Department belonging to their clients and Users with a Systems Management Agent installed.

Scope

The actions performed on this level will affect all devices registered on the system, although they can be limited to a subset of devices using Filters and Groups, described in Chapter 6: Filters and Groups.

Access

The System Level resources are accessed from General Menu, System.

Functionality

System Level can perform global actions. Therefore, you can obtain the status of all managed devices, consolidated Reports on your environment and actions on all or part of the registered devices.

Settings

The System Level settings include a wide range of parameters that are dealt with in several chapters throughout this guide. Below you will find a complete list of all the options in the General Menu, Account, Settings and a short description of each one.

Parameter: Description

- Password Policy: This lets you set password policies. See Chapter 18: Security and control over access to the Systems Management service for more details.
- Access Control: Lets you set advanced access controls for the Console and the service. See Chapter 18: Security and control over access to the Systems Management service for more details.
- Power Rating: Lets you set power consumption parameters (in Watts) for each type of device in order to calculate monthly consumption. See Chapter 5: Devices for more details.
- Agent Deployment Credentials: Lets you set the credentials required for remotely installing the Agent. See Chapter 5: Devices for more details.
- End-User Ticket Assignee: Indicates the account to which users send the tickets that are opened directly from the Agent. See Chapter 14: Ticketing for more details.
- Variables: Variables passed to the scripts run on the devices. See Chapter 11: Component execution for more details.
- Custom Labels: Lets you define the names of the labels used to collect the results of the scripts run on the devices. See Chapter 11: Component execution for more details.
- Custom Agent Settings: Lets you define how the Agents will perform as the Connection Broker. See Chapter 5: Devices for more details.
- Agent Update Settings: Prevents or allows the automatic updates of the Agents installed.
- Mail Settings: Lets you configure the source/target account for emails sent by the Server to service administrators.
- Mail Recipients: Lets you configure the accounts that will receive warnings, reports and notifications of new devices administered by Systems Management.
- Update Profile Variables: Variables passed to the scripts run on the devices.
- Apple Push Certificate: Lets you configure the certificate required to administer Apple mobile devices. See Chapter 17: Mobile device management for more details.
- Reset Columns Display: Lets you restore the default settings to display basic information about the devices managed. See Chapter 5: Devices for more details.

Profile Level

What is it?

Profile Level is a grouping entity immediately below System. It is a logical grouping that contains the devices that belong to the same client account or office. The Profiles list can be accessed from General Menu, Profiles. Each Profile is associated with a number of configurations accessible from Tab Bar, Settings in the Systems Management Console, which, in turn, are bundled with the Systems Management Agent.

Scope

The procedures triggered at Profile Level can affect all devices belonging to that Profile, while some actions can be restricted to a subset of devices using Filters and Groups, described in Chapter 6: Filters and Groups. Unlike System Level, which is unique, the administrator can create as many Profile Groups as needed.

Membership

Membership of a given device to a Profile is determined when installing the Systems Management Agent. Download the Systems Management Agent from the chosen Profile page so that when installed on the User's device, it will be automatically added to the Profile in question in the Systems Management Console. For further details, see Chapter 5: Devices.

You can move devices from one Profile to another from the Systems Management Console after you have installed the Systems Management Agent on the User's device.

In order to minimize the tasks required in the distribution phase, it is advisable to first create the Profile and then download the Systems Management Agent from there so that the relation between the devices and the Profile is automatic.

Functionality

Profile Level can perform actions on all of the devices it contains. In this way, you can obtain the status of devices, consolidated Reports and tasks to perform on all or some of the devices which make up the Profile.

Settings

The Profile Level settings also include a wide range of parameters that are described in several chapters in this guide. Some of these coincide with some of the parameters defined at System Level, in which case the latter shall have priority. Below is a complete list of all options, noting the chapters in which they are described if applicable.

Parameter: Description

- General: General Profile information: name, internal identifier, description and types of devices hosted.
- Power Rating: Lets you set power consumption parameters (in Watts) for each type of device in order to calculate monthly consumption. See Chapter 5: Devices for more details.
- Proxy: Lets you set the proxy details for network users without a direct Internet connection. See Chapter 5: Devices for more details.
- Agent Deployment Credentials: Lets you set the credentials required for remotely installing the Agent. See Chapter 5: Devices for more details.
- Connection Broker: Lets you define how the Agents will perform as the Connection Broker. See Chapter 5: Devices for more details.
- Local Caches: Lets you assign the role of cache to one of the network devices. This saves bandwidth during software deployment. See Chapter 13: Centralized software deployment and installation for more details.
- End-User Ticket Assignee: Indicates the account to which users send the tickets that are opened directly from the Agent. See Chapter 14: Ticketing for more details.
- Variables: Variables passed to the scripts run on the devices. See Chapter 11: Component execution for more details.
- Credentials: This is for setting the credentials for software deployment. See Chapter 13: Centralized software deployment and installation for more details.
- Custom Labels: Lets you define the names of the labels used to collect the results of the scripts run on the devices. See Chapter 11: Component execution for more details.

Device Level

What is it?

This represents a single node, end-point, or device with a Systems Management Agent installed and reporting to the Systems Management Server. Devices are created automatically in the Systems Management Console as Agents are installed on the client's devices or as devices come under indirect management through SNMP.

Scope

All actions performed at this level affect only the selected device.

Functionality

Device Level can perform actions on a particular device. This way you can get detailed lists from the device as well as Reports and actions.

4. Basic components of the Systems Management Console

The Systems Management Console is structured in an intuitive and visual manner, so that most management resources are just a click away, avoiding the clutter of unnecessary checkboxes and settings.

The goal is a Systems Management Console which is clean, quick and convenient to use, while avoiding, wherever possible, full page reloads and offering a gentle and short learning curve so that the IT department can deliver value to a client from the outset.

The basic components of the Systems Management Console to which we will refer throughout this guide are:

GENERAL MENU

This menu is accessible from anywhere in the Systems Management Console. It consists of 6 entries:

Elements:

Menu: Description

- System: Access to System Level.
- Profiles: Access to Profile Level.
- Components: Access to components downloaded by and accessible to the administrator.
- ComStore: Repository of components created by Panda Security that extend the functionality of Systems Management.
- Scheduled Jobs: List of active and finished Jobs.
- Scheduled Reports: List of configured and default Reports.
- Help Center: Help center with links to Panda Security resources.
- Account: Access to the details of the Principal administration account and to resources for creating new Roles and Users. For more information, see Chapter 16: User account and roles.

TAB BAR / LIST BAR

The Tab Bar, also called the List Bar, provides access to the tools available in the Systems Management Console for generating and presenting consolidated lists on-screen, with details of the status of the devices belonging to the level accessed. It also allows configurations to be defined and viewed.

This bar is slightly different depending on whether it is accessed from Profile Level, System Level or Device Level for a specific device, as each management scope is also different.

The scope of the Tab Bar refers to the current level. Therefore, if you go to the Tab Bar at System Level, you'll see consolidated information on all Devices. If you access it at Profile Level, it will show consolidated information on the devices in the Profile. If you access it at Device Level, it will only show information for that particular device.

Components:

Tab (accessible from): Description

- Summary (Profile, Device): Status information.
- Dashboard (System): General control panel.
- Devices (Profile): List of devices accessible with associated information.
- Audit (System, Profile, Device): Hardware, software and license audit list.
- Manage (System, Profile, Device): List of patches pending and applied.
- Monitor (System, Profile, Device): List of Alerts created by Monitors or finished Jobs.
- Support (System, Profile, Device): List of Tickets generated.
- Report (System, Profile, Device): List and generation of on-demand Reports.
- Policies (System, Profile, Device): List and generation of Policies, described later.
- Settings (Profile): Configuration associated to the Profile.
- Suspended devices (System): List of uninstalled Devices.

ICON BAR / ACTION BAR

The Icon Bar or Action Bar accesses actions to change the status of the devices. This bar does not exist in General Menu, System and varies slightly if accessed from General Menu, Profile or a specific device, as the management scope is different.

The scope of the Icon Bar is the set of devices manually selected in a Profile.

[!] If you want to perform actions at System Level, you will need to create a Filter or Group, as System Level does not display the Icon Bar by default.

Elements:

Icon (accessible from): Description

- Move Device to (Profile, Device): Move the selected device or devices to another Profile.
- Add Device to (Profile, Device): Move the selected device or devices to a Group.
- Edit (Profile): Add notes and custom fields to the selected devices that can be used by Filters.
- Toggle (Profile): Mark devices as favorite for quick access from Summary / Dashboard.
- Delete (Profile, Device): Delete a Device from a Profile. The device will no longer be managed, the Systems Management Agent will be uninstalled and the device will be added to the Suspended Devices Tab under General Menu, System.
- Request audit (Profile, Device): Force the launch of an audit. For more details see Chapter 12: Assets Audit.
- Schedule Job (Profile, Device): Create a scheduled Job for a later date.
- Run a Quick Job (Profile, Device): Create and run a Job already created.
- Download (Profile): Download the list of devices in the Profile.
- Add/Remove Cache (Profile, Device): Mark the device as network cache.
- Turn Privacy On (Profile, Device): Prevent remote access to the devices by the administrator unless approved by the User.
- Send a message (Profile, Device): Send a message to the selected devices.
- Schedule Reports (Profile): Schedule Reports for a later date.
- Refresh (Profile, Device): Refresh the data on the screen.
- Show device(s) on Google Map (Device): Geolocation of devices on a map.
- QR Code (Device): QR code associated to the device for paper auditing.
- Refresh the current view (Profile, Device): Reloads the list of devices displayed or the specific device.

FILTERS AND GROUPS PANEL

The left of the Systems Management Console contains three panels with different groups:

- Default Filters: Filters automatically generated by the system.
- Profile Filters / System Filters: device Filters created by the administrator at Profile Level or System Level, respectively.
- Profile Device Groups / System Device Groups: device Groups created by the administrator at Profile Level or System Level, respectively.
- System Profile Groups: only available at System Level, these are Groups of various Profiles.

DASHBOARD

It collects general information on the status of all devices: Notifications, Jobs, Alerts, etc.

The Dashboards reflect the status of a set of devices. There are four types of Dashboard.

SYSTEM DASHBOARD

Accessible from General Menu, System, clicking System Dashboard.

SECURITY STATUS

Accessible from General Menu, System, it reflects the security status of all managed devices.

SUMMARY (PROFILE)

Accessible from General Menu, Profile and by selecting a specific Profile. It reflects the status of all the devices that belong to the selected Profile. There will be a Summary Dashboard for each Profile created.

SUMMARY (DEVICE)

Accessible from a Device. It reflects the status of a specific device. There will be one for each managed device.

5. Devices

In an environment managed by Systems Management, a device is a computer that can be accessed from the Systems Management Console for remote management and maintenance. All devices managed by Systems Management send and receive information that the Systems Management Server collects, catalogs and displays in real-time in the Systems Management Console.

[i] See Appendix B to see the platforms that support installation of the Systems Management Agent.

There are three possible forms of communication between the Systems Management Server and any given device:

- Directly, by installing the Agent on supported platforms (see Appendix B). In this scenario Agents connect directly to the Internet and communicate with the Server without proxies.
- Indirectly via a proxy, for those devices without a direct Internet connection. Later in this chapter we describe how to configure a proxy.
- Indirectly via SNMP. For devices on which it is not possible to install the Systems Management Agent, another device on the same subnet with the Systems Management Agent installed can be used as a relay or gateway and communicate with the device via SNMP. This way, the gateway device receives commands from the Systems Management Server and converts them to the SNMP protocol before sending them to the device without the agent installed. For the response from the device, the same Systems Management Agent reverses the conversion to deliver information from the incompatible device to the Systems Management Server.

[i] The discovery of manageable devices using SNMP is an automatic task. See Management of unsupported devices (printers) later in this chapter. See Chapter 12: Assets Audit for information about the process of discovering assets.

DOWNLOADING THE SYSTEMS MANAGEMENT AGENT TO THE DEVICES ON THE CLIENT'S NETWORK

The download process varies slightly depending on the platform, although in all cases the Systems Management Agent sent to the User's devices requires certain basic information to be able to operate once installed:

- The Profile to which it will belong.
- The essential information it will need to connect with the Systems Management Server.

Profile to which the Systems Management Agent belongs

In order to keep all managed devices organized, they must be put in the appropriate Profile within the Systems Management Console.

For desktop platforms (Windows, Linux and Mac OS X), the Profile to which the device belongs is set automatically when the Systems Management Agent generated from the Profile is installed. This avoids having to manually configure the Systems Management Agent on each of the User's devices.

For mobile platforms (tablets and smartphones), the Profile that the Systems Management Agent belongs to must be entered manually through a configuration file provided by the Systems Management Server. See the section Installing the Systems Management agent on Android and iOS platforms later in this chapter.

Essential information for connecting to the Systems Management Server

In addition to belonging to the Profile designated by the administrator, the newly installed Systems Management Agent requires Internet connection information in order to communicate with the Systems Management Server.

On most IT infrastructures, Internet access only requires a basic TCP/IP configuration established by the operating system installed on the User's device, which the Systems Management Agent will use for communications.

For network configurations that have a proxy for Internet access, the Systems Management Agent will need this information, which will have to be entered manually or globally, by entering it in the Profile. This can be done from Profiles in the General menu: select the Profile to which the newly installed device belongs, then select the Tab Bar, Settings and enter the required data in the Proxy section.

Once this information has been entered, all Systems Management Agents installed from this Profile will have this proxy data.

Sending the Systems Management Agent via email

To start sending the Systems Management Agent via email to any supported device, go to the General menu, Profiles, select the Profile with the devices you want to manage and, in the Tab Bar, Devices, click Add Device.

You will see a dialog box with all the platforms supported by the Systems Management Agent: Windows, Mac OS X, Linux, iOS and Android. Once you've selected the platform, you'll be asked for the email addresses of the Users of the devices to be managed, separated by a semi-colon (;).

Depending on the platform, the User will receive an email with the Systems Management Agent in an attachment (Windows, Mac OS X and Linux), or with a link to download it from Google Play or Apple Store.

[!] Unmodified mobile platforms only allow apps to be downloaded from the corresponding app store. For this reason, the only certified method for delivering the Systems Management Agent to tablets and smartphones is by emailing the URL for the app in the app store.

Sending the download URL via email

You can use the same procedure for sending an email with the download URL for Windows, Mac OS X and Linux. In this case the User will receive a URL from which they can start downloading the Systems Management Agent.

Direct download

Administrators can download the Systems Management Agent from the Systems Management Console, then distribute it manually or using distribution tools such as Active Directory. To do this, use the same procedure but click the platform icon.

INSTALLING THE SYSTEMS MANAGEMENT AGENT ON WINDOWS PLATFORMS

The Systems Management Agent can be downloaded in three ways:

- Sending the Systems Management Agent via email
- Sending the download URL via email
- Direct download

Once you've received or downloaded the Systems Management Agent, you only need to double-click the downloaded package. There is no confirmation and the process is completely silent. The installed Systems Management Agent will connect to the Systems Management Server automatically and will appear in the list of managed devices in the Profile selected from the Systems Management Console.

Given that installing the Systems Management Agent on networks with many devices can be a long and tedious process if you have to do it independently on each device, the process can be streamlined with the Remote deployment function, following the steps below:

- Send the Systems Management Agent to the first Windows device on the network using any of the methods described.
- Once installed, use the Remote deployment function to deploy the agent to the rest of the Windows devices on the network from the Systems Management Console.
- From the Audit tab, select the devices discovered by the installed Agent within the network segment and click the Deploy Agents icon.

Given that remote installation of an Agent is a process that creates services on the device and needs to be configured in order to be launched whenever the operating system is started, remote installation has to be done with administrator (or equivalent) permissions. The domain account used for the installation is configured in the Settings tab of the Profile corresponding to the devices. Enter the user name and password of the domain administrator in the Agent Deployment Credentials section.

INSTALLING THE SYSTEMS MANAGEMENT AGENT ON MAC OS X AND LINUX PLATFORMS

Mac OS X and Linux platforms support the three installation methods described above:

- Sending the Systems Management Agent via email
- Sending the download URL via email
- Direct download

In all cases, Users receive the installation package which downloads all the necessary libraries and dependencies, and the agent will be installed automatically when the operating system is restarted.

Important: Mac OS X and Linux do not support Remote deployment.

INSTALLING THE SYSTEMS MANAGEMENT AGENT ON ANDROID AND IOS

Follow the steps below to manage your mobile devices from the central admin console.

Enable the console's MDM feature

To be able to interact with your mobile devices from the console, you need to enable the MDM feature. To do this, import the free component Mobile Device Management directly from the Comstore. Once the component is added, the iOS and Android operating systems will appear in Add Devices.

Note: Even though the Mobile Device Management component is free, every mobile device with a Systems Management Agent installed will count as a regular license for the purpose of counting the total number of purchased licenses.

Import the certificate into the Systems Management Console (for iOS-based devices)

It will also be necessary to incorporate into the Systems Management Console the certificate generated by Apple for iOS devices to be able to connect to the Systems Management Server.

Note: Importing the Apple certificate is a mandatory, one-time process for each client/partner who wants to manage one or multiple iOS-based devices.

Note: Installing the certificate is a requirement from Apple to ensure the integrity, authenticity and confidentiality of all communications between the Systems Management Server and the User's device.

To do so, follow the steps below:

- Browse to Account, Settings to access the Apple certificate settings (Apple Push Certificate section).
- Download the certificate signing request (CSR), signed by Panda Security (*_Apple_ CSR.csr).
- Upload the CSR file to the Apple Push Certificate Portal.

To access the Apple Push Certificate Portal, you must have an Apple account. Any iTunes account will be enough. However, if you want to generate new Apple credentials, go to click Create an Apple ID and follow the instructions on-screen.

- Go to and sign in with your Apple credentials.
- Click Create Certificate and follow the instructions on-screen. Load the CSR file you downloaded in the previous step.
- Download the new Apple signed certificate (.PEM) to your computer.
- Go back to the Systems Management Console. Browse to the Apple signed certificate (.PEM) downloaded from the Apple Push Certificate Portal, and upload it.

Once uploaded, the following message will appear in the console.

Sending the download URL via email

Due to security restrictions, clients can only receive an email containing the link to download directly from the Apple Store or Google Play and a .mdm file containing the Profile information associated to the device.

Note: As the Systems Management Agent is downloaded from the official app store for each mobile platform (Google Play or Apple Store), information about the Profile is not part of the downloaded package, as this would mean changing the content of the package in the store. This information is therefore kept in the .mdm file delivered in the email.

Associate the device with a Profile

After the iOS or Android Systems Management Agent has been installed on the client's device, the User must take the following steps to associate it with the selected Profile. There are two ways to associate a device with a Profile:

Option 1: Capturing the QR code using the device's camera.

On a PC with the Web console displaying the Profile to be associated with the User's mobile device, click the QR code to enlarge it. Then, the User must touch the wheel icon on their device to launch the camera and capture the QR code on the screen.

After reading the code, the Systems Management Agent will display the message Connected on the User's device, and appear on the Systems Management Console.

Option 2: Importing into the agent the .mdm file attached to the email.

On mobile phones without a camera it is possible to open the .mdm file from the email message by simply touching the file. After loading the .mdm file, the Systems Management Agent will display the message Connected on the User's device, and appear on the Systems Management Console.

Important: MDM file import is only supported from the device's native email client.

ADMINISTRATION OF DEVICES NOT SUPPORTED BY THE AGENT

By using the SNMP protocol, Systems Management can allow visibility of devices on which the Agent can't be installed. SNMP devices can be divided into two large groups: printers, and the rest of the devices (routers, switches, scanners, switchboards, etc.). The procedure and requirements differ depending on the group to which a device belongs.

Administration of network printers

To add this type of device, simply locate it using the device discovery function in the Audit tab. See Chapter 12: Assets Audit for more details on the discovery of devices.

This tab displays all the non-administered devices found on clients' networks where at least one Windows Agent is installed. As the list that is generated may be quite long, the Search field can be used to locate specific devices. Once a device has been located, click Manage printers and the device will appear in the list of the Profile to which it belongs, just as with other administered devices.

Note: Each printer-type device added to the Console uses a license from the total number of licenses contracted by the client.

ADMINISTRATION OF OTHER SNMP DEVICES

Devices that are not printers and which don't support the installation of the Agent can be managed through an Agent designated in the console as an SNMP monitor.

Note: Although not strictly necessary, it is advisable for administrators to familiarize themselves with the basic concepts of SNMP (OID, MIB, NMS, etc.) as well as having an MIB browser to be able to browse the OID structure of the device. Mibble is an MIB browser available free from the website.

Which parameters can be monitored in devices managed via SNMP?

Most SNMP-compatible devices publish, in their MIB, a lot of detailed status information that allows you to monitor many functionality parameters, for example:

- Internal resource usage (memory, internal storage, CPU, etc.)
- Bandwidth consumption.
- Internal device temperature.
- Descriptive information about the device and the manufacturer (model, version, latest firmware update, etc.)
- Detection of specific errors with error codes.
- Changes to the device's configuration.
- Changes to the device status: ports enabled or disabled in a switch via STP, lines available on a switchboard, etc.

Any data published in the device MIB can be read and interpreted by Systems Management, though the manufacturer's guide will determine which information can be of use. Similarly, it is important to know the units of measurement used in the published data and to be aware of the thresholds that determine whether a device is in danger of imminent failure and requires intervention from the maintenance department.

What steps are required to configure SNMP monitoring?

Follow the steps below:

Designate a device as an SNMP monitor in the Systems Management console: In the list of managed devices displayed in Profiles, Devices, select the computer that will act as the SNMP Monitor in the network by clicking Add as SNMP monitor from the icon bar. It is important that the device is always on and that it belongs to the family of Windows operating systems, as the other platforms supported by Systems Management don't allow SNMP monitor functions. Once the computer is selected, the installed Agent has to be configured with the devices to monitor and the conditions that will prompt Alerts and Tickets.

Note: It is advisable to designate one or more Windows servers as SNMP Monitors and check that communication through UDP port 161 between the SNMP Monitor and the monitored device is correct.

Preparing the devices to monitor: Practically all devices connected to a network can be monitored via SNMP. To do this it is usually necessary to enable this protocol in the device settings and make a note of the Community it belongs to (usually Public by default). In some devices it will also be necessary to configure the SNMP protocol version to be used (v1/v2) and the IP address from which the device will receive SNMP requests. In this case the IP address will be that of the device designated as Systems Management Monitor.

It is important to collect and keep this data as it will be required later when configuring the service.

Once SNMP is enabled in the device to monitor, establish the OIDs that need to be monitored. SNMP-compatible devices periodically dump internal status data in the MIB structure. It will be necessary to consult the manufacturer's documentation to see which OID nodes of the MIB structure contain useful information and make a note of them. It is also possible to obtain these OID nodes by browsing the MIB structure with Mibble or similar.

Configuring the Agent designated as the SNMP monitor: To access the SNMP settings, connect to the Agent designated as SNMP Monitor and click the icon indicated in the image below:

If the icon does not appear, check the connection to the Agent designated as SNMP Monitor in the Console and move the panel separator to the right in the Agent.

From this screen you can configure SNMP Monitors and SNMP Alerts. Each SNMP Monitor controls one or more values on a single device, so it will be necessary to configure as many SNMP Monitors as there are devices to monitor on the network.

The parameters to configure are:

- Device Name: Field identifying the device.
- IP Address: IP address of the monitored device.
- SNMP version: Version of the protocol used.
- Community: Community to which the SNMP device belongs.

Once the monitor is configured and the changes are saved, you can start to define the SNMP Alerts. An SNMP Alert comprises a field of the MIB of the monitored device, a reference value that you can define, and a comparison criterion. To add an alert to an existing SNMP Monitor, click Add and complete the fields:

- OID: String of numbers separated by dots which is obtained from the manufacturer's MIB and identifies the monitored object.
- Description: Text describing the OID.
- Description (alert): Text describing the comparison criteria.
- Operator (alert): Comparison criteria to apply to the Value field to identify an alert situation.
- Value (alert): OID limit or reference value.

Once all the fields are completed, click Save and after 60 seconds, or by clicking Refresh, the monitor will begin to operate.

When the Agent designated as SNMP Monitor begins to receive information from the SNMP devices, its status switches to Receiving responses and the Value field of each alert changes to green or red depending on whether the alert condition has been met or not.

Every 60 seconds the agent launches an SNMP query to the IP, OID and Community items designated in each SNMP alert, collecting the value published in the MIB OID of the device. Using the criteria in the Operator field, this value is compared against the reference Value. If the comparison is successful, the Agent sends the data to the Server so there will be an alert in the Monitor tab and a Ticket with the collected values.
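The polling cycle described above (query one OID with the configured Community, then compare the returned value using the alert's Operator and Value) can be reproduced outside the Agent to check a device before adding it. The Python below is an added example, not code from Panda Security or the product: the operator symbols, function names and the sample reply are assumptions constructed here, and it polls the standard sysUpTime object, whose unit of hundredths of a second shows why the unit of measurement matters when choosing the reference Value.

```python
import operator
import socket

# Operator symbols are an assumption: the guide only names an Operator field.
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq, "!=": operator.ne}
UNSIGNED_TAGS = {0x41, 0x42, 0x43, 0x46}  # Counter32, Gauge32, TimeTicks, Counter64
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"          # MIB-II sysUpTime, hundredths of a second
# Constructed reply (not captured from a real device): sysUpTime.0 = TimeTicks 12000
SAMPLE_REPLY = bytes.fromhex(
    "30 28 02 01 01 04 06 70 75 62 6c 69 63 a2 1b 02 01 01 02 01 00 02 01 00"
    " 30 10 30 0e 06 08 2b 06 01 02 01 01 03 00 43 02 2e e0")

def _tlv(tag, value):
    n = len(value)                        # BER short or long definite length
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def _int(n):
    # Non-negative INTEGER; the extra leading byte keeps the sign bit clear.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:                          # others: base 128, high bit = more
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def build_get(community, oid, version=1, request_id=1):
    """GetRequest for one OID; version 0 = v1, 1 = v2c. Community goes out in clear text."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(version) + _tlv(0x04, community.encode()) + pdu)

def _read(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos; ValueError if cut short."""
    if pos + 2 > len(buf):
        raise ValueError("truncated SNMP message")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated SNMP message")
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    items, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read(buf, pos)
        items.append((tag, value))
    return items

def _oid_text(raw):
    arcs, arc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        arc = (arc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(arc)
            arc = 0
    return ".".join(map(str, arcs))

def parse_response(packet):
    """Decode a single-varbind GetResponse into a dict."""
    _, msg = _children(packet)[0]
    (_, _ver), (_, community), (ptag, pdu) = _children(msg)
    if ptag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    (_, _rid), (_, err), (_, _idx), (_, varbinds) = _children(pdu)
    (_, oid_raw), (vtag, vraw) = _children(_children(varbinds)[0][1])
    if vtag == 0x02 or vtag in UNSIGNED_TAGS:
        value = int.from_bytes(vraw, "big", signed=(vtag == 0x02))
    elif vtag == 0x04:
        value = vraw.decode("latin-1")
    else:  # NULL or the v2c noSuchObject / noSuchInstance markers
        value = None
    return {"community": community.decode("latin-1"), "oid": _oid_text(oid_raw),
            "error": int.from_bytes(err, "big"), "value": value}

def alert_fires(reply, oid, op, reference):
    """True when the polled value meets the alert condition; errors never fire."""
    if reply["error"] != 0 or reply["oid"] != oid or reply["value"] is None:
        return False
    return OPERATORS[op](reply["value"], reference)

def snmp_get(ip, community, oid, version=1, timeout=3.0):
    """One poll over UDP port 161; raises socket.timeout when no reply arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get(community, oid, version), (ip, 161))
        return parse_response(sock.recvfrom(65535)[0])
```

With the sample reply, an alert defined as sysUpTime < 30000 (five minutes) fires because the device reports 12000 hundredths of a second. SNMP v1/v2c carries the Community unencrypted in every request, which is why configuring the device to accept requests only from the SNMP Monitor's IP address, as described above, is worth doing wherever the device offers it.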

Specific factors for monitoring devices via SNMP

Unlike printer-type devices or those supported directly by the Agent, SNMP-managed devices are not integrated in the Console and therefore do not have visibility and cannot be grouped in Groups or Filters or managed using normal procedures (Audits, Monitors, Reports, etc.). That's why the configuration of all settings for SNMP monitoring is carried out through the Systems Management Agent designated as the SNMP Monitor. In forthcoming versions there will be greater integration in order to offer the same functions as devices managed directly with the Agent.

Devices managed with the procedure described in this section do not consume licenses.

APPROVING DEVICES

Service administrators can also ask for manual approval of devices when integrating a new one with the recently installed Agent. This process may be necessary to monitor which devices are added to the service, particularly in environments where the Agent is freely accessed from within the company (mapped drive or shared resource).

To configure manual approval of devices go to the General menu, Account, Settings. Once manual approval of devices is activated, they will appear under the Approve Devices option as the Agents are installed on the computers. The administrator will then be able to approve the devices to be included in the service. When a device is waiting for approval a message will appear in the corresponding Profile's list of devices.

Even if devices are not approved, they will still be included in the inventory processes and it will be possible to access them via remote desktop.

Important: Non-approved devices will still use up licenses.

Important: Non-approved devices will not receive Jobs nor deployed components.

CONFIGURING A CONNECTION BROKER

A Connection Broker is a Windows device with an Agent installed and which is responsible for performing a series of additional tasks aimed at minimizing traffic on clients' networks, as well as supporting connectivity of the remote desktop on neighboring devices.

By default on each network segment there will be an Agent that automatically takes the role of Connection Broker. It will be responsible for maintaining centralized communication with the Server and the administered devices in order to minimize bandwidth consumption. The Connection Broker also discovers devices on the same network segment, even if they are devices without an Agent installed, printers, routers or others.

If you have problems starting a remote desktop session on a network segment, restart the computer acting as the Connection Broker and try again.

Assigning the role of Connection Broker to a device

Even though promoting a device to Connection Broker is an automatic process performed on the basis of the characteristics of each device (the time it is switched on, available bandwidth, CPU power, etc.), in some cases it may be advisable to promote a specific network device manually. To do this, go to the settings of the Agent that you want to act as Connection Broker, right-click and select Settings, Preferences.

Make sure you assign the role of Connection Broker to a server-type device on each network segment, to ensure it has sufficient resources and it is always in service.

Disabling the use of Connection Brokers

Given that when an Agent is promoted to a Connection Broker it requires resources on the device CPU and on the client's local network which may not be available, it is possible to completely disable this feature from the General menu, Account, Settings in Custom Agent Settings or from Profile, Settings if you only want to disable this feature for a specific Profile.

Other Connection Broker Parameters

If you want to change the Connection Broker settings, from the General menu, Account, Settings you can set the connection parameters:

Field: Description
Control Channel Address: Use restricted to the Panda Security Support Dept.
Control Channel Port1: Use restricted to the Panda Security Support Dept.
Control Channel Port2: Use restricted to the Panda Security Support Dept.
Web Service Address: Use restricted to the Panda Security Support Dept.
Tunnel Server Address: Use restricted to the Panda Security Support Dept.
NetAssets Subnet Limit: Restricts the device scanning range of the Connection Broker to the specified number ( ) within a network segment.

Important: With the exception of NetAssets Subnet Limit these parameters should only be altered with the express permission of the Panda Security Support Dept. Any modification could result in the loss of connection with the Agents.

VIEWING DEVICE INFORMATION

Systems Management lets you centrally display in the Console the information compiled by each Agent. This information is available at the Device Level associated with each device, accessible from the General menu, Profiles, selecting the Profile the device belongs to and clicking the Device tab and then the device itself.

The Device level displays the following general information. Depending on the type of device (server, workstation or smart phone / tablet) some entries may vary or not be available.

The information displayed is divided into five categories:

- General device information
- System information
- Administrator notes
- Activity information
- Performance information

General device information

Field: Description
Description: An editable text description of the device. Initially it contains the device name.
Groups: Groups to which the device belongs.
Version: Version of the installed agent.
Power Rating: Depending on the type of device a default consumption rating will be assigned. See later in the chapter for details about how to manage the power consumption of the devices.
Custom field: This field lets you define descriptive labels for the devices. The difference between this and the Description field is that the Custom field is accessible from the scripts run on the devices, as it is a visual way of integrating the result of executing a script in the Console. See Chapter 11: Component execution for more details.

System information

Field: Description
Hostname: Device name
UID: Internal device identifier
Device Type: Type of device (workstation, laptop, tablet, smart phone, printer)
Domain: Windows domain to which the device belongs
Last User: Last user to log in to the device
Status: Status (Online, Offline)
Last Seen: Date that the Server last accessed the device.
Last Audit Date: Last time a software and hardware audit was performed. See Chapter 12: Assets Audit for more details.
Date Created: Date the device was created on the system.
Int IP Address: Local IP address of the device
Ext IP Address: IP of the router or the device that connects the device to the Internet
Additional IP(s): IP Alias
Manufacturer
Model
Operating System
Service Pack
Architecture: 32 or 64-bit
Serial Number
Security Center: Protection status of the resources on the device.

Note: Some fields have a Google search field to provide information about the manufacturer, make or model of the device.

Also from Device Level, you can get information about the device desktop or start a remote control session from the four icons displayed below.

- Refresh: Takes a new screenshot of the device desktop and displays it on screen.
- New Screenshot: Lets you download a screenshot of the device desktop.
- Connect to device: Connects the local agent to the selected device.
- Remote takeover (RDP): Connects to the device's remote desktop via RDP.
- Remote takeover (VNC): Connects to the device's remote desktop via VNC.

Administrator notes

Here administrators can add reminders and comments as well as procedures for resolving recurring problems with the device to enable collaboration with other administrators.

Activity log

Displays the actions taken on the device. This is a summary of the information displayed in the Reports tab, selecting the Activity box. You can reach this screen directly by clicking the more link at the bottom of the list.

Performance

The Console displays three line graphs showing usage of the CPU, the memory and the hard disk. It also indicates the time the device has been operating.

- CPU
- Memory
- Disk (a line for each disk on the device).
- Time that the device was switched on that day.

MANAGING THE RESOURCE CONSUMPTION OF THE DEVICES

Systems Management lets you automate the monitoring of the resource consumption of the monitored devices. This requires an initial configuration, which although largely corresponds to the default settings, may require an adjustment. It is therefore advisable to adjust the real resource consumption values to reflect the reality in each country / company infrastructure.

The complete cycle of resource consumption management is divided into three sections:

- Specification of the type of device
- Specification of the resource consumption of the type of device
- General consumption view

Each section is described below:

Type of device

Systems Management distinguishes between five types of device.

- Desktop
- Laptop
- Server
- Smartphone
- Tablet

The system automatically assigns the type of device that best describes each administered device, though if this is not accurate, the value can be changed in the corresponding Device Level in the Summary tab.

Specifying the power rating for each type of device

By default the system assigns specific power ratings for laptops, smart phones or servers. These average values are calculated according to typical hardware configurations and can be changed for all administered Profiles through the General menu, Account, Settings, Power rating by assigning the watts consumed for all types of devices. They can also be redefined for a specific Profile in the Settings tab of each Profile. As electricity prices vary enormously from country to country, and even across regions, it is also possible to specify the cost per kWh.

General power rating view

The consumption for each device can be activated by selecting the Cost in the list of Profile devices.

6. Filters and Groups

WHAT ARE GROUPS AND FILTERS?

Groups and Filters are resources for generating clusters of devices in a similar way to the Profile but more easily and dynamically. So, while creating a Profile is considered a static aspect of marking devices as belonging to a specific client account, Groups and Filters are designed to be easily modified in response to temporary characteristics or criteria of the devices.

TYPES OF GROUPS AND FILTERS

There are various types of Groups / Filters:

- Profile Device Groups / Profile Filters: created within a specific Profile, they can only contain devices that belong to the selected Profile.
- System Device Groups / System Filters: created at System Level, they can contain devices that belong to one, various or all Profiles.
- System Profile Groups: created at System Level, they are Groups of Profiles.

Note: Filters and Groups can be inter-profile device Groups; depending on where they are generated, they can include devices from one or various Profiles.

GROUPS

Groups are groups of static devices. A device is manually assigned to a Group by direct allocation.

FILTERS

The Filters are dynamic groups of devices. Whether a device belongs to a certain Filter or not is determined automatically when the device in question meets the criteria established for that specific Filter. A Device can belong to more than one Filter.

Predefined filters

Systems Management includes a set of predefined Filters that simplify the organization and location of devices registered in the service.

Filter name: Use
All Devices: Displays all the devices administered by Systems Management
Offline Devices: Displays all the offline devices administered by Systems Management
All Desktop O/S: Displays all the desktop devices administered by Systems Management
Online Desktop O/S: Displays all the online desktop devices administered by Systems Management
Offline Desktop O/S: Displays all the offline desktop devices administered by Systems Management
All Server O/S: Displays all the server devices administered by Systems Management
Online Server O/S: Displays all the online server devices administered by Systems Management
Offline Server O/S: Displays all the offline server devices administered by Systems Management
MS Win 7: Displays all the Microsoft Windows 7 devices administered by Systems Management
MS Win Vista: Displays all the Microsoft Windows Vista devices administered by Systems Management
MS Win Server 2003: Displays all the Microsoft Windows Server 2003 devices administered by Systems Management
MS Win Server 2008: Displays all the Microsoft Windows Server 2003 devices administered by Systems Management
MS Win XP: Displays all the Microsoft Windows XP devices administered by Systems Management
MS Win 8: Displays all the Microsoft Windows 8 devices administered by Systems Management
MS Win Server 2012: Displays all the Microsoft Windows Server 2012 devices administered by Systems Management
Offline > 1 Week: Displays all devices administered by Systems Management that haven't been accessed by the server for more than a week.
Apple iOS: Displays all devices with iOS (tablets and smart phones) administered by Systems Management
Mac OSX: Displays all devices with Mac OS X (tablets and smart phones) administered by Systems Management
Google Android: Displays all devices with Android (tablets and smart phones) administered by Systems Management
All Mobiles: Displays all smart phones administered by Systems Management
Linux: Displays all devices running Linux.

Filter composition

A Filter is made up of one or more Attributes which combine with each other through the logical operations AND / OR. A Device forms part of a Filter if it meets the criteria established in the Attributes of the Filter.

The general layout of the Filter is divided into two blocks:

- Filter name: It is advisable for this to be a descriptive name that describes the characteristics of the Devices (e.g. Microsoft Exchange servers, Workstations with limited disk space, etc.).
- Criteria: here you can select the Attributes that will be checked on each Device and their Value. For each Attribute several Values can be specified, which are taken into account in line with the specified AND / OR values. Similarly, several Attributes can be specified in the same Filter which also relate to each other in line with the AND / OR values.

The Criteria block is broken down into three parts:

- Attribute: specifies the characteristic of the device that will determine whether it is part of a Filter. The main Attributes are listed and classified below.
- Condition: establishes the way the Attribute of the device is compared with the reference Value set by the administrator.
- Value: the content of the Attribute. Depending on the Attribute the Value field can change to allow terms such as dates, text, etc.

To specify different values for an Attribute you have to click the + to the right of the Value field. This deploys a new control and an AND / OR button that lets you choose the relation: two Values related with AND means that the device must have an attribute that complies with both fields. Two Values related with OR means that the device must have an attribute that complies with at least one of the fields.

Below are the values available for each Criteria condition line:

Field: Condition: Search Term
String: Empty, Not empty, Contains, Does Not Contain, Starts with, Does not start with, Finishes with, Does not finish with: String. Use % as a wildcard.
Integer: Greater, Greater than or equal to, Less, Less than or equal to, Includes, Excludes: Numeric.
Binary: True / False
Date: Before, After, Older than 30/60/90 days: Date Interval
Selection: Is a member of, Is not a member of: Available groups

Finally, to apply more complex Filters that can examine several Attributes it is possible to add more Criteria blocks by clicking the + below, and repeating the process described above: the new Criteria can be related with the same AND / OR logic.
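The way Values and Criteria blocks combine is easier to judge on sample data, for instance when a Filter is meant to surface devices that need attention. The Python below is an added example, not the product's implementation: it models the String, Integer, Binary and Date conditions from the table above (Includes / Excludes and group membership are left out), and it assumes that AND / OR are applied strictly left to right and that % matching ignores case, neither of which the guide states. The inventory, the Filter and all function names are constructed for illustration.

```python
import re
from datetime import date, timedelta

def wildcard_match(pattern, text):
    """Whole-string, case-insensitive match where % stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

# Condition names follow the guide's table; each takes (device value, search term, today).
CONDITIONS = {
    "Empty": lambda v, t, now: v in (None, ""),
    "Not empty": lambda v, t, now: v not in (None, ""),
    "Contains": lambda v, t, now: wildcard_match(f"%{t}%", v),
    "Does Not Contain": lambda v, t, now: not wildcard_match(f"%{t}%", v),
    "Starts with": lambda v, t, now: wildcard_match(f"{t}%", v),
    "Does not start with": lambda v, t, now: not wildcard_match(f"{t}%", v),
    "Finishes with": lambda v, t, now: wildcard_match(f"%{t}", v),
    "Does not finish with": lambda v, t, now: not wildcard_match(f"%{t}", v),
    "Greater": lambda v, t, now: v > t,
    "Greater than or equal to": lambda v, t, now: v >= t,
    "Less": lambda v, t, now: v < t,
    "Less than or equal to": lambda v, t, now: v <= t,
    "True": lambda v, t, now: v is True,
    "False": lambda v, t, now: v is False,
    "Before": lambda v, t, now: v < t,
    "After": lambda v, t, now: v > t,
    "Older than": lambda v, t, now: v < now - timedelta(days=t),  # t = 30, 60 or 90
}

def evaluate(value, condition, term, today):
    """Apply one condition; an attribute with no audited value only satisfies Empty."""
    if value is None and condition not in ("Empty", "Not empty"):
        return False
    return CONDITIONS[condition](value, term, today)

def fold(results):
    """Combine [(joiner, bool), ...] left to right (assumed order); first joiner is ignored."""
    verdict = results[0][1]
    for joiner, ok in results[1:]:
        verdict = (verdict and ok) if joiner == "AND" else (verdict or ok)
    return verdict

def device_matches(device, criteria, today):
    blocks = []
    for block in criteria:
        value = device.get(block["attribute"])
        values = [(joiner, evaluate(value, block["condition"], term, today))
                  for joiner, term in block["values"]]
        blocks.append((block["join"], fold(values)))
    return fold(blocks)

def apply_filter(devices, criteria, today):
    return [d["Host name"] for d in devices if device_matches(d, criteria, today)]

TODAY = date(2015, 3, 1)  # constructed reference date so the result is reproducible
INVENTORY = [  # constructed devices, keyed by attribute names from the guide
    {"Host name": "srv-01", "Operating system": "Microsoft Windows Server 2003 R2",
     "Antivirus (Yes / No)": False, "Last seen date": TODAY - timedelta(days=1)},
    {"Host name": "srv-02", "Operating system": "Microsoft Windows Server 2012",
     "Antivirus (Yes / No)": False, "Last seen date": TODAY},
    {"Host name": "srv-03", "Operating system": "Microsoft Windows Server 2008 R2",
     "Antivirus (Yes / No)": True, "Last seen date": TODAY},
    {"Host name": "ws-01", "Operating system": "Microsoft Windows 7",
     "Antivirus (Yes / No)": True, "Last seen date": TODAY - timedelta(days=45)},
    {"Host name": "ws-02", "Operating system": "Microsoft Windows XP",
     "Last seen date": TODAY},  # antivirus status not audited yet
]
# Hypothetical Filter: (Server 2003 OR Server 2008) AND no antivirus, OR unseen for 30 days
UNPROTECTED_OR_STALE = [
    {"join": None, "attribute": "Operating system", "condition": "Contains",
     "values": [(None, "Server 2003"), ("OR", "Server 2008")]},
    {"join": "AND", "attribute": "Antivirus (Yes / No)", "condition": "False",
     "values": [(None, None)]},
    {"join": "OR", "attribute": "Last seen date", "condition": "Older than",
     "values": [(None, 30)]},
]

if __name__ == "__main__":
    print(apply_filter(INVENTORY, UNPROTECTED_OR_STALE, TODAY))
```

Because the third block is joined with OR, ws-01 is selected on staleness alone even though it is not a server, which is the kind of side effect worth checking on a sample before relying on a multi-block Filter.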

Below you can see the Attributes available to create a Criteria block:

Attribute: Description
Windows updates (Yes/No): Lets you filter devices with the Windows Update engine enabled or disabled.
Display adapter: Lets you filter by brand name and model of the graphics card installed on the device.
Network adapter: Lets you filter by brand name and model of the network adapter installed on the device.
Additional IP address: IP alias of the device.
Antivirus (Yes / No): Lets you filter devices with or without an antivirus installed.
Architecture: Lets you filter devices with 32-bit or 64-bit architecture.
Attached device driver file: Lets you apply the filter to the driver file field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver manufacturer: Lets you apply the filter to the driver manufacturer field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver modified: Lets you apply the filter to the driver modified field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver name: Lets you apply the filter to the driver name field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver name/version: Lets you apply the filter to the driver name/version field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver version: Lets you apply the filter to the driver version field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver port: Lets you apply the filter to the driver port field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
Attached device driver type: Lets you apply the filter to the driver type field of external USB drives connected to the device. See Chapter 12: Assets Audit for more details.
CPU: Lets you filter by the make and model of the CPU installed on the device.
Disk size
Disk free space
Description: Lets you filter by the Description of the device. See Chapter 6: Devices for more details.
Profile description: Lets you filter by the Description field of the Profile to which the device belongs.
IP address
MAC address
Disk description: Lets you filter by the description string of the internal drives on the device.
Managed devices: Not used.

OnDemand devices; Domain; OnDemand profiles; Status Online/Offline; Status Web port OK; Status Suspended
Not used. Lets you filter by domain the device belongs to on Microsoft networks. Not used. Not used.

External IP Address: Lets you filter by the IP address with which the device connects to the Server
Manufacturer: Company that assembled the device
Favorite: Lets you filter devices marked as favourites.
BIOS release date
Last seen date: Date when the device was last seen by the Server.
Firewall (Yes/No): Lets you filter devices with firewalls enabled or disabled.
Patch title: Lets you filter by name of the patches installed.
Memory: Lets you filter by the amount of installed memory on the device.

- Model
- Monitor / screen
- BIOS name
- Host name
- Profile name: Lets you filter by the name of the Profile to which the device belongs.
- Serial number: Lets you filter by the device serial number.
- Software package: Lets you filter by the software package installed on the device.
- Software package/version: Software package and version installed.
- Custom field 1-6: Lets you filter by the content of the specified custom field (from 1 to 6). See Chapter 6: Devices for more details.
- Motherboard: Lets you filter by the manufacturer, make and model of the motherboard on the device.
- Profile device group: Lets you filter by the name of the Profile group the Device belongs to.
- Service Pack
- Operating system
- System device group: Lets you filter by the System group the Device belongs to.
- Device type
- BIOS version
- Software version: Lets you filter by the version of a software package installed on the device.
- Agent version
- Last audit: Date of the most recent hardware / software Audit on the device. See Chapter 12: Assets Audit for more details.
- Last user: Lets you filter by the last user to log on to the device.

7 How to manage efficiently devices

How managed devices are distributed in the Systems Management Console, whether in an MSP with multiple client accounts or in an IT department with various offices, drastically affects efficiency, as many procedures and actions can be configured to run on many devices. The right combination of Profiles, Groups and Filters keeps this manageable.

DIFFERENCES BETWEEN PROFILES, GROUPS AND FILTERS

Below is a description of the benefits and limitations of the three grouping methods supported.

Profiles

Benefits:
- They associate the same internet connection settings to all devices, which avoids having to configure each device manually and locally.
- They link contact information for sending Reports, Alerts, Tickets, etc.
- They can access the Tab Bar and the Icon Bar, allowing you to execute Actions and display Lists and Consolidated Reports that cover all of the Devices in the Profile conveniently and rapidly.

Limitations:
- A Device can only belong to one Profile.
- It is not possible to nest a Profile within a Profile.

Groups and filters

Benefits:
- Groups / Filters let you create subsets of devices within one or more Profiles.
- A device can belong to various Groups / Filters.

Limitations:
- Groups / Filters have limited functionality: the Tab Bar is not accessible, so it is not possible to generate consolidated lists.
- Access to Reports is limited; the Reports generated will only contain information about one device.

Note: Groups / Filters are Profiles within Profiles (as many as you like) but have limited access to consolidated Reports and the Tab Bar.

GENERAL APPROACH AND DEVICE MANAGEMENT STRUCTURE

The following general rules are applied:

- Group Devices in Profiles to separate the devices of different client accounts: Profiles do not impose any inherent limitations on generating Consolidated Reports or lists and allow settings to be applied to all of the Devices belonging to a Profile.
- Create Profile Device Groups to Group devices by hardware / software / configuration / use: For example, configure Profile Device Groups to separate devices by department within a client account with similar features (software used, general requirements, printer access, etc.) or by Role (Servers/Workstations).
- Create Profile Filters to find computers with a common status within a Profile: Use Filters to proactively, quickly and automatically search for abnormal conditions that fall outside predetermined thresholds (insufficient disk space, little physical memory installed, software not allowed, etc.) or to find devices with specific features.

  Important: It is not advisable to use Filters for Groups of a static nature.
- Create System Profile Groups to Group Profiles: If there are client accounts or offices with very similar characteristics and a variety of devices, you can Group them in the same System Profile Group to ease management.
- Associate Account Groups and Filters to technical Profiles: If an MSP or company is medium to large in size, a time will come when its technicians will become more specialized. In this case, there will be technicians who only manage certain types of devices, such as Exchange Servers or Windows XP Workstations. A System Group or Filter helps locate and Group these devices without having to go Profile by Profile to find them. To complete the scenario, it is advisable to create and configure Roles and new User accounts, as described in Chapter 16: User account and roles.

QUICK VIEW OF DEVICE INFORMATION

Once the devices are organized correctly, it is important to be able to access the information rapidly at a glance. The Console displays lists of devices with information fields that can be configured by the administrator. To configure the information displayed in any list of devices, you have to click the icon indicated in the image below:

This icon is accessible from any list of devices (Profiles, Groups or Filters). The options available are as follows:

Field: Description
- UID: Internal device ID
- Profile: Name of the Profile to which the device belongs
- Hostname: Name of the device
- Description
- IP Address: Local IP address of the device
- Addit. IP's: IP Alias
- Ext IP Addr: IP address of the router or device that connects the device to the Internet
- Last User: Last user to log on to the device.
- Group
- Date Created: Date the device was created in the system.
- Last Updated: The last date the server accessed the device.

- Last Audited: Date of the last software and hardware audit. See Chapter 12: Assets Audit for more details.
- Session Name: Not in use
- Favourite: Bookmarks the device as a shortcut on system dashboards.
- Privacy Mode: Privacy mode on the device.
- Agent Version: Short agent version
- Display Version: Full agent version
- Web Port OK: The device can connect to the Web service for downloading branding, components, updates, etc.
- Status: Status (Online, Offline). Online indicates that the Agent can connect to the Control Channel to send keep alives.
- Model
- Operating System
- Service Pack
- Serial Number
- Motherboard
- CPU: Make, model and speed of the CPU.
- Memory: Installed memory space.
- MAC Address(es)
- Custom field: Content of the Custom Fields defined. See Chapter 11 Component execution for more details.
- Device Type: Type of device (workstation, laptop, tablet, smart phone, printer).
- Domain: Windows domain that the device belongs to.
- Disk Drive (total/free): Total space and free space of all drives installed on the device.
- Online Duration (hrs)
- Cost: Cost corresponding to the device in line with its consumption. See Chapter 5: Devices.
- Architecture: 32 or 64-bit
- Display Adapters: Make and model of the graphics card installed on the device.
- BIOS Name: Make and model of the BIOS.
- BIOS Release Date
- BIOS Version

Once the view has been configured, the column names can be used to establish the most convenient criteria to organize the fields.

8 The first 8 steps to start using Systems Management

CREATE AND CONFIGURE THE FIRST PROFILE

First you must determine whether to create a new Profile or reuse one already in use, depending on the management criteria you are using. A new client account will generally correspond to a new Profile.

Fill in the information accordingly, keeping in mind that the Filters you add may refer to the content of the description field. If the devices in the Profile require additional information about the HTTP proxy to access the internet, this information can be provided here or added later.

After creating the Profile, it is advisable to configure it through the Settings tab. This configuration will be incorporated in the Systems Management Agent installed on each managed device.

DEPLOY THE SYSTEMS MANAGEMENT AGENT

The Agent installed on clients' devices requires certain basic information in order to operate:

- The Profile to which it will belong.
- Minimum information required in order to connect to the Internet and connect to the Server.

The Profile to which the Agent belongs is set automatically if the downloading or sending of the link is done through the Profile. The internet connection data was specified in the previous step when creating the Profile or in Tab Bar, Settings, so that the Systems Management Agent downloaded will already contain this information.

The Systems Management Agent can be downloaded in three ways:

- Sending the Systems Management Agent via email
- Sending the download URL via email
- Direct download

Installation of the Agent on networks with many devices can be tedious if it is done on each device individually. The simplest way to perform remote installation is:

- Sending the Agent to the first network device. Normally, installation of the Agent only requires double-clicking the download packet, with no need for confirmation; it is completely silent. Once the Agent is installed it will connect to the Server and appear on the list of administered devices for the selected Profile.
- Automatic distribution to the rest of the network devices. Once the Agent is installed on each network segment and after sufficient time for each of the devices to be discovered, from the Audit tab, select Hardware to select the devices that will automatically receive an Agent.

For more details on installing the Systems Management agent, see Chapter 5: Devices.

CHECK THE DEVICE LIST IN THE PROFILE AND BASIC FILTERING

You can favorite the devices to access them more quickly later, arrange lists, quickly filter them according to the Role of the device and change the size of the list to display more or fewer items.

HARDWARE, SOFTWARE AND LICENSE AUDIT

Tab Bar, Audit contains all of the audit details of the devices belonging to the Profile or, if accessed at Device Level, it will display detailed information about the device.

For more information about inventories, see Chapter 12: Assets audit.

PATCH MANAGEMENT

Approve patches that have not been installed on managed devices or Rollback those you want to uninstall in Tab Bar, Manage.

Configure when to apply patches to the devices in the Profile, the steps to be taken once applied and other parameters by creating a Windows Update or Patch Management Policy from Tab Bar, Policies in the Profile.

For more information about Patch Management, see Chapter 15: Patch management. For more information about creating Policies, see Chapter 9: Policies.

CREATE MONITORS

Deploy Monitoring mechanisms to network devices. From General Menu, System or from a specific Profile in Tab Bar, Policies, click Add System/Profile Policy.

In Type select Monitoring.

Add a Target (one or various Groups or Filters) and a Monitor.

On adding a Monitor, a 4-step wizard appears where you can configure the necessary settings.

For more information about Monitoring, see Chapter 10: Monitoring.

COMSTORE

Extend the functionality of Systems Management and centrally install third-party software with the components published in the ComStore.

The components used directly by the partner / IT Manager must be downloaded from the ComStore.

- My Components shows the components already downloaded and available for use.
- ComStore shows the components available for download from the ComStore.

In order to download a component, select one and click Buy. It will be immediately added to My Components.

Note: All components in the ComStore are free.

Depending on the component type, it can be run as a Job or in response to an Alert generated by a Monitor. In Tab Bar, Devices within the Profile, select the devices to which to apply the component and choose between Schedule a Job and Run a quick Job.

For further details about developing components see Chapter 11: Component execution.

ACCESS REMOTE MANAGED DEVICE RESOURCES

Although many daily operations can be performed directly from the Systems Management Console, it may be necessary to directly access the device through the Systems Management Agent. This requires installing the agent on technicians' devices so that they can provide remote support and log in with their Username and password.

Once logged in, locate the device to manage using its name by expanding the Profiles the technician can access with the credentials supplied or by listing the devices marked as favorites.

After locating the device, all of the remote access and remote control options will be accessible through both the icons and menus.

The options that do not prevent the User from continuing to work on the system are:

- Remote screen capture: rapid viewing of error messages
- Windows Services Tab: remote access to stop, start and restart services without needing to access the remote desktop
- Screen Sharing Session: shared remote desktop. The User sees what the technician is doing on the device
- Command shell: remote DOS command line
- Agent deployment: deploy the Systems Management Agent across the LAN
- Task manager: remote access to the task manager without needing to access the remote desktop
- File transfer: send and receive files
- Registry editor: remote access to the regedit tool without needing to access the remote desktop
- Quick Jobs: launch Jobs
- Event viewer: remote access to the event viewer without needing to access the remote desktop
- Wake Up: allows a device that is switched on to send the rest of the devices in the same LAN segment a magic packet to switch them on remotely

The options that will prevent the User from using the device are:

- Windows RDP: remote desktop access via RDP, which will close the User's session
- Shut Down / Reboot: shut down or restart the Target device

9 Policies

WHAT ARE POLICIES?

A Policy is any specific configuration or action that is repeated at regular intervals over time, on one or various devices managed through Systems Management. It is applied by pushing out a Policy to every Systems Management Agent installed.

Policies are configuration containers made up of:

- Targets: Groups of devices to which the Policy will be applied
- Services: depending on the Policy Type, the Systems Management Agent will perform a specific series of actions on each device

Policies can be created at the three levels available, depending on the number of devices and whether they belong to the same client or various:

- System Policy: define an action to apply to System Profile Groups, System Filters or System Device Groups
- Profile Policy: define an action to apply to Profile Groups or Profile Filters
- Device Policy: define an action to apply to a specific device

HOW TO DEFINE A SYSTEM POLICY

From General Menu, System, click Tab Bar, Policies.

A window appears where you can enter the name of the Policy, its Type, and whether it is based on another Policy created earlier to ease generation.

The next window requests the data needed to configure the Policy. Depending on the Policy type selected in this window, it will request one type of data or another.

In this case, we have created an Agent Policy and therefore, the Agent Policy Options section will request the configuration details that will affect how the Systems Management Server and the User will interact with the Systems Management Agent installed on network devices.

All types of Policies will require configuration of the Target, which will be a Group or Filter already defined. As this is a Policy created at System Level, only previously created System Device Groups, System Filters and System Profile Groups will be displayed.

HOW TO DEFINE A PROFILE POLICY?

From General Menu, Profiles, select a specific Profile then click Tab Bar, Policies.

The remaining steps are the same as those for creating a System Policy.

As this is a Policy created at Profile Level, only previously created Profile Device Groups and Profile Filters will be displayed. To disable a Policy in the Profile to which it applies, click On / Off under Enabled for this Profile.

HOW TO DEFINE A DEVICE POLICY?

From the Profiles Menu, select a specific Profile and then select a Device, in Tab Bar, Monitor and select Monitors.

Important: System Policies and Profile Policies are defined in Tab Bar, Policies but Device Policies are defined in Tab Bar, Monitor then click the Monitors combo box.

The remaining steps are the same as those for creating a System Policy or Profile Policy. As it is a Device Policy, the option to choose the Target does not appear: the Policy will only apply to the selected device.

The Suspend Monitoring button disables all active Monitors on this device; the device will appear in the Systems Management Console as Suspended.

POLICY TYPES

There are 6 types of Policy:

Monitoring

This Policy allows you to add device resource Monitoring processes.

Note: See Chapter 10: Monitoring for more details.

Agent

This Policy type specifies the appearance of the Systems Management Agent and the functionality shown to the User and to the Systems Management Server.

- Install Service Only: hide the tray icon so that the User cannot access the configuration windows.
- Active Privacy Mode: remote connection to the desktop of the User's device requires explicit acceptance by the User
- Disable Settings: the User cannot access the Systems Management Agent context menu
- Disable Audits: the selected devices will not send hardware/software audit data
- Disable Incoming Jobs: prevents Jobs being sent to the Systems Management Agent
- Disable Incoming Support: disables administrator access to the Systems Management Agent
- Disable Tickets Tab: disables the Tickets tab in the Agent
- Agent Browser Mode: allows the Systems Management Agent execution mode to be defined
  - Disabled
  - User: the Systems Management Agent will not display the Support window and therefore, prevents access in Administrator Mode
  - Administrator: complete execution of the Systems Management Agent.

Patch Management

Patch Management is one of the methods available in Systems Management for downloading and installing software patches.

Note: See Chapter 15: Patch Management for more details.

Power

This Policy allows configuration of the power saving settings on the devices that support them.

Mobile Device Management

Mobile Device Management (MDM) lets you establish Policies for iOS devices (tablets and smart phones). With this Policy you can restrict the use of such devices.

Note: See Chapter 17: Mobile Device Management for more details.

Windows Update

Windows Update is a transposition of the options available on a WSUS server and allows the most common Patch Management options to be configured for Microsoft systems.

Note: See Chapter 15: Patch Management for more details.

HOW TO DEPLOY A POLICY

After a Policy has been created, a line will be added to the Policies screen.

To deploy the Policy, click Push changes. This will apply the Policy to all of the affected devices, triggering its execution.

10 Monitoring

WHAT IS IT?

Monitoring is a Policy that detects failures on Users' devices unattended. This allows the IT administrator to configure Monitors on Users' devices that warn of abnormal situations and automatically launch Alerts or scripts to correct them, all without human intervention.

COMPOSITION OF A MONITOR

A Monitor consists of three configuration Groups:

- Monitor type: specifies its function
- Conditions: Monitor parameters that describe the conditions under which a response will be triggered
- Response: automatic actions that the Monitor can trigger. There are three types of response:
  - Execute components
  - Send emails
  - Generate Tickets (Chapter 14: Ticketing)

MANUAL CREATION OF MONITOR

From General Menu, System or from a specific Profile in Tab Bar, Policies, click Add System/Profile Policy.

In Type select Monitoring.

Add a Target and a Monitor.

Note: A Policy can have more than one associated Monitor.

On adding a Monitor, a 4-step wizard appears where you can configure the necessary settings.

Step 1: Monitor Type

In this step, specify the Monitor that will be added to the Policy, according to the resources on the User's device to be monitored.

Monitor Name | Function | Available in
Online Status Monitor | Check whether the device is online | Windows, Mac
CPU Monitor | Control CPU usage | Windows, Mac
Memory Monitor | Control memory usage | Windows, Mac
Component Monitor | Launch a Monitor component from the ComStore or designed by the administrator | Windows, Mac
Process Monitor | Control the status of a specific process | Windows, Mac
Service Monitor | Control the status of a specific service | Windows
Event Log Monitor | Supervise the event viewer | Windows
Software Monitor | Supervise the software installed on or uninstalled from the device | Windows
Security Center Monitor | Control the operating system Security Center status | Windows
Disk Usage Monitor | Control hard disk usage | Windows
File/Folder Size Monitor | Control the size of files and folders | Windows

Step 2: Monitor Details

Depending on its function, each Monitor needs slightly different settings, so this step will vary according to the type of Monitor previously selected.

In general, this step requires the following data:

- Trigger Details: complementary Monitor settings and conditions to be met to trigger a response
- Alert Details: you can select the priority of the Alert that will be generated (Critical, High, Moderate, Low, Information)
- Auto Resolution Details: you can specify the time required for an Alert to be considered automatically resolved

Step 3: Response Details

In this step, you can select the response that will be triggered when the limits defined in step 2 are reached.

- Run the following component: the drop-down list will show the components imported from the ComStore or developed by the administrator
- Email the following recipients: you can specify the recipients, subject, format and message of the emails. The Default recipients checkbox sends the emails to the accounts defined in Tab Bar, Settings in the Profile to which the Monitor created belongs and those defined at global level in General Menu, Account, Settings.

Step 4: Ticket Details

In this step, you can enable automatic generation of Tickets as the response generated by the Monitor on reaching the limits defined in step 2.

- Assignee: assign the Tickets generated by the Monitor to a technician
- Ticket Notification: send an email with the data generated by the Monitor to the technician's address

AUTOMATIC CREATION OF MONITORS

With devices such as printers that don't support the installation of third-party software, the system itself generates Monitors automatically when you add these devices.

So when you add a device such as a printer to the Systems Management Console, a new Monitor appears in the Policies tab.

This Monitor will let you know when printer supplies (toner, ink, etc.) drop below a certain configurable threshold.

11 Component execution

WHY DEVELOP COMPONENTS?

Developing components allows the administrator to create new processes that run on Users' devices and add extra functionality to the Systems Management Platform.

Although Systems Management offers a default component repository (ComStore) which extends its basic function, it might be necessary to develop specific components to perform very specific tasks on Users' devices. Systems Management is therefore presented as an expandable remote management and Monitoring platform, which very easily adapts to the specific needs of each client.

WHAT ARE THE REQUIREMENTS FOR DEVELOPING COMPONENTS?

Firstly, basic programming knowledge of one of the scripting languages supported:

Language | Included as standard in | Provider
Batch | All versions of Windows | Microsoft
Visual Basic Script | Windows 98 and later; Windows NT 4.0 Option Pack and later | Microsoft
JavaScript (Jscript) | Windows NT 4.0 Option Pack and later; Windows 98 and later | Microsoft
Powershell | Windows 7 | Microsoft
Python | Mac OS X 10.3 (Panther) | Python Software Foundation
Ruby | None | Yukihiro Matsumoto
Groovy | None | Pivotal & Groovy Community
Unix (Linux, Mac OSX) | Linux, Mac OSX | Variable

Furthermore, the parser associated to the selected scripting language must be installed and running on the User's device.

Important: Some parsers like Python or Groovy must be installed and therefore, the components programmed in these languages are not guaranteed to work on recently installed Windows computers.

Note: Before running a component developed in a language not supported directly by the User's device, it is advisable to run an automatic Job to distribute the parser. Software distribution is described in Chapter 11: Component execution.

Note: In Unix-type scripts, #!/bin/bash is automatically added as the first line to specify the shell to be used to run the script. As with other types of script, the shell must be installed on the User's device in order to be run.

GENERAL ARCHITECTURE OF SYSTEMS MANAGEMENT COMPONENTS

The components developed for Systems Management are divided into three types, according to their purpose, behavior and execution method:

Applications: These components ease software deployment across the client's network. These will be described in Chapter 13: Centralized software deployment and installation. They are scripts that are generally run just once and are associated to at least one external file, which will be the software to install.

Monitors: The Monitor Profile Policies or System Policies are associated to a component that performs the Monitoring task. In general, there are three types of Monitor:

- Internal: accessible directly from the Systems Management Console on creating a Policy
- External: components published by Panda Security in the ComStore
- Custom: components developed by the IT administrator.

External and Custom components are executed on the device every 60 seconds.

Note: The run interval of an External or Custom component cannot be changed. To lengthen the interval between runs of an External or Custom component, this must be done within the component, for example by storing timestamps with the last run date and checking this value whenever execution of the component is triggered.

Scripts: These are small programs developed in script language which run on the client's device. They can be run once through a Job or periodically according to the calendar specified in the Scheduler.

In all cases, once the components are loaded on the Systems Management Server platform, they will be copied to and run on all devices necessary.

Summary table:

Component type | Run from | Run every | Purpose
Applications | Quick Job or Scheduled Job. | On demand or when specified in the calendar. | Centralized software deployment and installation. Software deployment is described in Chapter 13: Centralized software deployment and installation.
Monitors | Profile Policy or System Policy. | 60 seconds (fixed). | Device Monitoring
Scripts | Quick Job or Scheduled Job. | On demand or when specified in the calendar. | Run applications developed by the administrator.

Note: Monitors, Applications and Scripts have almost the same internal structure. The component type only specifies how it connects to the Systems Management Console. Therefore, when creating a Job, only Script or Application components will be listed and when creating a Monitor, only Monitor components created or imported from the ComStore will appear.

CREATE A MONITOR COMPONENT

Component presentation and purpose

Below are the details of the steps to create a Monitor and distribute it to the devices in a specific Profile.

The purpose of the component is to easily and simply manage the quarantine of the security product Endpoint Protection. Quarantine stores suspicious files that could contain malware and also files detected as a virus. For this reason, the administrator needs to know how many items are in quarantine at all times.

The example also shows how simple it is to adapt and integrate new Monitors for other software solutions.

Below is a summary of the component features.

- Devices affected: All Windows 7 devices in the Home Profile
- Script language: Visual Basic Script
- Frequency of sending information: Every 10 minutes, notification is sent of whether the number of items in quarantine has increased
- Systems Management actions: An email is sent to the administrator with the Monitoring results; automatic Alert generation

One of the problems to tackle is that the Systems Management Agent will automatically execute the script every 60 seconds but only Reports information every 10 minutes.

Necessary components

To follow this example, an Endpoint Protection license is required and the Systems Management Agent must be installed on the device. However, as the items added to quarantine by Endpoint Protection are files in a specific folder on the device, this example can be used with any other folder on the system.

Note: Endpoint Protection is a complete cloud-based security solution, which is easy to use and leverages the power of Collective Intelligence to provide maximum protection against spam and known threats in real-time for desktops, servers, laptops and Exchange Server.

The component is developed in Visual Basic Script and therefore, the Wscript.exe or Cscript.exe parser will need to be installed on the User's device. This parser comes as standard on all Windows operating systems.
Communications protocol between the component and the Systems Management Server

Almost all of the components will need information from the Systems Management Server and will return the result of their execution. All of the information exchanged between the Systems Management Server and the component will be performed through environment variables created on the device.

These environment values are automatically created by the Systems Management Agent when a component is launched. However, it is normal for the script to create environment variables manually to send responses to the Systems Management Server, which it will gather and add to the Systems Management Console.

In this case, three environment variables are required.

Variable name | Direction | Purpose
PCOP_PATH | Read | The script recovers the path where Endpoint Protection stores the quarantine on each User's device from the Systems Management Server
Result | Write | Send data to the Systems Management Server every 10 minutes through the standard output
Errorlevel | Write | Script error code. If it is 0, the Systems Management Server concludes that Monitoring is correct and does not collect the standard output data. If it is 1, the Systems Management Server concludes that Monitoring is incorrect, collects the standard output data (Result variable) and processes it

The settings needed to execute the component on the client's device will be the path to the folder to Monitor. This path could be hardcoded in the script source code but in this example, the values that the administrator has entered in the Systems Management console will be used in order to add more flexibility to the component.

The Errorlevel will inform the Systems Management Server whether it must process the script response (Result variable) or not: if the number of files in quarantine is the same or lower (emptying of quarantine), an Errorlevel 0 will be sent. However, if the number of files has increased, then 1 will be sent and certain information will be written in the standard output (Result variable).

For the Systems Management server to correctly interpret the standard output and extract the content of the component's Result variable, the following format must be used:

Line 1: <-Start Result->
Line 2: Result=(data to send)
Line 3: <-End Result->

Result will be the variable from which the Systems Management Server will extract the data once execution of the component terminates. The string on the right of = is the content that the Systems Management Server will store and process.

Important: If the script language chosen is Batch, the symbol ^ must be inserted in front of each < or > character. For example ^<-Start Result-^>

General functioning schema

- Step 1: load the Monitor component on the Systems Management Platform
- Step 2: deploy the Monitor through System Policies or Profile Policies
- Step 3: execute the component every 60 seconds
- Step 4: send information every 10 minutes and processing in the Systems Management Platform

Step 1: load the Monitor component on the Systems Management Platform

In General Menu, Components, Add Component.

Select the script type Monitors.

Select the scripting language to use, in this example VBScript.

Set the maximum execution time of the component. After this time has elapsed, the Systems Management Agent will interrupt execution.

Note: It is advisable to develop very light components that execute very quickly.

Set the input and output variables. In this example, PCOP_PATH will contain the path to the Endpoint Protection quarantine folder and Result will contain the script output.

By clicking Save, the component will be added to the account repository.

Step 2: deploy the Monitor through System Policies or Profile Policies

If you are developing a Monitor, a Monitoring Profile Policy or System Policy must be created.

Add the Target Windows 7 and a Component Monitor.
Select the recently created component and save.

You can specify the Severity of the Alert that Systems Management must create when the Monitor returns an error condition, and whether the Alert will be resolved automatically after a certain time or resolved manually by the administrator (N/A).

For the Systems Management Server to generate an email when new items are detected in quarantine, define an email response (Respond) with the recipient's address. The content of the Result response variable will be copied to the email that will be sent to the administrator.

After a Monitor has been created, a line will be added to the Policies screen.

To deploy the Monitor, click Push changes. This will apply the Policy and the Monitor will be deployed to all of the affected devices, triggering its execution.

Step 3: create environment variables and execute the component every 60 seconds

Once the Monitor has been deployed to the devices, it will run every 60 seconds. To do this, it invokes the associated script parser, reads the necessary environment variables and writes the appropriate response.

Note: The full source code of the script is included in Appendix A.

In line 24, the script reads the PCOP_PATH environment variable and obtains a FileSystemObject type object that points to the quarantine folder.

Lines 25 to 30 check whether the environment variable is defined. If the variable was not defined in the Systems Management Console, an error is returned in the Result variable and execution terminates with Errorlevel 1 (line 34).

In lines 44-51, the number of items in the Monitored folder is written to the Registry of the device. As the script is run every 60 seconds and we want to make a comparison every 10 minutes, 10 entries are written to the Registry, one for the value recorded every 60 seconds.

The component is executed on the User's device "atomically": the status between two successive executions of the same script is not stored. If the same script must be executed several times in order to generate a valid result, the intermediate status must be saved on the device and read every time the component is executed.

Note: It is advisable to use the Registry to store the status between two or more executions of the component on a device, although temporary files can also be used.

When the counter is equal to 9 (10 entries in the Registry, 10 minutes), the initial value is compared with the final value (line 57). If the final value is higher, lines 59, 60 and 61 send the difference and the script terminates with Errorlevel 1.

When the final cycle has ended, all of the entries are deleted from the Registry (lines 64-66) and the last entry is copied as the first to continue the process.

Step 4: send standard output every 10 minutes and processing in the Systems Management platform

If the script ends execution with Errorlevel 0, the response is not considered by the Systems Management Server. If it ends with Errorlevel 1, the Systems Management Server will read the standard output in search of the Result variable between the strings <-Start Result-> and <-End Result->. With this information, the actions configured in the Monitor definition will be performed.

How to use global variables

If new scripts are developed frequently, it is highly probable that you will want common data in all of them, such as paths to specific folders on the User's hard disk, the letters of shared drives on servers or even common credentials to execute certain tasks.

A possible solution is to add all of the data needed to each script, so that if the data changes, every script developed will have to be updated manually and redistributed to the devices. The most convenient option, however, is to define global variables at Profile or System level that can be used directly by the scripts.

In General Menu, System, Settings or Profile Menu, Settings, you can define variables and their content, which will be directly accessible from the scripts that you design when they are executed on Users' devices. In the case of storing sensitive data, such as Usernames and passwords, you can select the mask checkbox to replace the content of the variable with asterisks in the Systems Management Console.

When distributing the script, the Systems Management Server will send the content of the variable to the Systems Management Agent, which will create environment variables on the User's device that are easily accessible to the scripts you have designed.

Labels and custom fields

Step 2 in the example specified which tasks the Systems Management Server must trigger when the component result is "error"; in this case, an email reporting the change of status of the device was sent to the administrator. This approach is correct in the case of a device that meets an error or exception condition when the administrator wants to be informed of this without needing to check the Systems Management Console every so often. However, it might be necessary to simply view the status of a device without considering the error conditions. To do this, the data of interest must be published in the Systems Management Console. In this case, the component uses the Custom fields in the Console, which are in the Tab bar, Summary at Device Level for each device; in the list of devices, add the necessary column as explained in Chapter 5: Devices.

The Custom Field 1 tag and subsequent tags (up to 5) can be renamed globally for all devices managed by the partner, regardless of the Profile to which they belong, or they can be defined at a specific Profile level:

At System Level in General Menu, Account, Settings.
At Profile Level in Tab Bar, Settings.

The content of the Custom Fields is taken from the following branches of the Registry of each device:

HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage\Custom1
HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage\Custom2
HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage\Custom3
HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage\Custom4
HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage\Custom5

Each branch specified can contain a string of up to 255 characters. A component can freely write to the specified branches; the Systems Management Agent will read them on launching an automatic audit (every 24 hours) or manual audit (on demand) and will send the information to the Systems Management Server, which will display it in the Systems Management Console. Furthermore, the Systems Management Agent will delete this information from the Registry of the device once it has been read and sent to the Systems Management Server.

CREATE A SCRIPT TYPE COMPONENT

A Script component is created in exactly the same way as a Monitor component. First of all, select Scripts when creating the component.

The configuration screen differs from the one in Monitors only in the information collection area: you cannot define output variables but, instead, you can search for strings in the Standard output (stdout) or Error output (stderr) to enable Warning conditions in the Systems Management Console.

To use a Script component, first mark it as favorite in the component list. It will then appear in the Quick Jobs and Jobs lists.

Click OK and the component will be executed immediately.
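The Monitor component walked through in this chapter, as an added VBScript example (not the Appendix A script, so the line numbers cited above do not apply to it): it reads PCOP_PATH, keeps its samples in the Registry between runs, and reports through the Result block and Errorlevel. The registry key and value names are assumptions made for the example, as is the Agent launching the script with cscript under an account that can write to HKLM.

```vbscript
Option Explicit

' Assumption: state is kept under this hypothetical registry key (not a key the
' product defines), one REG_DWORD value per 60-second sample.
Const STATE_KEY = "HKLM\SOFTWARE\ExampleMonitor\Quarantine\"
Const SAMPLES_PER_CYCLE = 10   ' the first and the tenth sample are compared

Dim shell, fso, env
Set shell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
Set env = shell.Environment("PROCESS")

' Emit the Result block in the format the server parses, then exit with exitCode.
Sub Report(ByVal text, ByVal exitCode)
    ' Keep Result on a single line so the data cannot break the Start/End framing.
    text = Replace(Replace(text, vbCr, " "), vbLf, " ")
    WScript.Echo "<-Start Result->"
    WScript.Echo "Result=" & text
    WScript.Echo "<-End Result->"
    WScript.Quit exitCode
End Sub

' Return the stored sample at index, or -1 when that value does not exist yet.
Function ReadSample(ByVal index)
    Dim stored
    ReadSample = -1
    On Error Resume Next
    stored = shell.RegRead(STATE_KEY & "Sample" & index)
    If Err.Number = 0 Then ReadSample = CLng(stored)
    On Error GoTo 0
End Function

Sub WriteSample(ByVal index, ByVal count)
    shell.RegWrite STATE_KEY & "Sample" & index, count, "REG_DWORD"
End Sub

Sub ClearSamples()
    Dim i
    On Error Resume Next   ' a value that is already absent is not an error here
    For i = 0 To SAMPLES_PER_CYCLE - 1
        shell.RegDelete STATE_KEY & "Sample" & i
    Next
    On Error GoTo 0
End Sub

Dim folderPath, currentCount, slot, firstCount, message

' Input: PCOP_PATH is created by the Agent from the value entered in the console.
folderPath = env("PCOP_PATH")
If folderPath = "" Then Report "PCOP_PATH is not defined", 1
If Not fso.FolderExists(folderPath) Then Report "Folder not found: " & folderPath, 1

currentCount = fso.GetFolder(folderPath).Files.Count

' Executions keep no state of their own: count the samples already stored.
slot = 0
Do While slot < SAMPLES_PER_CYCLE
    If ReadSample(slot) < 0 Then Exit Do
    slot = slot + 1
Loop

If slot < SAMPLES_PER_CYCLE - 1 Then
    ' Not yet the tenth sample: record the count and report "correct".
    WriteSample slot, currentCount
    WScript.Quit 0
End If

' Tenth sample: compare it with the first, then restart the cycle with this
' count as the first entry of the next one.
firstCount = ReadSample(0)
ClearSamples
WriteSample 0, currentCount

If currentCount > firstCount Then
    message = CStr(currentCount - firstCount) & " new item(s) in " & folderPath
    Report message, 1
End If
WScript.Quit 0
```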

12 Assets Audit

Systems Management helps you catalog all your hardware and software assets, monitors the appearance of any new devices and the software installed on them, and monitors the paid licenses that the company has acquired.

To access these functions, click the Tab Bar, Audit to show the audit panel.

Note: The data in the Audit tab is refreshed automatically every 24 hours. It can also be refreshed on demand at any time by clicking the binoculars icon in the Actions Bar.

The Audit tab is available at the three levels (System, Profile and Device), displaying more detailed or more generic information depending on the level selected. It also offers three types of Audits, selected with the corresponding radio button:

Hardware: Devices on the client's network, installed hardware, etc.
Software: Software on the devices with the Systems Management Agent installed.
Licensing: Details of the software licenses used.

HARDWARE AUDIT AT PROFILE LEVEL

If you select the Hardware radio button, the Systems Management Console displays all the information about the managed hardware discovered on the client's network, divided into three different sections:

Managed devices

This contains a list of the devices installed, organized by make or model. By clicking Model you can see a list of the devices grouped according to make or model.

Discovered devices

This contains a list of the devices on the network that are not managed by Systems Management. You can configure the columns displayed in the list, which include the option Last seen by. This field indicates the Windows computer with a Systems Management Agent that last detected the device on the network.

Note: Only Windows computers with a Systems Management Agent installed can detect other unmanaged devices on the network.

Note: A Windows device with the Systems Management Agent installed will automatically look for unmanaged devices on the subnet up to a maximum size of class B (65,535 computers).

The information displayed in the list of discovered devices is updated during every automatic audit (every 24 hours) or whenever there is a manual audit request. Methods used by the Systems Management Agent for discovering unmanaged devices include:

Ping (ECHO Request)
ARP resolutions
NetBIOS requests
Opening socket on UDP port 161

Network printers

One special case of a discovered unmanaged device is that of printers. Using SNMP, a managed device with the Systems Management Agent installed can detect the presence of network printers on the same subnet. Printers are represented by a special icon and if you click them they become managed devices, as explained in Chapter 5: Devices, in the "Management of devices not supported by the Systems Management Agent" section.

Important: Each printer that is added to the Systems Management Console as an additional device will use a license from the total number of licenses the customer has contracted.

Unmanaged Devices

In the Unmanaged Devices section you can enter information about unmanaged devices to complete the inventory of managed assets.

SOFTWARE AUDIT AT PROFILE LEVEL

Select the Software radio button in the Systems Management Console to display all the information about the software installed on devices on clients' networks, organized by program name and version.

Click on the program name to see the list of devices that have it installed and perform actions on them as a group, such as version upgrades or running scripts to uninstall software packages that the company has determined to be unnecessary.

AUDITS AT DEVICE LEVEL

The Device Level audits are the most detailed, displaying all relevant information about the selected Device. Much of the Device information displayed in the Audit tab is also displayed in the Summary tab. There is also detailed information about the hardware installed:

Storage: information about the size of the drives, free space and description.
Network adaptors: name of the network adaptor and MAC address.
Attached devices: information about USB devices connected to the device.

Change log

At Device level there is no information available about the licenses used by the selected Device. Instead, the combo box has a new entry, Change log, which displays the changes to hardware and software that have been made on the computer and the date these changes were made. This helps administrators diagnose problems on Devices, as problems can be correlated with changes made on the device.

13 Centralized software deployment and installation

OBJECTIVE OF CENTRALIZED SOFTWARE INSTALLATION

The Systems Management Server can automatically deploy software files and packages to all the managed devices across the network. This allows the administrator to guarantee that all of the managed devices have the software or documents Users need to work, without having to go to each device individually or connect via remote access.

Automatic software deployment will help the administrator to keep software vulnerability-free (Java, Adobe, etc.), thereby significantly reducing the risk of infection and loss of confidential data.

CENTRALIZED SOFTWARE INSTALLATION REQUIREMENTS

Software deployment and installation is a process that is executed through Application components. Like the Monitor and Script components described in Chapter 11: Component execution, Application components consist of a small script, which in this case simply guides the installation process, and a series of files and/or programs to install.

A separate component must be created for each group of files or programs to install on the User's device.

PACKAGE DEPLOYMENT AND INSTALLATION PROCEDURE

The general procedure consists of 4 steps:

1. Identify the devices on which to install the software

The procedure for finding the devices that do not have the files or programs installed will vary depending on whether or not the Systems Management Server can perform an audit of the programs installed on the device.

If the software to install appears on the list of installed programs kept by the operating system, it will also appear in Systems Management software audits and, therefore, a Filter can be created to filter the devices that already have the software installed.

If the software does not have an installer and therefore does not appear on the list of installed programs, or if it is a one-off document, configuration files, etc., the Systems Management Server cannot filter devices that already have these files installed and the installation script will have to make the appropriate checks manually.

2. Generate a software installation component

The steps are the same as those described in Chapter 11: Component execution to create Script or Monitor components.

3. Launch a Job to push the installation component to the Agents on the affected devices

You can launch a Scheduled Job for a specific date on which the User is not working with the device, in order to minimize the impact on performance.

4. Collect the deployment result in order to identify possible errors

Once the process is complete, an error code and/or message can be collected, which will display the deployment result in the Systems Management Console. There are four final statuses:

Success: deployment execution was completed without errors. The script returns the code Errorlevel 0.
Success - Warning: deployment execution was completed with some unimportant errors. The script returns the code Errorlevel 0 and a string through the Standard Output or Standard Error, which will be interpreted by the Systems Management Console.
Error: deployment execution was not completed. The script returns the code Errorlevel 1.
Error - Warning: deployment execution was not completed. The script returns the code Errorlevel 1 and a string through the Standard Output or Standard Error, which will be interpreted by the Systems Management Console.

DEPLOYMENT EXAMPLES

To illustrate software distribution, below are four examples:

1. Deploy documents through script language
2. Deploy documents without script language
3. Deploy self-install software
4. Deploy software without an installer

The procedures described here and the third-party tools and script languages used are examples and could vary. Systems Management is designed to be flexible and adapt to the tools with which the administrator feels most comfortable.

Deploy documents through script language

The objective of this example is to deploy three Word documents to a folder in the root directory of the User's device. To do this, the following steps are followed:

1. Identify the devices on which to install the software

As in this case the Systems Management Server does not have visibility of the status of the hard disk on the User's device at file system level, the installation script will be deployed to all of the devices in the Profile and the script (lines 19-24) will check whether or not the folder containing the documents exists.

If the folder does not exist, it is created (line 28), the documents are moved to it (lines 30-32) and a message is sent through the Standard Output (line 37).

2. Generate a software installation component

An Applications component will be added, to which the documents to deploy and the script that will create the folder and move the three documents on each device will be added.

In the Component screen: Application it is important to specify:

The component is Favorite so that it appears on the component lists (star icon in the top left)
The component category (Applications) and name
The script language used (Install command)
Add the documents to deploy in the Files section

In Post-Conditions, you can specify text strings that the Systems Management Console will interpret as Warnings.

The example specifies that if the Standard Output (Resource: stdout) contains (Qualifier: is found in) the string "Deploy unsuccessful", the result of executing the script will be considered a Warning.

3. Launch a Job to push the software to the Agents on the affected devices

Click Quick Job or Job after selecting the devices from the Profile to which to deploy the documents.

Note: At System Level, you can select complete Profiles to which to apply software deployment.

After the Job has been launched, it will appear in General Menu, Scheduled Jobs, Active Jobs.

4. Collect the deployment result in order to identify possible errors

The example script defines three exit conditions:

Success: the files are copied to the Target folder without any errors (lines 30-32). Ends with an Errorlevel 0 (line 38).
Error: an error occurs when copying the files. Ends with an Errorlevel 1 (line 35).
Success - Warning: the folder already exists so the files are not copied. Ends with Errorlevel 0 (line 23) and the string "Deploy unsuccessful" is generated, which the Systems Management Server will interpret as a Warning, as configured in the Post-Conditions area in step 3.

In Tab Bar, Completed Jobs, you can see the deployment result: in Red if it ended with Error, Orange if there was a Warning or Green if it was Successful.

The Stdout and Stderr icons show a copy of the Standard Output and Standard Error generated by the script.

Furthermore, this tab contains an Icon Bar that allows several actions to be triggered:

The Actions area groups the icons that allow you to relaunch the Job, reload the page to update the Job status or download the Standard Output and Error to a file.
The Views Filter allows you to filter the Jobs by status.
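The three exit conditions of this example, as added VBScript (not the guide's own script, so the line numbers cited above do not apply to it). The target folder, the file names and the script running from the folder that holds the component's files are assumptions.

```vbscript
Option Explicit

' Assumptions (not from the guide): the target folder name, the three file names,
' and that the Agent runs the script from the folder holding the component's files.
Const TARGET_FOLDER = "C:\ACME Documents"
Dim documents
documents = Array("Handbook.docx", "Policy.docx", "Contacts.docx")

Dim fso, doc, failure
Set fso = CreateObject("Scripting.FileSystemObject")

' Success - Warning: leave an existing folder untouched and emit the string that
' the component's Post-Condition looks for in stdout; Errorlevel stays 0.
If fso.FolderExists(TARGET_FOLDER) Then
    WScript.Echo "Deploy unsuccessful: " & TARGET_FOLDER & " already exists"
    WScript.Quit 0
End If

' Check every source file before changing anything, so that a missing file does
' not leave a half-populated folder that later runs would treat as deployed.
For Each doc In documents
    If Not fso.FileExists(doc) Then
        WScript.Echo "Missing source file: " & doc
        WScript.Quit 1
    End If
Next

' Error: any failure while creating the folder or moving a file ends with
' Errorlevel 1. After the first failure the remaining moves are skipped.
On Error Resume Next
fso.CreateFolder TARGET_FOLDER
For Each doc In documents
    If Err.Number = 0 Then fso.MoveFile doc, TARGET_FOLDER & "\" & doc
Next
If Err.Number <> 0 Then
    failure = Err.Description
    On Error GoTo 0
    WScript.Echo "Copy failed: " & failure
    WScript.Quit 1
End If
On Error GoTo 0

' Success: the message must not contain the Post-Condition string.
WScript.Echo "Documents deployed to " & TARGET_FOLDER
WScript.Quit 0
```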

Deploy documents without script language

The installation script can be greatly simplified if previous checks are not required or if warnings do not need to be generated in the Systems Management Console.

This example deploys the 3 documents from the previous example but in this case, instead of generating the folder structure from the script, a self-extracting .exe package is created which contains the compressed documents and the folder structure considered necessary. The .EXE package can be generated using many tools. This example uses WinRar.

Note: To download a free version of WinRar, go to

This example generates a self-extracting .exe file with the following characteristics:

Functioning in Silent mode
The folder with the content will be automatically created in C:\
If the folder already exists, its content will be overwritten without warning

Important: It is essential to generate a self-extracting file that functions in Silent mode, i.e., it does not display dialog boxes or windows and does not require User intervention.

Steps for generating a silent self-extracting installation file:

Step 1: prepare the folder with the documents to deploy. Create the root folder (ACME Documents in the example) and place all of the files, folders and sub-folders to be deployed inside.

Step 2: generate the executable file. With the WinRar program open, drag the recently created folder ACME Documents and select the options Create SFX archive and Create solid archive.

Step 3: configure the executable file as Silent. To do this, enable Hide All in Advanced -> SFX Options -> Modes -> Silent Mode.

Step 4: in the General tab, specify the path to extract, where the folder will be created.

Step 5: specify that all files will be overwritten if they already exist, without asking the User.

Once the ACME Documents.exe package has been generated, create the Application component to deploy it.

In the Component screen: Application it is important to specify:

The component is Favorite so that it appears on the component lists (star icon in the top left)
The component category (Applications) and name
The script language used (Install command), in this case Batch
Add the package to install ACME Documents.exe

The script will simply execute the self-extracting package, which will create the folder in the C:\ drive along with the internal structure, overwriting any previous content.

Self-install software deployment

In this example, the Microsoft Framework .NET 4.0 dotnetfx40_full_x86_x64.exe package will be deployed to the devices on which it is not already installed. To do this, and as Microsoft Framework .NET 4.0 is a program that appears in the program list kept by the device's operating system, we will use a Filter to identify those on which it is not installed.

The installation package is a self-extracting .exe that accepts the parameters /q /norestart to execute in silent mode and prevent the device from restarting, so no additional special preparation is required.

1. Identify the devices on which to install the software

To filter the devices on which the software is already installed, you need to know which identification string corresponds to the package already installed. This data can be obtained from Tab Bar, Audit, Software on a device on which the package is already installed.

This data is used to create a Profile Filter or a System Filter with the following settings:

Field: software package, to inspect the software installed on the device.
Search Item: here you can enter the string that identifies the software to install.
Condition: Does not contain, to select the devices that do not contain the content specified in Search Item in the Software package field.

2. Generate a software installation component

It is extremely easy to create an installation component.

In the Component screen: Application it is important to specify:

The component is Favorite so that it appears on the component lists (star icon in the top left)
The component category (Applications) and name
The script language used (Install command), in this case Batch
Add the package to install dotnetfx40_full_x86_x64.exe

The script only has one relevant line, which is the one that executes the installation package with the parameters necessary for a silent installation.

3. Launch a Job to push the software to the Agents on the affected devices

Firstly, select the previously prepared Filter and then execute a Job with the application created.

4. Collect the result in order to identify possible errors

A good way of checking the installation result is to check the previously prepared device Filter to see if the number of devices on which the deployed software is not installed is lower. All of the devices that continue to appear in the Filter will have returned some kind of error.

Important: The device audit data containing the hardware and software installed is sent to the Systems Management Server by the Systems Management Agent every 24 hours, so the list of recently installed software will not be updated until this time has elapsed. However, you can force a manual update using the Request device audit action in the Action Bar.

Deploy software without an installer

Many programs consist of a single executable file without an associated installer that generates the necessary structure in the Start menu, the desktop shortcuts or the corresponding entries in Add or Remove Programs. These types of programs can be deployed by following the document or self-extracting package example. However, doing it in this way prevents the Systems Management Server from generating a reliable audit of installed programs, as they will not appear in the list of installed programs kept by the device's operating system.

For this reason, third-party tools are often used that generate a single MSI package with all of the programs to add, creating the necessary groups in the Start menu and the shortcuts on the User's desktop in order to simplify execution.

To do this, this example will use the program Advanced Installer, the free version of which allows you to easily generate MSI installers.

Important: To download the free version of Advanced Installer, go to download.html

Follow these steps to generate the installer:

1. Select the Simple template (free)

2. In Products Details, enter the basic details of the installer: Product Name, Product Version and Company Name.

3. Add the files and programs to install and the shortcuts to create. This is done in the Files and Folders tab.

4. Finally, execute Build and the MSI package will be generated in the selected folder.

Once the installation package has been generated, the steps for creating an installation component and deploying it are the same as in previous examples, except for the script in Batch, whose installation command will vary slightly.

The MSIEXEC utility is invoked using the /qn parameter to launch a silent installation.

The component is marked as Favorite so that it appears on the component lists (star icon in the top left)
The component category (Applications) and name
The script language used (Install command), in this case Batch
Add the package to install My Software.msi

SAVE BANDWIDTH IN SOFTWARE DEPLOYMENT

The Systems Management Agent installed on each device checks the Systems Management Server for downloads every 60 seconds and, if any are available, the download is run individually for every Systems Management Agent. In this way, for a 50 Megabyte installation package and a network of 50 devices, the download result will be 2.4 Gigabytes.

To minimize the total download volume, one of the network devices can be promoted to the Role of repository / cache. By doing this, only this device will download from the Systems Management Server and then deploy the package to all of the affected network devices.

To promote a device to the Role of repository / cache, access the device at Device Level in the Systems Management Console and click the Add/Remove as local cache icon in the Action Bar.

The allocated device will then download and deploy the components and installation package to the devices in the local network, speeding up deployment and minimizing bandwidth usage.

14 Ticketing

WHAT IS THE TICKETING SYSTEM?

The increase in the number of devices to manage and the growing number of technicians assigned to resolving problems will sooner or later require the implementation of a system that allows each case handled by the IT department to be documented and coordinated.

Ticketing systems are used to track each incident from the moment it is created until it is closed, recording all of the intermediate statuses through which it evolves.

Therefore, it is possible to assign a case to a specific technician and reassign it to another one if the original technician is not available or the task requires very specific knowledge, storing all of the documentation and progress made up until then and minimizing interruptions to the end User caused by repeated requests for information about the same problem.

Secondly, forcing documentation of incidents allows the procedure to be reused in the future and fine-tuned, minimizing the response time for open cases.

Finally, a Ticketing system allows you to identify the workload of the IT department, filtering the Tickets open at a given time and assigning more resources if necessary.

DESCRIPTION OF A TICKET

Each Ticket contains a series of fields that describe it:

Creator: Ticket creator. It can be a device, if the Ticket was created from the Systems Management Agent by a User, or a system account, if it was created by a Monitor and assigned to a technician
Profile: Group of devices to which the Ticket belongs
Date Created: creation date of the Ticket
Status: There are four statuses:
New: recently created Ticket with the description of the problem and assigned to a technician. No Job has been done yet.
In progress: the technician assigned from the IT department is managing the incident
Waiting: resolution of the incident is on hold due to external causes (lack of information, changes awaiting confirmation by the Users, or others)
Closed: the incident has been resolved and closed
Severity: severity of the Ticket. If it was generated by a Monitor, the severity assigned to the Monitor will be copied.
Assigned to: technician assigned to resolve the incident.
Summary: summary of the incident.
Content: description of the incident
Comments: in this field, both the technician and the User can add entries that complete and update the incident.

Note: It is advisable to use the Comments field frequently, documenting changes to the incident and the actions performed, both by the technicians from the IT department and by the User, through the tests performed and other data of interest. The aim is to reuse this information to simplify similar incidents in the future.

CREATE A TICKET

Tickets are created in three ways:

Manually by the User from the Systems Management Agent: if the User notices that the device is not working correctly and wants to leave a written record of the symptoms.

To register a Ticket manually, the User must open the Systems Management Agent by right-clicking its icon, select Open and click the Tickets, Open a New Ticket tab. After creating the Ticket, new comments can be added and it can be closed.

Note: Tickets created from the Agent are automatically assigned to the user account configured in the General menu, Account, Settings, End-user Ticket Assignee, or from the Profile in Settings.

Automatically from a Monitor that detects a condition defined as an anomaly on a User's device: when defining a Monitor Policy, in the Ticket Details tab.

In this case, you can choose the technician assigned and whether an email notifying that the Ticket has been created will be generated.

Manually by the IT department from the Systems Management Console: these are usually reminders or tasks that officially join the department's queue. They are created from Profile Level or System Level in Tab Bar, Support, by clicking Create Support Ticket.

In this case, you can specify the severity of the Ticket and its content and assign it to a technician to be resolved or reassigned.

TICKET MANAGEMENT

Tickets that have already been created are managed from Tab Bar, Support at Profile, System or Device level.

Note: Tickets created at lower levels will be displayed at higher levels. For example, if Tickets are created at Device Level, they will appear at the Profile Level to which this device belongs.

With the icons in the Action Bar, you can filter the Ticket list (Open Tickets, My Tickets, All Tickets) or edit their status with the pen icon. To change the severity, status and the technician to whom a Ticket is assigned, click the Ticket number.

Important: Tickets created at System Level do not have a Profile assigned and are not displayed in any Profile created in the Systems Management account.

15. Patch Management

WHAT IS PATCH MANAGEMENT?

Patch Management is a series of resources for centralized deployment and installation of patches and software updates.

Patch Management not only eases daily updating of the software on your devices but also allows you to perform audits, quickly and easily displaying devices that are not updated or that have known vulnerabilities. With Patch Management, the administrator can strengthen network security and minimize software failures, guaranteeing that all devices are updated with the latest patches published.

Important: Patch Management uses the Windows Update API on all Microsoft Windows devices supported by Systems Management.

Important: Patch Management supports Microsoft Windows systems.

WHAT PATCHES CAN I DEPLOY / APPLY?

All the patches and updates published by Microsoft through Windows Update can be centrally managed through Systems Management. Microsoft publishes updates for all Windows operating systems currently supported and for the software it develops:

- Microsoft Office
- Exchange 2003
- SQL Server
- Windows Live
- Windows Defender
- Visual Studio
- Zune Software
- Virtual PC
- Virtual Server
- CAPICOM
- Microsoft Lync
- Silverlight
- Windows Media Player
- Other...

PATCH DEPLOYMENT AND INSTALLATION

Systems Management includes three complementary patch management methods. Each of them has different functions to adapt to all possible needs and/or scenarios.

Although the three methods are complementary, some of the functions are shared by all of them. If you are going to use various patch management methods at the same time, be particularly careful not to define processes that overlap, as the end result could vary depending on the order defined, leading to unpredictable results.

Important: The procedures described here can collide with other procedures defined by third-party software, such as Windows Update Policies defined in a GPO. It is advisable to disable the Policies of third-party manufacturers that interfere with those defined in Systems Management.

Method 1: Manual patch management

General description

Manual patch publication allows you to select the patches to install one by one, according to the criteria applied by the administrator. This method allows maximum granularity, as all of the patches installed on each device and the patches pending installation are displayed at all times.

The Grouping levels supported by this method are the three existing levels: System Level, Profile Level and Device Level. Therefore, you can select patches for a specific device (Device Level), for a specific Group (Profile Level) or for all devices registered on Systems Management (System Level).

Access the manual patch management method

It is accessed through Tab Bar, Manage in the three levels available.

The actions available are:

- Approve patch: by selecting the patches and clicking the green circle icon. After approving a series of patches they will be pending installation. Approved patches are installed manually at the time specified in Tab Bar, Manage at System Level.

Note: The time at which approved patches will be manually installed can only be defined at System Level. All of the devices managed through Systems Management will install the approved patches pending at the configured time.

- Hide patch: selecting the patches and clicking the blue circle icon hides them from the lists of available patches
- Quick patch: by selecting the patches and clicking the green circle icon with an arrow, the patches will be installed immediately, without waiting for the time defined in the Manage (System Level) settings
- Reset patch: by clicking the white circle icon, the patches selected will be cleared

View patches

All of the patches published by Microsoft over time are grouped in three drop-down lists, depending on their status with respect to the managed device. The three statuses are:

- Missing patches: patches that have not yet been installed on the devices belonging to the selected level. At levels above Device, the number of devices on which each specific patch is not installed is also shown
- Installed Patches: patches that have already been installed at the selected level. At levels above Device, the number of devices on which each specific patch is installed is also shown.
- Hidden Patches: patches that the administrator has decided to hide because they do not need to be applied and a reminder is not needed.

In order to simplify searches, detailed information is available on expanding each category and an Icon Bar is available to filter the patch lists.

The Search Bar allows you to choose the patches displayed according to the following criteria:

- Severity: the severity defined by Microsoft: Critical, Important, Moderate, Low, Unspecified.
- Reboot required?: whether the device must be rebooted after applying the patch
- User input required?: whether User input is required to apply the patch
- Category: allows you to search for the patches that apply to a specific software program

Note: Microsoft only specifies the severity of security patches (Security Updates). The rest of the patches generally have Unspecified severity.

Systems Management provides the following information for each entry:

- Check: to select the patch
- Action icon: patches with actions pending will appear with the circle icon in green
- Title: full name of the patch provided by Windows Update
- Severity: importance of the patch provided by Windows Update (only for Security Updates)
- Size: size of the patch to download, provided by Windows Update
- Reboot: whether rebooting is required after installing the patch
- User input: whether User input is required to install the patch or not (dialog boxes to accept EULAs and others)

Manual patch management method usage scenarios

- When the administrator requires very accurate supervision of the patches applied on the devices managed

Method 2: Windows Update Policy

General description

Windows Update Policies permit centralized configuration of the Windows Update features integrated in the Windows devices on the network. As it is a Policy, the Grouping levels supported by this method are System Level and Profile Level.

Access Windows Update Policy method

To access this method, create a Windows Update Policy at Profile Level or System Level. A screen appears where you can centrally configure the behavior of Windows Update on all of the devices affected by the Policy created.

Windows Update Policies are configured in the same way as Windows Update resources on each individual Windows device. Windows Update classifies the patches it receives into three categories:

- Important
- Recommended
- Optional

Only Important and Recommended patches can be automatically installed. The rest of the patches will be installed manually from the User's device or from Systems Management using other Patch Management methods.

Note: All of the settings in this Policy are a transposition of the features of Windows Update on Windows devices. All of the actions specified therefore refer to the devices and not to the Systems Management Agent or the Systems Management console.

Important: Although the Policy settings are the same for all devices, the behavior of Windows Update on each device can vary slightly between the different operating system versions.

Below are some of the Policy options:

- Add Target: lets you add Filters or Groups that delimit the scope of application of the Policy
- Patch Policy: specifies the general behavior of Windows Update on each device with respect to the patches classified as Important by Microsoft:
  - Automatically download and install
  - Manual download and selection by the User
  - Notify without downloading
  - Disable Windows Update
- Install new updates: specifies when the patches will be installed
- Give me recommended updates the same way I receive important updates: apply the Policy selected in Patch Policy for both Important and Recommended patches
- Allow all Users to install updates on the computer: allow the User to manually install the patches
- Give me updates for Microsoft products and check for new optional Microsoft software when updating Windows: check for Optional patches, generally patches for other Microsoft products
- Show me detailed notifications when new Microsoft software is available: detailed notifications are shown to the User when new Microsoft software is available
- No auto-restart with logged on Users for scheduled automatic updates installations: if this option is selected, the patches are applied and the User is notified of the need to reboot. If it is not enabled, the patch will be installed and the User will be notified that the device will reboot in 5 minutes
- Re-prompt for restart with scheduled installations: define the time before Windows Update prompts the User again to restart the device if patches that require a restart have been installed
- Delay restart for scheduled installations: define the time that the system will wait to restart after installing patches. If nothing is specified, the default value will be used: 15 minutes
- WSUS: allow an alternative local or remote Windows Server Update Services server to be used in order to minimize downloading of individual patches by each network device
- Enable Client-side Targeting: if a WSUS server is used with Client-side Targeting enabled, the Groups and the devices they contain will be manually defined in the WSUS server. In this parameter of the Policy, you can specify the Groups to which the device affected by the Policy belongs, separated by a semi-colon

Important: If some or all of the devices affected by the Windows Update Policy do not coincide with the devices defined in the WSUS Groups, the Policy will not be applied to these devices.

Windows Update Policy method usage scenarios

- When the administrator needs a guarantee that all important patches are automatically installed on all network devices, without the User obstructing the process
- When the administrator does not require control of each patch installed and can delegate the installation decision to Microsoft according to its classification of patches as Important or Recommended
- When patches classified as optional do not need to be installed automatically
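The warning earlier in this chapter about Windows Update Policies defined in a GPO can be checked on an individual device. The PowerShell below is an added example, not part of the guide or of Systems Management: it lists the Windows Update settings that Group Policy has written to the standard Windows policy registry key, on the assumption that these are the settings that could collide with a Policy defined in the console.

```powershell
# Added example (not from the guide): list Windows Update settings enforced by Group Policy.
# Read-only; run in PowerShell on the managed Windows device.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'  # Group Policy writes here
$auKey = Join-Path $wuKey 'AU'

# Registry value name -> what it controls, for each of the two keys.
$wuSettings = [ordered]@{
    WUServer           = 'WSUS server used instead of Microsoft Update'
    WUStatusServer     = 'WSUS server that receives status reports'
    TargetGroupEnabled = 'Client-side targeting enabled when 1'
    TargetGroup        = 'WSUS group(s) for client-side targeting, separated by semicolons'
    ElevateNonAdmins   = 'Non-administrators may install updates when 1'
}
$auSettings = [ordered]@{
    NoAutoUpdate                  = 'Automatic updates disabled when 1'
    AUOptions                     = '2 notify only, 3 download and notify, 4 download and install on schedule, 5 local administrator chooses'
    ScheduledInstallDay           = 'Install day: 0 every day, 1 to 7 Sunday to Saturday'
    ScheduledInstallTime          = 'Install hour, 0 to 23'
    IncludeRecommendedUpdates     = 'Recommended updates handled like important ones when 1'
    UseWUServer                   = 'Use the WSUS server named in WUServer when 1'
    NoAutoRebootWithLoggedOnUsers = 'No automatic restart while a User is logged on when 1'
    RebootRelaunchTimeout         = 'Minutes before the User is prompted again to restart'
    RebootWarningTimeout          = 'Minutes the system waits before a scheduled restart'
}

function Get-PolicySetting {
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Known
    )
    if (-not (Test-Path -Path $Path)) { return }       # key absent: nothing enforced here
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        if (-not $Known.Contains($name)) { continue }  # skip values this example does not cover
        [pscustomobject]@{
            Setting = $name
            Value   = $key.GetValue($name)
            Meaning = $Known[$name]
        }
    }
}

$found = @(Get-PolicySetting -Path $wuKey -Known $wuSettings) +
         @(Get-PolicySetting -Path $auKey -Known $auSettings)

if ($found.Count -eq 0) {
    'No Windows Update settings are enforced by Group Policy on this device.'
} else {
    $found | Format-Table -AutoSize -Wrap
    '{0} Windows Update setting(s) come from Group Policy; compare them with the Policy defined in the console.' -f $found.Count
}
```

An empty result only shows that no Group Policy setting is present in these two keys; it says nothing about other third-party patching tools.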

Method 3: Patch Management Policy

General description

Patch Management Policies permit automatic installation of patches, in a similar way to the Windows Update Policies. The main difference lies in how the patches to install are grouped. Whereas the Manual method allows you to choose each patch to apply and the Windows Update Policy allows you to apply patches by level (Important, Recommended or Optional), the Patch Management Policy allows you to select the patches to be applied by grouping them in a more flexible manner: by name, description, size, type and others. As it is a Policy, the Grouping levels supported by this method are System Level and Profile Level.

Access Patch Management Policy method

To access this method, create a Patch Management Policy at Profile Level or System Level. A screen appears where you can centrally configure the behavior of Patch Management for all of the devices affected by the Policy created.

Below are some of the less obvious Policy options:

- Add Target: lets you add Filters or Groups that delimit the scope of application of the Policy
- Window: allows you to define a patch installation window. During the installation window, the patch downloads can be spread out so as not to saturate the client's data line by selecting the Randomize the start time to smooth network load checkbox
- Install criteria: lets you select the patches to install on the device. There are three options:
  - Install all patches: install all patches released.
  - Filter patches by the following criteria: lets you set a Filter with one or more criteria. To establish criteria:
    - Choose a Term associated to each patch.
    - Choose the Condition. This field varies according to the selected Term.
    - Choose the search term. This field will vary depending on the type of Term chosen.
    You can create complex criteria through the interaction of several Terms and the logical operations AND / OR. You can also define different values for each Term defined with AND / OR operations.
  - Install individual patches: this lets you define specific patches using filter tools similar to those described earlier in the manual process.

Patch Management Policy method usage scenarios

- When the administrator needs higher granularity than that provided by the Windows Update Policy method
- When the administrator needs to install all patches without exception, automatically and centrally

Method comparison table

Manual management
- Patch selection granularity: High. Select patch by patch
- Automation: Low. Requires manual and constant approval of patches
- Configuration time: High. Manual revision of all patches published and selection

Windows Update Policy
- Patch selection granularity: Low. Patch selection according to Important and Recommended Groups
- Automation: High. The Groups of patches to install are configured once
- Configuration time: Low. Choose whether important and optional patches are installed

Patch Management
- Patch selection granularity: Moderate. Patch selection via configurable multiple criteria
- Automation: High. After creating the Filters, the patches will be automatically installed as Microsoft releases them
- Configuration time: Moderate. Define the Filters to select the patches to install

AUDITS

The Manage tab at Profile Level or System Level shows, at a glance, the status of the entire managed network as regards patch application.

Selection criteria

The selection criteria (All devices, Servers, Workstations) define a Filter for all of the devices in the Profile (Manage at Profile Level) or all of the devices managed (Manage at System Level).

Pie chart

After defining the Filter criteria, the pie chart will show:

- The number of devices with non-critical updates not installed (blue)
- The number of devices with critical updates not installed (orange)
- The number of devices completely updated (green)

List of vulnerable devices

Clicking either of the two sections of the pie chart updates the vulnerable devices list. The vulnerable devices list shows information about the most vulnerable devices (critical updates or non-critical updates not applied). It also offers several shortcuts to resolve this situation:

- Hostname: enter Device Level for this specific device in order to see exactly which patches have not been applied and approve those necessary
- Quick Patch: instantly apply the patches specified by the selected criteria: critical or non-critical, depending on whether you have clicked the blue or orange section of the pie chart.
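What the patch lists and the Audits view report for one device can be cross-checked locally. The PowerShell below is an added example, not part of the guide or of Systems Management: it queries the Windows Update API that this chapter says Patch Management relies on, and it assumes that "critical" in the pie chart corresponds to the Critical severity assigned by Microsoft.

```powershell
# Added example (not from the guide): list the patches missing on this Windows device
# through the Windows Update API, with the same columns the patch lists show.
# Run in PowerShell on the device. The search is read-only: nothing is downloaded or installed.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Software updates that are neither installed nor hidden on this device.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

# InstallationBehavior.RebootBehavior values defined by the Windows Update API.
$rebootText = @{ 0 = 'No'; 1 = 'Yes'; 2 = 'Possibly' }

$missing = @(foreach ($update in $result.Updates) {
    # Microsoft only rates security updates; an empty rating is reported as Unspecified.
    $severity = if ([string]::IsNullOrEmpty($update.MsrcSeverity)) { 'Unspecified' } else { $update.MsrcSeverity }
    [pscustomobject]@{
        Title     = $update.Title
        Severity  = $severity
        SizeMB    = [math]::Round([double]$update.MaxDownloadSize / 1MB, 1)
        Reboot    = $rebootText[[int]$update.InstallationBehavior.RebootBehavior]
        UserInput = [bool]$update.InstallationBehavior.CanRequestUserInput
        Category  = @($update.Categories | ForEach-Object { $_.Name }) -join ', '
    }
})

# Most severe first, then by title.
$order = 'Critical', 'Important', 'Moderate', 'Low', 'Unspecified'
$missing |
    Sort-Object { [array]::IndexOf($order, $_.Severity) }, Title |
    Format-Table -AutoSize -Wrap

'Missing patches by severity:'
$missing |
    Group-Object Severity |
    Sort-Object { [array]::IndexOf($order, $_.Name) } |
    ForEach-Object { '  {0}: {1}' -f $_.Name, $_.Count }

# Same three states as the audit pie chart (assumption: critical = MSRC severity Critical).
$criticalCount = @($missing | Where-Object { $_.Severity -eq 'Critical' }).Count
$status = if ($missing.Count -eq 0) {
    'Completely updated'
} elseif ($criticalCount -gt 0) {
    'Critical updates not installed'
} else {
    'Non-critical updates not installed'
}
"Device status: $status"
```

The search uses whichever update source the device is configured for, so a device pointed at a WSUS server only reports the patches approved there.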

16. User accounts and Roles

WHAT IS A USER ACCOUNT?

A User account is a collection of information, including credentials for accessing the Systems Management Console and the Systems Management Agent, needed to manage network devices. User accounts are only used by IT administrators who want to use the services offered by Systems Management. In general, each IT administrator has a single User account.

Note: The users of the devices do not need any type of User account, as they do not access the Systems Management Console and the Systems Management Agent installed on their devices is configured in Monitor Mode by default.

Important: Unlike the rest of the manual, where the User is the person who uses the device managed by an administrator with the help of Systems Management, in this chapter User can refer to a User account or access account for the Systems Management Console.

WHAT IS A ROLE?

A Role is a specific permission configuration for accessing the Systems Management Console, which is applied to one or more User accounts. This authorizes a specific administrator to view or modify certain Systems Management Console resources, depending on the Role to which the User account used to access Systems Management belongs. One or more User accounts can belong to one or more Roles.

Note: Roles only affect the access level of IT administrators to Systems Management Console resources to manage network devices. They do not affect other device Users.

WHY ARE ROLES NECESSARY?

In a small IT department, all technicians access the Systems Management Console as administrators with no restrictions. However, in a medium or large IT department or in partners with many clients, access to devices could need to be segmented according to three criteria:

- The number of devices to manage. In medium / large networks, or networks belonging to offices of the same company or to different clients of the same partner, it could be necessary to deploy and assign devices to technicians. By doing this, the devices of an office managed by a certain technician will not be visible to the technicians who manage the devices of other offices. There could also be restricted access to the sensitive data of specific clients, which requires precise control of the technicians who can handle the devices that contain it.
- The purpose of the device to manage. Depending on the function of a device, an expert technician in this field can be assigned. For example, a group of specialized technicians could be assigned to the database server of one or all of the clients managed by the partner and, in the same way, other services like mail servers might not be visible to this group.
- Technical knowledge. Depending on the knowledge of the technicians or their role in the IT department, they might only need access to monitoring / validation (read-only) or more advanced access, such as modification of device configurations.

The three criteria can overlap, creating a very powerful configuration matrix that is easy to define and maintain, which allows you to restrict precisely the Systems Management Console functions accessible to each technician according to their profile and responsibilities.

THE ACCOUNTADMIN ROLE

A Systems Management user license comes with a default control Role, called accountadmin. The default administration account belongs to this Role, and it allows absolutely every action available on the Systems Management Console to be performed. Accountadmin is also the only Role that can create new Roles and Users and modify existing Roles.

The accountadmin Role cannot be deleted from the Systems Management Server, and any User account can belong to this Role after it has been assigned through the Systems Management Console.

Important: All of the procedures described in this chapter require an account that belongs to the accountadmin Role.

ACCESS USER ACCOUNT AND ROLE CONFIGURATION

In General Menu, Account, there are two entries associated with managing Roles and User accounts:

- Users: create new User accounts and define whether they belong to one or various Roles
- Roles: create and modify new settings for accessing Systems Management resources

Note: The Users and Roles tabs are only accessible if the User belongs to the special accountadmin Role.

CREATE AND CONFIGURE USER ACCOUNTS

In General Menu Account, Users, you can perform all of the necessary actions related to creating and modifying User accounts.

- Add new User account: click Add User to add a new User, set a password, specify the Role or Roles to which it belongs and define the associated security level (from 1 to 5)
- Edit a User account: clicking the Username displays a form with all of the account details.
- Delete or disable User accounts: select the Users by selecting the associated checkboxes and click the prohibited and cross icons on the Action Bar
- Assign total control permissions: click ON/OFF in Account Admin

A User account can belong to one Role or more. In the latter case, the Systems Management Console will display a drop-down list through which you can choose the Role with which the User account will operate.

Note: The security level associated to a User allows you to restrict access to the components developed or imported from the ComStore with a higher security level.

CREATE AND CONFIGURE ROLES

In General Menu Account, Users, you can perform all of the necessary actions related to creating and modifying Roles.

- Add new Role: click Add Role to add a new Role. You will be prompted to enter the name and whether you want to use a blank configuration / template as a base or if the new Role will be based on a previous Role
- Edit a Role: clicking the Role name or the pencil icon displays a form with all of its settings
- Delete Role: the X icon deletes the selected Role.

Note: If User accounts are assigned to a Role when it is deleted, you will be prompted to assign a new Role to these accounts.

CONFIGURE ROLES

The configuration of a Role is divided into 4 sections:

- Device visibility: enables or restricts access to device Groups
- Permissions: enable or restrict access to the Systems Management Console features
- Agent Browser Tools: enable or restrict access to the Systems Management Agent features
- Membership: specify the User accounts that belong to the Role configured

Device Visibility

With this configuration Group, you can specify the network devices that will be visible to the Systems Management Console Users who belong to a certain Role. You can allow access to the four static Groups available in Systems Management:

-Profiles
-Profile Device Groups
-System Device Groups
-System Profile Groups

Note: You can allow access to dynamic Groups such as Filters.

Each of them allows you to define whether the device Groups of the specified type, created previously by an administrator, will be accessible in a certain Role or not. Clicking ON displays a configuration panel. A Group listed in the Include textbox will be visible to all of the User accounts that belong to this Role. Similarly, if the Group is listed in the Exclude textbox, this device Group will not be visible in the Systems Management Console.

Permissions

Permissions defines the access level for each of the main tabs in the Systems Management Console:

-System
-Profiles
-Components
-ComStore
-Jobs
-Reports
-Account

There are three access levels:

-Disabled
-View
-Manage

Clicking ON allows you to define each category separately. The content of each category in the Permissions section is a transposition of the options displayed in the Systems Management Console plus the access level, which can be set for each option. By clicking General Menu, Profiles for example, you can check the equivalent tabs in the Systems Management Console.

Agent Browser Tools

This configuration Group allows you to specify access to the remote administration tools in the Systems Management Agent.

Important: Any change made in Agent Browser Tools requires the Systems Management Agent to be restarted.

Note: These restrictions apply to the local Systems Management Console of the Systems Management Agent, on logging on to manage remote devices (Administrator Mode).

Membership

Allows you to configure the User accounts that belong to the Role configured.

HOW MANY DIFFERENT ROLES ARE NEEDED?

You can generate as many Roles as necessary, bearing in mind that the objective of a Role is to restrict administrator access to the devices or Systems Management Console resources in order to provide higher security and protection against human error. However, this higher security comes with lower flexibility when reusing technical staff among various clients or tasks, so the exact number of Roles on a system will be the result of weighing two variables: flexibility vs. security.

Horizontal Roles

In general, a company with several offices and an independent IT team in each one will want a total control Role limited to the devices in each office. In this way, the devices managed by office A will not be visible to office B and vice versa. In a company with several offices, the following configuration will be needed in each office:

- A Profile or System Group that groups the office's devices
- A Role that allows access to the devices in the Profile and denies access to the rest
- An account for each technician, assigned to the Role that covers the designated office

The same schema can be used by a partner who wants to segregate clients and assign specific technicians to them.

Vertical Roles

For devices largely aimed at specific tasks, such as print, database, mail servers, etc., you can create Roles that restrict access to this type of device. This will allow a company or partner with many offices or clients with mail servers to group them and assign a group of technicians to manage them, whilst the rest of the technicians with a more general Profile manage User devices. The following general configuration will be required:

- A System Group that groups all mail servers, regardless of the Profile / client / office to which they belong
- A Role A that allows access to the devices in the System Group and denies access to the rest of the devices
- A Role B that denies access to the devices in the System Group and allows access to the rest of the devices
- A Role A User account for every technician performing maintenance on the company or partner's mail servers
- A Role B User account for every technician performing maintenance on the company or partner's User devices

Resource access Roles

In accordance with the Profile or level of experience of each technician, the IT department manager can share the work among the members of the department. This allows you to create Groups of technicians with complementary responsibilities:

- Monitoring and Report generation technicians: with full access to Tab Bar, Reports and read-only access to the rest of the Systems Management Console
- Script development and software deployment technicians: with access to General Menu, components and ComStore
- Support technicians: with access to Tab Bar, Support and to the resources on the User's device through the Systems Management Agent

You can also restrict access to certain components in the ComStore or developed by the IT department that perform sensitive operations on the User's devices, assigning higher security levels than those set in the User account.

17. Mobile Device Management

Systems Management includes MDM (Mobile Device Management) tools that enable you to manage the mobile devices on your company's IT network easily and centrally. With Systems Management you'll be able to respond to the challenges posed by the growing presence of mobile devices in the workplace from the same console that you use to manage the rest of your IT infrastructure.

WHICH PLATFORMS ARE SUPPORTED?

Systems Management supports iOS and Android tablets and smartphones. More specifically, the solution supports iPhone and iPad tablets using iOS 6 or later. Here is a list of the supported models:

- iPhone 3G (*)
- iPhone 4 (*)
- iPhone 4S (*)
- iPhone 5
- iPhone 5C
- iPhone 5S
- iPad 2 (*)
- iPad (3rd generation) (*)
- iPad (4th generation)
- iPad Mini

(*) Requires upgrade to iOS 6 or later to be compatible with Systems Management

Systems Management supports Android devices running version (Gingerbread) and later. This is the vast majority of Android devices currently in use, except for a negligible percentage of terminals that still use Froyo (2.2.x).

[Table: Android version distribution, chart corresponding to September 2014. Columns: Version, Codename, API, Distribution. The only row that survives intact is 2.2, Froyo, API 8, 0.7%; the remaining rows list Gingerbread, Ice Cream Sandwich, Jelly Bean (4.1.x, 4.2.x) and KitKat (4.4) without their figures.]

MOBILE DEVICE MANAGEMENT POLICIES

In order to manage and control the use of mobile devices, Systems Management offers a set of policies that let you configure iOS-based smartphones and tablets to ensure that, from the outset, users have devices that are ready for use in a corporate environment and can be integrated in the company's infrastructure.

Note: See Chapter 9: Policies for more details.

Note: Only one Mobile Device Management policy can be activated at any given moment.

Mandatory and optional policies

At the time of the creation of the policy, administrators have to establish whether the policy is mandatory or not. In the policy creation screen you can choose between:

- Allow users to remove this policy: users will be able to manually disable the policy from the mobile device itself
- Require password to remove this policy: disabling the policy is subject to entering the password set by the administrator

Types of Mobile Device Management policies

There are four types of MDM policies available; each of these affects a series of features and settings on the mobile device.

- Passcode: characteristics of the passwords entered by the user in the mobile device, locking the device, etc.
- Restriction: management of access to device resources
- Vpn: VPN settings
- Wifi: WiFi connection settings

Passcode

Field: Description

- Passcode strength: Lets you define the minimum strength for users' passwords.
- Minimum passcode length
- Minimum Number Of Complex Characters: Lets you set a minimum number of non-alphanumeric characters for valid passwords.
- Maximum Passcode Age: Lets you set the maximum valid period for a password.
- Auto Lock
- Passcode History: The device keeps a history of passwords used by users to prevent them from being re-used when choosing a new password.
- Maximum Number Of Failed Attempts

Restriction

Field: Description

- Allow use of camera: Cameras are completely disabled and the icons are removed from the home screen. Users cannot take photos, video or use FaceTime.
- Allow installing apps: Using this option, the App Store can be disabled and the App Store icon will be removed from the home screen, so users will not be able to install or update any apps using the App Store or iTunes.
- Allow screen capture: Allows users to capture a screenshot of the display.
- Allow voice dialing: Permits users to use voice dialing.
- Allow FaceTime: Allows users to receive or make FaceTime video calls.
- Allow automatic sync when roaming: Devices while roaming will sync only when an account is accessed by the user.
- Allow Siri: Allows use of Siri.
- Allow Siri while locked: Permits use of Siri when the device is locked.
- Allow Passbook notifications while locked: Permits the use of Passbook while the device is locked.
- Allow in-app purchases: Enables users to make in-app purchases.
- Force users to enter iTunes Store password for all purchases: Prompts for the iTunes password for every download.
- Allow multiplayer gaming: Allows multi-player gaming.
- Allow adding Game Center friends: Allows users to add Game Center friends.
- Show Control Center in lock screen: Allows users to access the Control Center when the device is locked.
- Show Notification Center in lock screen: Displays the Notification Center when the device is locked.
- Show Today view in lock screen: Displays the "Today View" of the Notification Center when the device is locked.
- Allow documents from managed apps in unmanaged apps: Allows users to share and use the data from a corporate app in a personal app which is not distributed by the company.
- Allow documents from unmanaged apps in managed apps: Allows users to share and use the data from a personal app in a corporate app which is distributed by the company.
- Allow use of iTunes Store
- Allow use of Safari: Allows users to use Safari
- Enable Safari autofill: Enables the auto-fill option
- Force Safari fraud warning: Allows force fraud warning
- Enable Safari javascript: Allows JavaScript
- Block Safari popups: Enables pop up
- Allow iCloud backup: Enables data backup
- Allow iCloud document sync: Allows document sync
- Allow iCloud Keychain sync: Allows automatic synchronization with iCloud of user names, passwords, credit card numbers, etc.
- Allow photo stream: Enables streaming photos
- Allow shared stream: Enables Stream Sharing
- Allow diagnostic data to be sent to Apple: Enables diagnostic data to be reported to Apple

- Allow user to accept untrusted TLS certificates: Allows the use of untrusted TLS certificates.
- Force encrypted backup: Forces encryption of the data during the backup process
- Allow automatic updates to certificate trust configuration: Allows trust certificates to be updated automatically
- Force limited ad tracking: Allows the user to restrict ad tracking and marketing on the device
- Allow fingerprint for unlock: Allows the user to unlock the device using fingerprints
- Allow explicit music and podcasts: Allows music and podcasts
- Rating Apps: Allows using apps based on the specified ratings.
- Rating Movies: Allows viewing movies based on the specified ratings
- Rating TV Shows: Allows viewing TV shows based on the specified ratings
- Show iMessage: Allows users to use the iMessage feature
- Allow app removal: Allows uninstallation of apps
- Allow Game Center: Permits the usage of Game Center
- Allow Bookstore: Enables iBooks store usage
- Allow Bookstore erotica: Enables users to download media which is tagged as erotica
- Allow UI configuration profile installation
- Allow modifying account configuration (iOS 7): Allows users to modify the account configuration, such as adding or removing mail accounts, modifying iCloud configuration, iMessage configuration, etc.
- Allow AirDrop: Allows users to share documents using AirDrop
- Allow changes to cellular data usage for apps: Allows users to restrict usage of cellular data for specific apps
- Allow user-generated content in Siri: Allows Siri to query content from the web (Wikipedia, Bing and Twitter)
- Allow modifying Find My Friends configuration: Allows users to modify the configuration of "Find my Friends"
- Allow host pairing: Allows the device to be paired with any device; if this is disabled, the device will be paired only with the configurator host

VPN

Field: Description

- Connection Name: Name of the VPN connection
- Connection Type: VPN type (L2TP, PPTP, IPSec)
- Server: VPN server IP address
- Shared Secret: Secret shared between server and client.
- User Authentication: Authentication method: password or public/private key
- Account: User account for authenticating the connection
- Proxy Type: Configures proxies to be used with this VPN connection

WiFi

Field: Description

- SSID: Sets the Service Set IDentifier
- Security: Type of WiFi security
- Password: WiFi password
- Proxy Type: Configures proxies to be used with this WiFi connection

TOOLS FOR REMOTELY MANAGING MOBILE DEVICES

This section describes the tools available from the Systems Management Console, how they work and the benefits they provide.

The Systems Management Console functions regarding mobile devices are only available at Device Level for the relevant device. After you select the device in the console, the Action Bar and the Tab Bar will change automatically, displaying the new actions available.

Password Policy
This feature works in conjunction with the Device Lock feature, as it forces the owner of the device to set a password (PIN). When enabled, the administrator will be able to lock the device if stolen, prompting the thief for that PIN when the device is powered on.
This feature launches a remote request to the User to set the PIN; it doesn't allow the administrator to set it from the console.

Device Wipe
Performs a remote factory reset of the device. This feature prevents data theft in the event of device loss, theft, or malfunction.
Please be aware that this will remove any User data (programs, specific configurations, modifications) stored on the device. The device is returned to its factory settings.

Geolocation
Shows the device's location on a map. The device's coordinates are obtained in different ways depending on the available resources on the device. Accuracy varies greatly from one system to another. The technologies used are (in order of accuracy):
- GPS (Global Positioning System)
- WPS (Wifi Position System)
- GeoIP
GeoIP may report a location completely different from where the device actually is.

Lock Device
Turns the device's screen off until a security PIN (if there is one) is entered. This is particularly useful if the device is stolen.

Unlock Device
Unlocks a locked device (resets the security PIN should the User forget it).

Audits
Audits work in the same way as on Windows devices, and are fully integrated in the Systems Management Console. This feature allows Filters to be set on mobile devices based on the programs installed, for example. The Systems Management Agent collects all hardware and software information from the device on which it is installed, and notifies any changes to the Systems Management Server, which displays them on the Audit tab.
The Hardware section displays the following information about mobile devices:
- Operating system and version
- Model
- ICCID (Integrated Circuit Card ID, a unique number that identifies SIM cards)
- SIM card operator
- SIM card phone number
- Storage (internal memory and SD card memory)
- Network adapters installed (usually Wi-Fi)
The Software section shows all packages installed on the device.
The Changelog section reports all hardware and software changes made to the device.

Reports
The Reports adapt to the type of device. The Reports tab behaves in the same way as for Windows and Mac devices.

18. Security and control over access to the Systems Management service

Administrators have several tools to improve the security of access to the service, including:
- Two-factor authentication
- Password policies
- Console IP Address Restriction
- Agent IP Address Restriction

TWO-FACTOR AUTHENTICATION

Two-factor authentication makes it necessary to use a second device in the process of verifying the credentials of an administrator entered in the login screen of the Console. So, in addition to entering the credentials, the administrator must also enter a personal code generated automatically every minute on his or her phone.

Two-Factor Authentication only affects access to the Systems Management Console and is therefore aimed only at network administrators. Neither network administrators nor Users that access other devices through the Systems Management Agent are affected by these settings.

Essential requirements
- Mobile device that supports the token generating application.
- The free app Google Authenticator or other compatible app installed on the mobile device.

Settings
Below we describe the steps necessary to activate Two-Factor Authentication in the account of the administrator that has logged into the Systems Management Console:

You will see a QR Code on the screen and a space to enter the Token. This Token is generated by Google Authenticator. If you don't have an authentication application that can read a QR Code, you can select the checkbox so the system sends a QR Code to the administrator's address specified in the same file.

Install Google Authenticator from Google Play on the mobile device of the administrator accessing the Systems Management Console (see Installing Google Authenticator later in this section).

Press Begin setup and Scan barcode to scan the QR code displayed by the Systems Management Console. If there is no bar code scanner installed, the app will suggest installing the free program ZXing Barcode Scanner.

After scanning the QR code, the application starts generating tokens every 30 seconds. You have to generate a Token and enter it in the corresponding space in the login screen for the Console to fully activate Two-Factor Authentication. From then on, the administrator will only be able to access their account if they enter the credentials correctly along with a valid token.

Installing Google Authenticator
To install Google Authenticator on an Android compatible mobile device, follow the steps below:
- Download the app from Google Play.
- Once the app has started, click Begin Setup.
- Press Scan a barcode to scan the QR code displayed in the Systems Management Console.
- The app will start to generate tokens automatically. Each token is valid for 30 seconds.

Enabling Two-Factor Authentication for all accounts
Once Two-Factor Authentication is activated for the administrator account, it is possible to force it to be used for the other administrator accounts created in the Systems Management Console. To do this click General menu, Account, Settings, Require Two Factor Authentication.

To force use of Two-Factor Authentication for the other accounts, the account used for configuration must already have Two-Factor Authentication enabled.

Whenever a User without Two-Factor Authentication configured accesses the Systems Management Console, they will see a warning message and they won't be able to use the console.

Disable Two-Factor Authentication from the login screen
From the login screen you can disable Two-Factor Authentication. To do this you have to enter the username and password correctly, and you will see the screen asking for the Token. At the bottom there's a link to Disable TOTP. Click the link and the Server will send an SMS with a code that is valid for 10 minutes to the phone number that is configured in the system. When you enter the code, the Two-Factor Authentication service will be disabled.

PASSWORD POLICY

In order to reinforce security regarding access to the Console, administrators can establish a Password policy, which means that all passwords will have to meet certain requirements. To configure the Password policy, go to the General menu, Accounts, Settings and there you can set values in the following fields:
- Password expiration: sets the maximum duration of the password (30, 60, 90 days or never expires).
- Unique passwords: the system stores a list of passwords for each account so administrators cannot reuse them when a password is changed. The password history will have a value of 0 (never) to 6 entries.

SYSTEMS MANAGEMENT CONSOLE IP ADDRESS RESTRICTION

To restrict access to the Console to a set of known IP addresses, in the General Menu, Account, Settings, you can enable the option PSM console IP Address Restriction, and in the Restricted IP List you can set the list of IPs from which it will be possible to access the Console.

AGENT IP ADDRESS RESTRICTION

To restrict access of Agents to the service, in the General Menu, Account, Settings, you can enable Agent IP Address Restriction, specifying in the Restricted IP List a list of IPs from which Agents can access the Server.

Appendix A: Source code

Chapter 10

'***********************************************************************
' Quarantine_Monitor v0.99b
' 06/03/2013
' By Oscar Lopez / Panda Security
' Target: It monitors changes on PCOP quarantine folder
' Input: PCOP_PATH environment variable
' Output: stdout "Result=n new items detected in PCOP quarantine",
'         n is the added file number in the monitored folder
'***********************************************************************
dim WshShell,WshSysEnv
dim objfso,objfolder,colfiles
dim icountpast,icountnow
dim bhit
Dim n

bhit = False
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objfso = CreateObject("Scripting.FileSystemObject")

'access to environment variable and quarantine path
On error resume Next
Set WshSysEnv = WshShell.Environment("PROCESS")
Set objfolder = objfso.getfolder(WshSysEnv("PCOP_PATH"))
if err.number <> 0 then
    'SM didn't send the environment variable
    err.clear
    WScript.Echo "<-Start Result->"
    WScript.Echo "Result=PCOP_PATH variable not defined on SM console or path not found"
    WScript.Echo "<-End Result->"
    Set WshShell = nothing
    Set WshSysEnv = nothing
    Set objfolder = nothing
    'quit only on the error path; the monitor continues otherwise
    WScript.Quit(1)
end if
On error goto 0

'it gets the collection that contains the folder files
set colfiles = objfolder.files

On error resume Next
'access to the registry. 10 incremental entries will be created, one per minute.
n=0
While Err.Number=0 And n < 10
    icountpast= cint(WshShell.RegRead("HKLM\Software\Panda Security\Monitor" & n))
    If err.number<>0 then
        'first missing entry: store the current file count and leave the loop
        WshShell.RegWrite "HKLM\Software\Panda Security\Monitor" & n, colfiles.count, "REG_SZ"
    Else
        n=n+1
    End If
Wend
Err.Clear

If n=9 Then
    icountpast= cint(WshShell.RegRead("HKLM\Software\Panda Security\Monitor0"))
    icountnow= cint(WshShell.RegRead("HKLM\Software\Panda Security\Monitor9"))
    if icountpast < icountnow then
        'there are more items in the folder, it updates the registry and sends an alert
        WScript.Echo "<-Start Result->"
        WScript.Echo "Result=" & icountnow - icountpast & " new items in PCOP quarantine"
        WScript.Echo "<-End Result->"
        bhit=true
    end if
    For n=0 To 9
        WshShell.RegDelete("HKLM\Software\Panda Security\Monitor" & n)
    Next
    WshShell.RegWrite "HKLM\Software\Panda Security\Monitor0", colfiles.count, "REG_SZ"
end if
On error goto 0

'finale
Set colfiles = nothing
set objfolder = nothing
set WshShell = nothing
set WshSysEnv = nothing
set objfso = nothing
if bhit then
    WScript.Quit (1)
else
    WScript.Quit (0)
end if

Chapter 11

Option Explicit
'***********************************************************************
' Deploy_documents v0.99b
' 12/03/2013
' By Oscar Lopez / Panda Security
' Target: It creates a folder in the user's desktop and copies to it the documents to deploy
' Input: files to copy
' Output: error code or OK
'***********************************************************************
Dim CONST_PATH
Dim objfso,objfolder,colfiles

'Maybe you want to use a global variable for this constant?
CONST_PATH= "C:\ACME Documents"

On Error Resume Next
Set objfso=CreateObject("Scripting.FileSystemObject")
Set objfolder = objfso.getfolder(CONST_PATH)
If Err.Number=0 Then
    'the folder already exists, the files won't be copied
    WScript.Echo "Deploy unsuccessful: The folder already exists"
    WScript.Quit (0)
End If

'the folder will be created in the user's desktop
Err.Clear
Set objfolder = objfso.createfolder(CONST_PATH)

'the documents will be moved to the folder
objfso.movefile "doc1.docx", objfolder.path & "\doc1.docx"
objfso.movefile "doc2.docx", objfolder.path & "\doc2.docx"
objfso.movefile "doc3.docx", objfolder.path & "\doc3.docx"

If Err.Number<>0 Then
    WScript.Echo "Deploy unsuccessful: " & Err.Description
    WScript.Quit (1)
Else
    WScript.Echo "Deploy successful: All files were copied"
    WScript.Quit (0)
End If
On Error Goto 0
WScript.Quit (0)

Appendix B: Compatible Platforms

For Windows
- Windows XP and Vista (32-bit & 64-bit editions)
- Windows Server 2003 and 2003 R2 (32-bit & 64-bit editions)
- Windows Server 2008 (32-bit & 64-bit editions)
- Windows 7 and 8 (32-bit & 64-bit editions)
- Windows Server 2008 R2 and 2012 (64-bit editions)
(*) Windows Installer 3.1 and .NET Framework 2.0 required

For Apple Macintosh
- Apple OS X 10.6 (Snow Leopard)
- Apple OS X 10.7 (Lion)
- Apple OS X 10.8 (Mountain Lion)
- Apple OS X 10.9 (Mavericks)
- Apple OS X (Yosemite)

For Linux
- Redhat 5.x and higher
- Fedora 19.x and higher
- CentOS 5.x and higher
- Debian 5.x and higher
- Ubuntu 11 and higher

For smartphones and tablets
- iOS 6 and higher
- Android

Compatible browsers:
- Internet Explorer 7
- Chrome
- FireFox
- Opera
- Safari

Partner Guide Systems Management

Neither the documents nor the programs that you can access may be copied, reproduced, translated or transferred to any electronic or legible media without prior written permission from Panda Security, C/ Gran Vía Don Diego López de Haro 4, Bilbao (Bizkaia), SPAIN.

Registered trademarks. Windows Vista and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and other countries. All other product names could be registered trademarks of their respective companies.

Panda Security. All rights reserved.

panda cloud systems management

panda cloud systems management panda cloud systems management Partners and Network Managers Guide www.pandasecurity.com PROLOGUE Audience. Icons. 03 introduction Main features of Panda Cloud Systems Management. Panda Cloud Systems Management

More information

panda cloud systems management

panda cloud systems management panda cloud systems management Partners and Network Managers Guide www.pandasecurity.com PROLOGUE Audience. Icons. introduction Main features of Panda Cloud Systems Management. Panda Cloud Systems Management

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

NMS300 Network Management System

NMS300 Network Management System NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate

More information

AVG Business SSO Partner Getting Started Guide

AVG Business SSO Partner Getting Started Guide AVG Business SSO Partner Getting Started Guide Table of Contents Overview... 2 Getting Started... 3 Web and OS requirements... 3 Supported web and device browsers... 3 Initial Login... 4 Navigation in

More information

Cloud Services MDM. ios User Guide

Cloud Services MDM. ios User Guide Cloud Services MDM ios User Guide 10/24/2014 CONTENTS Overview... 3 Supported Devices... 3 System Capabilities... 3 Enrollment and Activation... 4 Download the Agent... 4 Enroll Your Device Using the Agent...

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

The day-to-day of the IT department. What is Panda Cloud Systems Management? Benefits of Panda Cloud Systems Management

The day-to-day of the IT department. What is Panda Cloud Systems Management? Benefits of Panda Cloud Systems Management 1 INDEX The day-to-day of the IT department What is Panda Cloud Systems Management? 'The virtuous circle' Benefits of Panda Cloud Systems Management Necessary resources and infrastructure 2 The day-to-day

More information

Seagate NAS OS 4 Reviewers Guide: NAS / NAS Pro / Business Storage Rackmounts

Seagate NAS OS 4 Reviewers Guide: NAS / NAS Pro / Business Storage Rackmounts Seagate NAS OS 4 Reviewers Guide: NAS / NAS Pro / Business Storage Rackmounts Seagate NAS OS 4 Reviewers Guide 2 Purpose of this guide Experience the most common use cases for the product, learn about

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

Advanced Configuration Steps

Advanced Configuration Steps Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings

More information

Configuration Guide BES12. Version 12.1

Configuration Guide BES12. Version 12.1 Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

Trend Micro KASEYA INTEGRATION GUIDE

Trend Micro KASEYA INTEGRATION GUIDE Trend Micro KASEYA INTEGRATION GUIDE INTRODUCTION Trend Micro Worry-Free Business Security Services is a server-free security solution that provides protection anytime and anywhere for your business data.

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown

GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM Device Application User Guide Installation and Configuration for Android with TouchDown GO!Enterprise MDM for Android, Version 3.x GO!Enterprise MDM for Android with TouchDown 1 Table

More information

Preparing for GO!Enterprise MDM On-Demand Service

Preparing for GO!Enterprise MDM On-Demand Service Preparing for GO!Enterprise MDM On-Demand Service This guide provides information on...... An overview of GO!Enterprise MDM... Preparing your environment for GO!Enterprise MDM On-Demand... Firewall rules

More information

System Administration Training Guide. S100 Installation and Site Management

System Administration Training Guide. S100 Installation and Site Management System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5

More information

HDA Integration Guide. Help Desk Authority 9.0

HDA Integration Guide. Help Desk Authority 9.0 HDA Integration Guide Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic

More information

Virtual Data Centre. User Guide

Virtual Data Centre. User Guide Virtual Data Centre User Guide 2 P age Table of Contents Getting Started with vcloud Director... 8 1. Understanding vcloud Director... 8 2. Log In to the Web Console... 9 3. Using vcloud Director... 10

More information

Sophos Mobile Control Administrator guide. Product version: 3.6

Sophos Mobile Control Administrator guide. Product version: 3.6 Sophos Mobile Control Administrator guide Product version: 3.6 Document date: November 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Sophos Mobile Control Administrator guide. Product version: 3

Sophos Mobile Control Administrator guide. Product version: 3 Sophos Mobile Control Administrator guide Product version: 3 Document date: January 2013 Contents 1 About Sophos Mobile Control...4 2 About the Sophos Mobile Control web console...7 3 Key steps for managing

More information

User Guide. Version R91. English

User Guide. Version R91. English AuthAnvil User Guide Version R91 English August 25, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

UP L18 Enhanced MDM and Updated Email Protection Hands-On Lab

UP L18 Enhanced MDM and Updated Email Protection Hands-On Lab UP L18 Enhanced MDM and Updated Email Protection Hands-On Lab Description The Symantec App Center platform continues to expand it s offering with new enhanced support for native agent based device management

More information

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012

Sophos Enterprise Console Help. Product version: 5.1 Document date: June 2012 Sophos Enterprise Console Help Product version: 5.1 Document date: June 2012 Contents 1 About Enterprise Console...3 2 Guide to the Enterprise Console interface...4 3 Getting started with Sophos Enterprise

More information

ManageEngine Desktop Central. Mobile Device Management User Guide

ManageEngine Desktop Central. Mobile Device Management User Guide ManageEngine Desktop Central Mobile Device Management User Guide Contents 1 Mobile Device Management... 2 1.1 Supported Devices... 2 1.2 What Management Operations you can Perform?... 2 2 Setting Up MDM...

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios with TouchDown GO!Enterprise MDM for ios Devices, Version 3.x GO!Enterprise MDM for ios with TouchDown 1 Table of

More information

Kaseya 2. User Guide. Version R8. English

Kaseya 2. User Guide. Version R8. English Kaseya 2 Discovery User Guide Version R8 English September 19, 2014 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as

More information

Kaseya 2. User Guide. Version 1.0

Kaseya 2. User Guide. Version 1.0 Kaseya 2 Mobile Device Management User Guide Version 1.0 March 12, 2012 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations.

More information

http://www.trendmicro.com/download

http://www.trendmicro.com/download Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Vodafone Secure Device Manager Administration User Guide

Vodafone Secure Device Manager Administration User Guide Vodafone Secure Device Manager Administration User Guide Vodafone New Zealand Limited. Correct as of September 2014. Do business better Contents Introduction 3 Help 4 How to find help in the Vodafone Secure

More information

WhatsUp Gold v16.3 Installation and Configuration Guide

WhatsUp Gold v16.3 Installation and Configuration Guide WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard

More information

Freshservice Discovery Probe User Guide

Freshservice Discovery Probe User Guide Freshservice Discovery Probe User Guide 1. What is Freshservice Discovery Probe? 1.1 What details does Probe fetch? 1.2 How does Probe fetch the information? 2. What are the minimum system requirements

More information

Installation Guide. Live Maps 7.4 for System Center 2012

Installation Guide. Live Maps 7.4 for System Center 2012 Installation Guide Live Maps 7.4 for System Center 2012 1 Introduction... 4 1.1 1.2 About This Guide... 4 Supported Products... 4 1.3 1.4 Related Documents... 4 Understanding Live Maps... 4 1.5 Upgrade

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices

GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices GO!Enterprise MDM Device Application User Guide Installation and Configuration for ios Devices GO!Enterprise MDM for ios Devices, Version 3.x GO!Enterprise MDM for ios Devices 1 Table of Contents GO!Enterprise

More information

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc.

Legal Notes. Regarding Trademarks. 2012 KYOCERA Document Solutions Inc. Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Sophos Mobile Control Startup guide. Product version: 3.5

Sophos Mobile Control Startup guide. Product version: 3.5 Sophos Mobile Control Startup guide Product version: 3.5 Document date: July 2013 Contents 1 About this guide...3 2 What are the key steps?...5 3 Log in as a super administrator...6 4 Activate Sophos Mobile

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

2X ApplicationServer & LoadBalancer Manual

2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies,

More information

Live Maps. for System Center Operations Manager 2007 R2 v6.2.1. Installation Guide

Live Maps. for System Center Operations Manager 2007 R2 v6.2.1. Installation Guide Live Maps for System Center Operations Manager 2007 R2 v6.2.1 Installation Guide CONTENTS Contents... 2 Introduction... 4 About This Guide... 4 Supported Products... 4 Understanding Live Maps... 4 Live

More information

2X SecureRemoteDesktop. Version 1.1

2X SecureRemoteDesktop. Version 1.1 2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: [email protected] Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious

More information

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client. WatchGuard SSL v3.2 Release Notes Supported Devices SSL 100 and 560 WatchGuard SSL OS Build 355419 Revision Date January 28, 2013 Introduction WatchGuard is pleased to announce the release of WatchGuard

More information

Copyright 2013 Trend Micro Incorporated. All rights reserved.
