IT Management Suite

  • 1.  Selective ITMS Agent status (make disabled on 1st machine boot)

    Posted Oct 29, 2020 10:42 AM
    Hi Experts! 

    I am trying to figure out how to deploy the end client agent on all discovered machines connected to our subnets automatically. 
    But on some devices, I wish the agent to be disabled after deployment. (agent not activated and service down)

    Is there a way to achieve such a task?

    Is there a way to automatically tell the ITMS console that every hostname of a device that is named "ABCDE" will get this task accordingly? (maybe by groups, or by other identifier?) 


    The reason I want to do this is to have the option to use the ITMS agent if / when needed, but still don't let it interfere with any activity on my machines (not even report back to the NS server).

    Any suggestions?

    tnx,

    Hagai


  • 2.  RE: Selective ITMS Agent status (make disabled on 1st machine boot)

    Broadcom Employee
    Posted Oct 29, 2020 11:21 AM
    That is a tricky thing because if you have the agent in a disabled state we obviously cannot communicate with it to turn it on when it is needed.

    I think your best option is going to be something outside of the product.  So, install the agent then use something like Sysinternals PsService (part of PsTools), Group Policy, PowerShell, etc. to disable it.  

    You would then need to use a similar process to enable it when needed.  

    Keep in mind that the platform does have purging settings so if the agents do not communicate in the defined time range they will be deleted causing a delay when they check in to get into all the correct filters and targets again.

    ------------------------------
    Systems Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Selective ITMS Agent status (make disabled on 1st machine boot)

    Posted Oct 29, 2020 11:52 AM
    Hi Doug, thank you for your reply.

    I have a similar option for the re-enablement.
    But since I want the automated adding of each machine to the arsenal of the ITMS (since I don't want to miss any machine), I wish the agent installation to be done from the network discovery on the ITMS, and then maybe add selective machines into a certain group / policy that will disable the agent.

    Later on, when needed, I will have the option and way to re-enable them as you mentioned above.

    By the way, regarding the purge: OK, I understand that after a certain time period they will be deleted, but even after 1 year, if a machine has an agent and the server is active, it will get reconnected to it, right? (Let's say I have a critical security update and I wish to push it to all devices immediately; I will be able to do so if necessary, correct?)


    Thanks,

    Hagai


  • 4.  RE: Selective ITMS Agent status (make disabled on 1st machine boot)

    Broadcom Employee
    Posted Oct 30, 2020 04:22 AM
    There is an agent installer option, "donotstart". It could be what you need: the option tells the installer not to start the service after the installation.
    All three installers aexnsc.exe, aexnschttp.exe and aexnschttps.exe support it.


  • 5.  RE: Selective ITMS Agent status (make disabled on 1st machine boot)

    Posted Oct 30, 2020 08:23 AM
    I was not aware of the donotstart flag, is that also supported by sub-agents?

    I have a VBS script that installs the core agent and sub-agents and also have the desire to prevent the machine from talking to the NS during the initial install.  The reason for me is because I'm installing the agent during the OOBE process of the Windows build shortly after the machine is renamed to its final name.  Since the machine has not rebooted yet, the SMA uses the old name when creating the CEM certificate instead of new computer name.  By preventing the agent from working until after reboot, this problem is solved.  The way I accomplish this is by writing fake entries in the HOSTS file for the NS and gateways during the install and sub-agent installs.  When all is installed, I stop the agent service and remove the HOSTS entries.  On next boot, the agent starts as normal and registers with CEM with the proper name.

    ------------------------------
    Kelly Services
    ------------------------------
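
The HOSTS-file approach described in post 5, sketched in PowerShell as an added example (not the poster's VBS script and not Broadcom code): it tags the temporary entries, removes them in a `finally` block so the block cannot outlive the install, and checks that the file returned to its earlier content. The host names, the marker comment, the loopback address and the service name `AeXNSClient` are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. Host names, marker text and service name are assumptions.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Marker    = '# itms-install-block'   # tag so only the lines added here are removed

function Invoke-WithHostsBlock {
    param(
        [Parameter(Mandatory)] [string[]]    $Names,   # NS and gateway names to blackhole
        [Parameter(Mandatory)] [scriptblock] $Action,  # core agent and sub-agent installs
        [string] $ServiceName = 'AeXNSClient'          # assumed; confirm with Get-Service
    )
    $original = @(Get-Content -LiteralPath $HostsPath)
    $block    = $Names | ForEach-Object { "127.0.0.1`t$_`t$Marker" }
    # Rewrite the whole file so a missing final newline cannot merge two lines.
    Set-Content -LiteralPath $HostsPath -Value ($original + $block) -Encoding Ascii
    try {
        & $Action
    }
    finally {
        # Runs even if an installer step throws. The startup type is untouched,
        # so the service starts normally on the next boot.
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        $kept = @(Get-Content -LiteralPath $HostsPath |
                  Where-Object { $_ -notlike "*$Marker" })
        Set-Content -LiteralPath $HostsPath -Value $kept -Encoding Ascii
        # Verify the file is back to its pre-install content.
        if (($kept -join "`n") -ne ($original -join "`n")) {
            Write-Warning "hosts differs from its pre-install content; review $HostsPath"
        }
    }
}

# Constructed usage: placeholder names, installer commands left to the caller.
Invoke-WithHostsBlock -Names 'ns.example.internal', 'gw.example.internal' -Action {
    # Run the core agent installer and the sub-agent MSIs here.
    # Supported switches are listed by: aexnsc.exe /?
}
```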



  • 6.  RE: Selective ITMS Agent status (make disabled on 1st machine boot)

    Broadcom Employee
    Posted Nov 02, 2020 02:41 AM
    >>I was not aware of the donotstart flag, is that also supported by sub-agents?
    Unfortunately no, most of the sub-agents are MSI files and their installers will try stopping the agent and then starting it back. I think there is no way now to simplify your VBS script.
    You can see all the switches supported by the agent installer by running aexnsc.exe /?

    regards,
    sergei