May 24, 2012

Options for Deploying the K1000 Agent

Most of you know that provisioning from the appliance is a great way to get the agent deployed. Have you ever needed an alternate method of deployment, though? We’ve got several options that can get you well on your way, such as Group Policy, Login Script, Remote Execution, and Imaging.

Let’s take a look at each. But first things first… some minor modifications to the agent file for v5.3 can simplify the whole process regardless of which method(s) you choose. We want to make sure the agents will communicate with your server once installed, so we need to give the installer the hostname of your K1000.

The 5.3 Agent is very easy to configure for custom K1000 host names. For these steps we will assume that your K1000 is called kboxhostname.company.com.

  1. In a file manager, browse to \\kboxhostname\clientdrop\agent_provisioning\windows_platform. This is the writeable fileshare. If necessary, see the documentation on how to enable this share.
  2. Copy the msi file to a network share or other location that is used for distribution of software packages.
  3. Rename ampagent-5.x.xxxxx-x86.msi to include your host name, e.g. ampagent-5.3.44367-x86_hostname.company.com.msi

Group Policy is the favored method for most of our customers right after provisioning directly from the appliance. An Active Directory Group Policy can help you reach the machines that miss their scheduled deployment, and it helps in cases where you aren’t able to configure the prerequisites for agent provisioning from the appliance (File/Print Sharing, UAC, Simple File Sharing).

To publish or assign a computer program, you must create a distribution point on the publishing server:

    1. Log on to the server computer as an administrator.
    2. Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute.
    3. Set permissions on the share to allow access to the distribution package.
    4. Copy the MSI you previously renamed to this location.

Next we want to create the GPO. The recommended method is to use the Group Policy Management Console (GPMC) snap-in from MMC.

    1. Start the Group Policy Management Console. To do this, click Start, point to Administrative Tools, and then click Group Policy Management Console
    2. In the tree, expand your forest; locate your domain and find the Group Policy Objects section
    3. In the right-hand pane where the Group Policy Objects are listed, right-click and choose New
    4. Enter the Name as KBOX Agent.
    5. Click and Drag the newly created object onto the OU you want to deploy it to. In this case we are using an OU called TestForGPOInstall.

Next we need to assign the GPO to some computers:

    1. Find your group policy object called KBOX Agent. Right-click on it and choose Edit. The Group Policy Object Editor will open.
    2. Under Computer Configuration, expand Software Settings.
    3. Right-click Software installation, point to New, and then click Package.
    4. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\fileserver\share\ampagent-5.3.44367-x86_kboxhostname.company.com.msi
    5. Important: Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.
    6. Click Open.
    7. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
    8. Close the Group Policy snap-in.
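A package assigned under Computer Configuration is installed at startup by the Local System account, so the distribution point should be readable by the target computers and writable only by the administrators who maintain it. The following PowerShell check is an added example, not KACE code; it uses the article's example UNC path, and the list of "broad" principals is an assumption to adjust for your domain.

```powershell
# Added example, not vendor code. Audits the agent package before it is assigned.
# $PackagePath is the article's example UNC path; substitute your own share.
$PackagePath = '\\fileserver\share\ampagent-5.3.44367-x86_kboxhostname.company.com.msi'

# Rights that would let a principal replace or alter the package, plus the
# generic write/all bits (0x40000000, 0x10000000) that some ACEs carry instead.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
                   $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor
                   $R::TakeOwnership) -bor 0x50000000

# Broad principals matched by SID so the check does not depend on OS language:
# Everyone, Authenticated Users, BUILTIN\Users, Domain Users (-513), Domain Computers (-515).
$BroadSid = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-.+-(513|515))$'

function Get-BroadWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable account: keep the raw value
        }
        if ($sid -match $BroadSid) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# NTFS permissions on the package and on the folder that holds it.
# Share-level permissions are a separate layer and are not read here.
$findings = @(Get-BroadWriteAce -Path $PackagePath) +
            @(Get-BroadWriteAce -Path (Split-Path -Path $PackagePath -Parent))

# Signature state and a hash to record alongside the GPO for later comparison.
$signature = Get-AuthenticodeSignature -FilePath $PackagePath
$sha256    = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash

"Package   : $PackagePath"
"SHA-256   : $sha256"
"Signature : $($signature.Status) $($signature.SignerCertificate.Subject)"
if ($findings.Count -gt 0) {
    'Broad principals with write access:'
    $findings | Format-Table -AutoSize
} else {
    'No broad principal has write access to the package or its folder.'
}
```

The same share is referenced by the login script and PsExec methods, so the result applies to all three.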

For older versions of the agent and variations on methodology check out the full article.

Login Scripts are used by many companies to check conditions on workstations when each user logs in and remediate anything that might not be quite right. Many companies have moved away from this method in favor of alternate tools because of logon delays and maintenance issues related to complex scripts. Here’s an example batch script that can be assigned to your users to check for the client and install it if missing:

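REM ***BEGIN BATCH***
REM ...Other parts of your login script here

:K1000AGENT
:CHECKEXISTINGINSTALL
REM Skip the install if any known agent binary is already present.
REM The paths are quoted because they contain spaces and parentheses.
if exist "C:\Program Files (x86)\Dell\KACE\AMPAgent.exe" GOTO :NEXT
if exist "C:\Program Files\Dell\KACE\AMPAgent.exe" GOTO :NEXT
if exist "C:\Program Files\KACE\KBOX\kbscriptrunner.exe" GOTO :NEXT
REM Agent not found: launch the renamed installer from the distribution share.
\\fileserver\share\ampagent-5.3.44367-x86_kboxhostname.company.com.msi

:NEXT
REM The rest of your Login Scripts here...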

Remote Execution of processes can help in situations where other methods such as GPO or Login Script are not an option. Utilities like PsExec from Microsoft Sysinternals let you execute programs on remote systems. PsExec’s most powerful uses include launching interactive command prompts on remote systems and launching installers or other utilities such as IPConfig that otherwise can’t run remotely. Note: some anti-virus scanners report that one or more of the tools are infected with a “remote admin” virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications. These tools are generally considered dangerous, but are very useful if needed. Here’s an example how-to for the agent:

    1. Download PsExec (http://download.sysinternals.com/Files/PsTools.zip)
    2. Create a text file containing the hostnames you need to execute against, with each PC listed on its own line. I’ll refer to it as hostsfilename.txt below.
    3. Copy both to c:\pstools
    4. Make sure the local Administrator account is enabled. In Windows 7 the default is for this account to be disabled. You can use domain credentials if preferred to run the remote program, but you’ll need local administrator access to your own machine to launch PsExec.
    5. From an administrative command prompt launch it with

c:\pstools\psexec.exe @hostsfilename.txt -u administrativeusername -i -s msiexec /i "\\fileserver\share\ampagent-5.3.44367-x86_kboxhostname.company.com.msi"

Alternatively, you could launch against all domain computers with

c:\pstools\psexec.exe \\* -u administrativeusername -i -s msiexec /i "\\fileserver\share\ampagent-5.3.44367-x86_kboxhostname.company.com.msi"

Other uses and command combinations are certainly available; see the vendor-provided documentation for PsExec, or for other remote execution tools that you might be using, for more options.

Imaging is commonly used to ensure the agent is part of the mix from day one. While we discourage including the agent in the image we do provide an installer switch to allow you to more safely include the agent. We recommend installing the agent as a post-installation task after the OS is provisioned regardless of which systems deployment technology you are using. This is quite easily done using the K2000 Systems Deployment Appliance by adding a Post-Installation task of the Type “K1000 Agent”; simply follow the steps on the screen to upload your latest agent to the K2000 and give the proper command line.

In the case where you’d like to install before sysprep and capturing your image you’d want to use the following command to do the install:

msiexec /qn /i ampagent-5.3.xxxxx-x86.msi HOST=kboxhostname.company.com CLONEPREP=1

or

msiexec /qn /i ampagent-5.3.xxxxx-x86_kboxhostname.company.com.msi CLONEPREP=1

Check the K1000 Administrative Guide and the KACE Knowledge Base for more articles and documentation on K1000 Client deployment. Happy Provisioning!

May 24, 2012

Using SSL with your K1000 Appliance

Millions of businesses use SSL (Secure Sockets Layer) to secure their websites, as well as other types of traffic, and allow their customers to place trust in them. The use of an SSL certificate on a website is usually indicated by the URL changing from http:// to https://.

You may ask, “Why would I need SSL on my K1000?” In most cases, K1000 Appliance customers are seeking to provide support to end users outside of the primary network. Allowing users to utilize the Help Desk and submit tickets through the “User Portal”, or being able to manage machines that do not connect to your network via VPN, can be a huge benefit to both end users and IT staff.

The primary reason why SSL is used is to keep sensitive information that is sent across the public networks (such as the Internet) encrypted and private so that only the intended recipient can understand it. This is important because the information you send on the Internet is passed from computer to computer to get to the destination server. Any computer in between you and the server can potentially see sensitive information such as usernames and passwords if it is not encrypted with an SSL certificate. 

The first step is requesting a Digital Certificate from a Certificate Authority (CA). A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certificate Authorities have to keep detailed records of what has been issued and the information used to issue it. Some of the many top qualified CAs are VeriSign, Thawte, Comodo, and GeoTrust. Different certificates can have different costs and there are multiple types of certificates. You can see examples in the links above.

Before setting SSL please note the following recommendations:

  • Backup your database files and copy them off of the K1000 appliance.
  • We highly recommend that you keep port 80 enabled and that you enable SSH in the security settings. In the event something goes awry, support will need these options enabled in order to assist; if they are not enabled you might have to reimage your appliance, as it will not be accessible.
  • Your webserver name must be the FQDN of your certificate. See this article on setting your webserver name (http://www.kace.com/support/resources/kb/article/Setting-your-KACE-K1000-appliance-Web-Server-Name-Server-Configuration)
  • When you enable 443 all of your K1000 Agents are going to switch to using SSL. Therefore, we recommend you plan to implement your certificate after hours so you can disconnect your K1000 appliance from the main network and test before you put it back on the network.  
  • If you are using a self-signed certificate for testing or a secondary vendor for your certificate, then please note that your clients will have to have the certificate installed, so you will need to install the certificate on those PCs. This is usually done by group policy (see here: http://technet.microsoft.com/en-us/library/cc770315.aspx). SSL settings should only be adjusted after you have properly deployed the K1000 agents on your network in non-SSL mode.
  • We remind you that you may contact support@kace.com to discuss your implementation plan before you proceed to make sure everything can go smoothly.

Steps:

  1. Make sure that you are using your fully qualified domain name and it is properly setup in the Network settings.  (See link above for instructions).
  2. Next go to K1000 settings > Security Settings make sure SSH is enabled and Port 80 access is enabled.  Open the SSL Wizard and fill out the Certificate Signing Request (CSR) for the Certificate Authority (CA) to verify your company information. Fill them out according to legal documentation for the Country/State/City you reside in. Set CSR Options.
  3. Once the CSR Options have been selected you will see the CSR, which you will need to submit to your CA. This information includes enough information about the K1000 and company for the vendor to generate something that matches your signing request and private key. How this submission is done varies between CAs. Typically: paste your request into a text editor and save it as a .csr under file format of UNIX. Upload the file to whatever web form is required by your CA on their website. Generally you will get your certificate within 1-2 business days. If they ask for OS you want Apache X509.
  4. Below the signing request is the private key that this web server will use. It’s the private key, so don’t give it to anyone! It is included in case you want to deploy the certificate to another web server and for information only.
  5. Now that you have created a private key and a CSR you have two options.  By far the most recommended option is for you to send your CSR to a reputable certificate supplier.  The other option is to create a Self Signed Certificate.  Just a reminder, this is a certificate that will not be accepted by any of the K1000 Agents until the certificate is added into the trusted certificate database on every machine with an agent on it.  Refer to the group policy link above for instructions on that deployment.
  6. The last step is to upload your certificate.  That is done under K1000 Settings > Security Tab. Enable SSL and you can Browse and Attach your private key and certificate.
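Because every agent switches to SSL as soon as 443 is enabled, it is worth checking the certificate from a client machine before uploading it. The PowerShell below is an added example, not KACE code; the certificate path is hypothetical and the FQDN is the article's example host name.

```powershell
# Added example, not vendor code. Run on a Windows machine that has (or will have) an agent.
$CertPath     = 'C:\certs\k1000.cer'           # hypothetical path to the certificate from the CA
$ExpectedName = 'kboxhostname.company.com'     # the K1000 web server name (FQDN)

function Test-K1000Certificate {
    param([string]$Path, [string]$Fqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Names the certificate covers: SAN DNS entries if present, otherwise the subject CN.
    # Format() output is localized; the 'DNS Name=' pattern assumes an English OS.
    $names = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names = @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    if ($names.Count -eq 0) { $names = @($cert.GetNameInfo('SimpleName', $false)) }

    # Exact match, or a single-label wildcard such as *.company.com.
    $nameOk = $false
    foreach ($n in $names) {
        $wild = $n.StartsWith('*.') -and $Fqdn.Contains('.') -and
                ($Fqdn.Substring($Fqdn.IndexOf('.')) -eq $n.Substring(1))
        if ($n -eq $Fqdn -or $wild) { $nameOk = $true }
    }

    # Would this machine's trust store accept it? Revocation is skipped so the
    # test also works while the appliance is disconnected from the network.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    $now = Get-Date
    [pscustomobject]@{
        Subject     = $cert.Subject
        Names       = $names -join ', '
        NameMatches = $nameOk
        InValidity  = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        Trusted     = $trusted
        ChainStatus = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$result = Test-K1000Certificate -Path $CertPath -Fqdn $ExpectedName
$result | Format-List
if (-not ($result.NameMatches -and $result.InValidity -and $result.Trusted)) {
    Write-Warning 'Certificate fails a check; resolve it before enabling SSL on the K1000.'
}
```

A self-signed certificate reports Trusted = False until it has been deployed to the machine's trusted store, which is the situation step 5 describes.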

May 23, 2012

K2000: Modifying the Registry of a System Image

So you’ve captured an image, but you later realized that you need to change the Windows security settings, add logon commands, delete the KUID of the installed agent before pushing the image out, or add a path to a newer printer driver. There are a million tiny things we forget and then wish we could easily update. Most of these settings involve changing registry keys, and you may think you are out of luck.

The good news: You can make these adjustments without having to Sysprep and recapture! The registry is technically ‘just’ a file that gets loaded during the startup of Windows. Therefore, you can modify the registry contained in the image by downloading the hive file, manipulating it on another computer’s registry editor, and then replacing it within the image on the K2000 appliance.

Let’s take a look at the overall process:

First, we’ll need to get the registry hive from your image.

  1. Go to Deployments > System Images and open your image.
  2. Click on Browse Files, the file system of the image appears in a new window.
  3. Navigate to the directory that contains the registry hive, for example C:\Windows\System32\Config.
  4. There are four hive files: SAM, SECURITY, SOFTWARE and SYSTEM. Click the name of the hive you want to modify and Save the file to your local system. The file tends to be around 22-30 MB.

TIP: Sometimes when you click System32, the K2000 script that loads the file listing takes too long and times out. System32 is a large directory, so this timeout is not uncommon. Because you only need to access the config directory, you do not need to continue to run the script if prompted.

Now that you have the registry file on your computer, you’ll need to load it within your local machine’s registry, make the changes you want, and export it. Here are the general steps for that:

  1. Open your computer’s registry editor.
  2. In the File menu, click Load Hive, and locate the file you downloaded.
  3. You’re prompted for a key name. The registry from your image will be loaded under the name you enter. You might name it something like “TEMP-SYSTEMIMAGE-ImageName”.
  4. Make your changes to the registry that loads under this key.
  5. When you’re finished, right-click on the name of the key where the registry was loaded (TEMP-SYSTEMIMAGE-ImageName) and select Export.
  6. Change the Save as type to Registry Hive Files, enter a name (it does not have to match the downloaded file because the K2000 will use the same name when you replace it in the image), and click Save.

Now it’s time to inject that file back into the K2000 System Image:

  1. From the K2000 image, choose Browse Files.
  2. Locate the registry file you modified, hover over the file name and click the icon with the green arrows.
  3. The replace dialog opens, click Browse, select the modified hive file that you saved on your local machine, and then click Submit.

You’re not quite finished yet! After making a change in Browse Files window you MUST Commit the change.

  1. Close Browse Files and click the Commit button.
  2. Do not leave the page or scroll down and click Save; either of these actions will revert the change.
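The load, edit and save steps can also be scripted with reg.exe, which writes changes straight into the loaded hive file, so no export is needed before uploading it through Browse Files. This PowerShell is an added example, not KACE code; the file paths are hypothetical and the LmCompatibilityLevel change is only an illustration of a security setting stored in the SYSTEM hive.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell prompt.
$Original = 'C:\hives\SYSTEM'             # hypothetical path: hive saved from Browse Files
$Working  = 'C:\hives\SYSTEM.modified'    # edit a copy; keep the original for rollback
$Mount    = 'TEMP-SYSTEMIMAGE-ImageName'  # key name, as in the steps above

Copy-Item -LiteralPath $Original -Destination $Working -Force
$hashBefore = (Get-FileHash -LiteralPath $Original -Algorithm SHA256).Hash

& reg.exe load "HKLM\$Mount" $Working | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    # An offline SYSTEM hive has no CurrentControlSet; Select\Current names the active set.
    $current    = (Get-ItemProperty -Path "HKLM:\$Mount\Select").Current
    $controlSet = 'ControlSet{0:D3}' -f $current

    # Illustrative change (not from the article): send NTLMv2 only, refuse LM and NTLM.
    $lsa = "HKLM:\$Mount\$controlSet\Control\Lsa"
    Set-ItemProperty -Path $lsa -Name 'LmCompatibilityLevel' -Value 5 -Type DWord
    $written = (Get-ItemProperty -Path $lsa).LmCompatibilityLevel
    "Set $controlSet\Control\Lsa\LmCompatibilityLevel = $written"
}
finally {
    # Release any registry handles PowerShell still holds, or the unload is refused.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$Mount" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Hive still loaded under HKLM\$Mount" }
}

# Record both hashes so the file uploaded to the K2000 can be identified later.
$hashAfter = (Get-FileHash -LiteralPath $Working -Algorithm SHA256).Hash
"Original SHA-256: $hashBefore"
"Modified SHA-256: $hashAfter"
```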

May 14, 2012

What you should be doing to keep data safe, but probably are not doing. Yet.

At a recent KACE webinar on security, we asked the attendees to answer a question about security.  We found out they are not feeling entirely secure as only 16% said they feel confident about the security measures they have in place for their organizations.  This is not surprising, considering that attacks are on the rise and increasing in the level of sophistication.

So what can you do to easily step up the security on your systems, particularly those that travel with important company information on them?  If you are already a KACE Kustomer, you can provide encryption protection with Dell Data Protection|Encryption (DDPE) using your KACE console.  Dell KACE and DDPE now work together to complement and reinforce systems management best practices and strong data protection.  The solutions work side-by-side to more easily enable you to manage the configuration of systems and applications, and protect the data on those systems.  Equally importantly they reduce the work of both enforcing policies and proving compliance by simplifying the deployment, configuration and auditing of systems and their security.  This allows you to save significant time over doing manual processes, and helps to ensure policies are enforced and the organization is in compliance.  Using a single set of tools, you can easily provide and demonstrate encryption across an organization, helping to ensure that devices are protected and the organization is compliant.

If you are not yet familiar with DDPE, it delivers endpoint encryption for organizations with Dell and non-Dell notebooks, desktops, workstations and external media devices, enforcing policies and providing auditing capabilities.

Are you interested in learning how you can provide this extra security for your organization? Please make plans to attend a live webinar event on May 24 at 10am PT, entitled: New levels of security: The power to do more with Encryption. To register, click here.

Apr 27, 2012

Freeze and forget with Faronics and KACE

We discovered that KACE customers are also Faronics Deep Freeze customers. In fact, some of our customers were trying to get Deep Freeze and the Dell KACE K1000 to work together in some smart ways. So we pulled together a team from Deep Freeze and KACE to determine how we can best build some integration between our products to provide some additional benefits and some relief to you hard-working IT professionals.

For those of you who may not know about Deep Freeze, it provides the ultimate workstation protection by creating a “frozen” snapshot of a workstation’s configuration and settings. Deep Freeze is invaluable in institutions where both employees and students need full access to their workstations/laptops and need to have the confidence that their computers are up and running at all times.

Dell KACE customers who are looking to strengthen PC security and reduce technical support costs can include Faronics Deep Freeze as part of the Dell KACE K2000 imaging process, so that they never again have to repair a computer damaged by a user’s accidental or malicious activity. Any changes that a user makes to a protected machine will be eliminated upon reboot. The result is a computer that remains in the same perfect working condition it was set up in, days, months, and even years later! Another option is to use the K1000 to automatically “thaw” Deep Freeze computers, securely make changes such as updating software and performing critical patches remotely from a central console, and then have them restart to the new “frozen” baseline.

This integration between the two companies provides enhanced security and lets you automate some of the time-consuming tasks that are necessary to keep systems safe.

If you would like to see a live demonstration, there is a webinar on May 3rd, 2012 at 10:00am PT. To register, go here. If you can’t make the live webinar, it will be recorded and available in our resources center on our website.
