Adjust the LANDESK Mac SDCache Purge Schedule

In my previous post, I discussed how you could push down a script to a Mac to clean up the LANDESK SDCache folder, potentially recovering precious hard drive space.

The script process described previously, while quick and efficient, is more of a band-aid and doesn’t necessarily address the problem of binaries being kept too long on the Mac, especially on Macs with very small hard drives.

While having an SDCache folder full of binaries can be helpful, especially on bandwidth-constrained networks where other clients can pull directly from that local Mac instead of the source file share, you may find you just need to shorten the number of days some of your Macs keep files within the SDCache folder. Doing so saves you the headache of help desk calls from users complaining that their machine is out of hard drive space.

The XML file that controls the schedule for the SDCache purge is located in the /Library/Application Support/LANDesk/scheduler folder and is titled ldcron-sdclean.xml.

If you crack that file open with a text editor, you’ll notice it contains the same command line text we used to purge the SDCache folder manually.

find /Library/Application\ Support/LANDesk/sdcache/* -mtime +45 -exec rm -rf {} \;

All you need to do is copy off the ldcron-sdclean.xml file from one of your machines or download an example from my GitHub repository, and adjust the -mtime +45 to align with your needs.  Setting a value of +10 will tell LANDESK to purge any file within the SDCache folder older than 10 days, +3 would purge any file older than 3 days and so on.  So set the appropriate value, using your favorite text editor, and then save the updated file to one of your file repository shares.

Now we need to create a Mac package to deploy out the updated ldcron-sdclean.xml file to all of the Macs that need to be updated.  I’ve written a script, again available on my GitHub page, titled changeSDCachePurgeTime.sh that will do exactly that. Basically, it uses the LANDESK sdclient tool to download the XML file and place it into the /Library/Application Support/LANDesk/scheduler folder.

In order for you to use the script, you just need to change the fileToCopy variable path to match the location you saved your ldcron-sdclean.xml file to.  Other than that, it should be totally ready to go.

#!/bin/sh

# changeSDCachePurgeTime
# Created by Bennett Norton on 9/21/16.
# This script will copy the updated SDCache XML to the target machine with the updated sdcache time purge


#Script Variables
#change the IP address to match your http package share hosting the updated ldcron-sdclean.xml file
fileToCopy="http://192.168.29.13/SoftwareDist/MacPackages/ldcron-sdclean.xml"
destinationLocation="/Library/Application Support/LANDesk/scheduler"


#sdclient downloads the updated ldcron-sdclean.xml file and places it in the scheduler folder
/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$fileToCopy" -destdir "$destinationLocation"

If you decide to write your own script, just make sure you set the execute permissions on the file prior to copying it to your file share.

sudo chmod +x /path/to/script.sh

Now you’re ready to create your Mac package and deploy.  The directions to do so are below.

Creating LANDESK Management Suite Mac Packages

  1. Open the LANDESK Console
  2. Navigate to the top menu bar, select Tools > Distribution > Distribution Packages.
  3. In the lower left menu tree, highlight My Packages or Public Packages from within the Distribution Packages window
  4. On the Distribution menu bar, press the New Package button and select New Macintosh Package.
  5. Give the package a name
  6. Provide a description as well as any metadata information desired
  7. Set the primary file to the script file you previously transferred to your package share
  8. Fill out the Metadata details if desired, specifically supplying a logo so it shows up properly in the portal
  9. Save the package

Creating a Scheduled Mac Software Distribution Task

  1. Right click on the Mac software distribution package created and select Create Scheduled Task
  2. From the network view, select and drag the desired machine(s), user(s) or query(ies) and drop them onto the task
  3. Now, right click on the task and select properties
  4. Set the desired Task type under Task Settings as to whether you want a push, a policy or a hybrid of the two types in a policy-supported push
  5. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  6. Change the Reboot Settings or Distribution and Patch settings if desired
  7. Set the schedule task settings with the appropriate start time

Problem totally solved, right?

Well, not quite.  If at any time in the future you redeploy the LANDESK Mac agent, the ldcron-scheduler.xml file will be overwritten with the default +45 day value.  You could always write a custom definition, if you’re a LANDESK Patch customer, to watch for that value and remediate if detected.  However, that may be more work than it’s worth to you if you only have a couple of machines you’re concerned about.  So just be cognizant that an agent deployment will reset the value, and redeploy your package if need be.
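
One way to script both the edit described earlier and the "watch for that value" check, as an added example that is not part of the original post or the author's GitHub scripts. The function names and the XML wrapper in the sample file are assumptions; only the find command text comes from the post.

```sh
#!/bin/sh
# Added example: audit and correct the SDCache purge age in ldcron-sdclean.xml.
# Only the "-mtime +N" text is taken from the post; the XML wrapper written
# by make_sample is constructed for illustration.

# Print the day count that follows "-mtime +" in the given file.
# Returns 1 if the file is missing or holds no such value.
get_purge_days() {
    [ -f "$1" ] || return 1
    days=$(sed -n 's/.*-mtime +\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$days" ] || return 1
    printf '%s\n' "$days"
}

# Rewrite the purge age, accepting only a plain integer so that no other
# text can end up inside a command the agent later runs.
set_purge_days() {
    case "$2" in
        ''|*[!0-9]*) echo "invalid day count: $2" >&2; return 2 ;;
    esac
    get_purge_days "$1" >/dev/null || return 1
    tmp=$(mktemp "$1.XXXXXX") || return 1
    # Write back through the existing file so its owner and mode are kept.
    sed "s/-mtime +[0-9][0-9]*/-mtime +$2/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Compare the file against the wanted value: 0 = compliant, 1 = drift/unreadable.
check_purge_days() {
    current=$(get_purge_days "$1") || { echo "UNKNOWN"; return 1; }
    if [ "$current" -eq "$2" ]; then
        echo "OK $current"
    else
        echo "DRIFT $current (want $2)"; return 1
    fi
}

# Constructed sample carrying the agent's default value of 45 days.
make_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!-- constructed sample, not the real file layout -->
<job>
  <command>find /Library/Application\ Support/LANDesk/sdcache/* -mtime +45 -exec rm -rf {} \;</command>
</job>
EOF
}
```

Run check_purge_days against the file in the scheduler folder after each agent redeployment; a DRIFT result means the package needs to go out again.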

 

Recover Hard Drive Space by Purging the LANDESK SDCache Folder

Whenever a Mac is told to perform a software distribution or patch task, the LANDESK agent will download the binaries for that task and store them in the sdcache folder found under /Library/Application Support/LANDesk. By default, the LANDESK agent will purge any file older than 45 days, so in most scenarios, there is little need to pay attention to what is in that folder.

However, if you find that your Mac is short on hard drive space, perhaps due to the gigabytes of patch binaries that were placed on it after having recently updated to the 64-bit version of Microsoft Office, you might find the little purgeSDCache.sh script, available on my GitHub site or pasted below, a beneficial tool to have ready in your arsenal of LANDESK packages.

#!/bin/sh

# purgeSDCache.sh
# Created by Bennett Norton on 9/16/16.
# This script will delete files/folders older than a set number of days from the LANDESK sdcache folder
# Change the path variable if needed


#Script Variables
#change this variable if your sdcache folder lives at a different path
landeskPath="/Library/Application Support/LANDesk/sdcache"


#Check to see if destination path exists and if it does, delete the files older than x number of days old
#The +10 after the -mtime switch tells the command to delete everything older than 10 days. You can adjust that number.
if [ -d "$landeskPath" ]; then
 echo "LANDESK Agent present, deleting sdcache contents older than 10 days."
 find "$landeskPath"/* -mtime +10 -exec rm -rf {} \;
fi

So what does this script do?  It is quite simple, really: the script searches inside the SDCache folder and deletes any and all files older than “10 days.” You can easily adjust the age of the files to keep, and there is no reason you can’t set that value to 0 days and essentially purge everything.  Just adjust the number after the -mtime switch to whatever suits you.

Now you just have to create the package and deploy to the machines that are short on hard drive space.  Just remember to set the execute permissions on your script prior to copying it to your file share.  You do that by opening Terminal and running the command below:

sudo chmod +x /path/to/script.sh

Update the License For LANDESK AV 10 on macOS Sierra

I recently updated to LANDESK Management Suite 2016 SU5 so I could receive the needed AV support for macOS Sierra.

When my Mac agent updated, it automatically updated LANDESK AV from version 8 to version 10, which was nice.  It was after this update that the LANDESK AV window popped up on my Mac client letting me know my license key was about to expire.

To remedy this, I obtained my updated license key and updated my core server with the new AV license following this how-to guide.

By design, forcing a security scan on the client should cause the machine to pull the updated license file from the core.  However, my machine was being stubborn and would not pull the newly applied license.  Rather than troubleshoot the process, I figured it would be quicker to write a script to download it and apply it.  I figured having a package to push out would be more efficient in the long run if I had more than one machine that wouldn’t update its license file.

The entire script is very short.  There are two variables, one for the source file location and the second for the destination location.  There are also two actions, one to download the file and the second to tell the AV agent to update its license.  I’ve uploaded my script to GitHub; you can download it here. For ease of discussion, the entire script is available below.

#!/bin/sh

# LDAVLicenseInstall
# Created by Bennett Norton on 9/21/16.
# This script will download the latest LANDESK AV license key and apply it


#Script Variables
#change the IP address to match your core server IP address
fileToCopy="http://192.168.29.13/ldlogon/avclient/install/key/ldav.key"
destinationLocation="/Library/Application Support/LANDesk/sdcache"


#sdclient downloads the license key and the kav addkey applies the key
/Library/Application\ Support/LANDesk/bin/sdclient -noinstall -package "$fileToCopy" -destdir "$destinationLocation"
kav addkey "$destinationLocation"/ldav.key

The only thing you need to do in your version of the script is to update the fileToCopy path with the appropriate IP address.  You shouldn’t need to adjust anything else.  SDClient is downloading the key from the ldlogon/avclient/install/key folder, which should be the same for everyone.  You can change the destination location if desired; I’ve put it into the standard sdcache folder so it’ll get purged in 45 days.

fileToCopy="http://192.168.29.13/ldlogon/avclient/install/key/ldav.key"

Again, as mentioned in previous posts, save this file as a .sh file and set the execute permission on it by running the command below.

sudo chmod +x /path/to/script.sh

Once you’ve set the execute permissions, copy the script to your package repository and create a LANDESK Software Distribution package to deploy.

Prevent Users from Installing macOS Sierra using LANDESK Security Suite 2016

On September 20, 2016 Apple will release its next generation operating system, macOS Sierra.  While Apple may think it’s great that the Siri-enabled Mac can do “even more for us, so we can do more with our Mac”, as an organization, we may not be quite ready to introduce macOS Sierra into our environments.  If you’re looking at your calendar trying to figure out if you’re going to be able to finish validating that your AV and your critical business applications are fully functioning with macOS Sierra, you can use LANDESK Security Suite to temporarily block the installer from running.  Going this route will give you the extra days/weeks you need to finish validating the OS without having to worry about who is going to install the update and be calling you tomorrow wondering why their VPN won’t work.

The process to block an application in LANDESK Security Suite is quite easy and should only take you a couple of minutes to set up your policy and get it deployed.

    1. Launch the LANDESK Console
    2. Go to Tools > Security and Compliance > Patch and compliance
    3. From the menu bar, select the first button that may be titled All Types, but could be Antivirus, Blocked applications, Custom definition, Driver, LANDESK update, Security threat, Software update, Spyware or Vulnerability. Select Blocked applications if not already selected.
    4. Expand out the Blocked applications (all items) menu tree
    5. Right click on the Block folder and Add File
    6. Insert “Install macOS Sierra.app” or whatever the final name of the OS installer is. Currently, the developer beta is “Install macOS Sierra Developer Beta.app”
    7. Check the box at the bottom that says Mac and uncheck the Windows box.
    8. If you don’t want to block the installer globally, click on the Block Status tab and select which Scopes the restriction should be applied to.
    9. Click OK.

Now that you have the blocked app definition created, you need to make sure the LANDESK security scanner has been enabled for blocked app scanning.  To validate this or to set this, go through the steps below:

  1. Go to Tools > Security and Compliance > Agent Settings
  2. From the All Agent Settings menu tree, click on Distribution and Patch
  3. Open the Distribution and Patch setting assigned to your Macs. If you have more than one, edit each one respectively.
  4. Go to the Scan Options section under Patch-only settings and make sure the Blocked applications checkbox is checked.
  5. Click Save

At this point, your machines will automatically receive the change and begin blocking the macOS installer the next time a security scan is initiated. If you created an entirely new Distribution and Patch setting, different from the one currently applied to the Mac, you’ll need to create a Change Agent Settings task.

  1. While still in the Agent Settings window, click on the Calendar/Clock icon (it’s the second one in the menu bar) and then select Change Settings.
  2. Give your task an appropriate name; I named mine “Blocked Apps Agent Settings”
  3. Find Distribution and Patch from the list on the right hand side of the panel and click on the corresponding Keep agent’s current settings.
  4. Find your newly created Distribution and Patch setting and select it.
  5. Now set your desired Task Settings (policy, push, policy supported push) and desired portal settings (required, recommended, optional). I used a policy-supported push and required.
  6. Add in your Targets
  7. Schedule your Change Settings task

That’s it.  Now, whenever someone attempts to launch the macOS Installer they’re going to get a nice Application Denied prompt like the one below.

SSH LANDESK Agent Installer Script

The other day I was working with a customer whose LANDESK Console was unable to successfully push an agent to a Mac device, despite having SSH access when using Terminal.

As a result, I wrote a script that was used to deploy the agent without leveraging the LANDESK console.  I figured the script could be useful for other new customers that may already have Apple Remote Desktop or some other software distribution tool in place and could use this script to deploy the LANDESK agent in their environment.

The entire script can be downloaded from GitHub inside the Custom SSH Agent Install folder.

The script is quite simple.  The first section establishes the variables.  Replace the path for your core with the appropriate IP address and change the name of the agent to match your unique name.  Remember to properly handle spaces if need be.  And that should be all you need to change in this script.  Everything else should work in your environment as written.

#!/bin/bash 
## replace "http://192.168.29.13/ldlogon/mac/" with your core server FQDN or IP
## replace "BaseMacAgentnoav.dmg" with your agent name, remembering to appropriately handle spaces in the name if applicable.
CORE=http://192.168.29.13/ldlogon/mac/
AGENTNAME=BaseMacAgentnoav.dmg

The subsequent section checks to see if the LANDESK folder already exists on the Mac.  If it does, the script will exit out.  This will ensure you’re not re-installing an agent on a machine that is under management.

## detect if the agent is already installed
if [ -d "/Library/Application Support/LANDESK" ]; then
 echo 'The LANDESK Agent is Installed'
 exit 1
 
 else echo 'The LANDESK Agent Needs to be Installed'

If the LANDESK folder path does not exist, we will use curl to download the agent from the defined variables above.

 ## download the agent
 curl -o "$AGENTNAME" "$CORE/$AGENTNAME"

Once the agent DMG is downloaded, we need to mount it and kick off the installer.

## mount the dmg
 hdiutil attach "$AGENTNAME"

## install the agent
 sudo -S installer -pkg /Volumes/LDMSClient/ldmsagent.pkg -target /

With the agent installed, we’ll detach the volume, remove the downloaded agent DMG, and close out our if statement that determined if the folder path existed or not.

 ## detach the volume and delete the downloaded DMG
 hdiutil detach /Volumes/LDMSClient
 rm "$AGENTNAME"
 exit 0
fi

There you have it, hopefully that will assist you in getting the LANDESK agent installed remotely, without having to use the LANDESK console.