LANDESK Mac Management Part 4: Patching OS X and 3rd Party Applications

In part 4 of this LANDESK Mac Management series, we’ll demonstrate how you can patch the Mac OS, walking through the reboot process as well as patching 3rd party application titles on the machine; which typically don’t require a reboot to take place.

UEMB260 – Define and Maintain a Desired State Configuration on your Macs Using Custom Scripts and LANDESK Patch

Slides: https://appleintheenterprise.files.wordpress.com/2016/05/desired-state-management-os-x-interchange-16.pptx

GitHub: https://github.com/northice/LDMS-Scripts

 

 

Provide Remote Assistance to Your Off-Network OS X Users

It’s forecasted that 202 million laptops will be sold in 2016, compared to 127 million desktops.  As we all know, laptops are mobile and often off of the corporate network.  Not only does that mean the device should have proper encryption to protect the private data, it also means that standard administrative tasks such as patching a machine, distributing software and having access to the device to perform a remote control session can be much more problematic – or even down right impossible with the current management tools.

For LANDESK Management Suite customers, however, off-network access is completely feasible. An administrator can essentially follow the exact same workflow to patch, distribute software or perform a remote control session when properly configured with a LANDESK Cloud Service Appliance.  No VPN is necessary and no end-user interaction is required!

If you need to know how to install a Cloud Service Appliance in your environment, see Best Known Method for Configuring LANDESK Cloud Service Appliance (former Management Gateway) version 4.2 and newer

Better yet, in LANDESK Management Suite 2016, the certificate approval process has been significantly simplified by switching the certificate approval process to the core server. Essentially every agent install will create certificate for the Cloud Service Appliance and present itself to the LANDESK Core Server.  The administrator just needs to approve or block the per device certificate on the LANDESK core to grant or deny that device off-network access.  For more detail around this process, see this LANDESK Community article.

Once the certificate is approved on the core server for the device, an administrator can deploy patches and software distribution via a policy delivery method and perform an on-demand remote control session to the device off the network.  The client will also continue to send in it’s scheduled inventory and security scans assuming it has internet connectivity.

How to Perform a Remote Control Session to an Off-Network OS X Device

  1. Launch the LANDESK Management Suite Console
  2. Expand the Network View and find Devices > All Devices
  3. Find your desired machine from the list or use the search bar at top
  4. Right click on your OS X device and select ‘HTML remote control’ and the machine’s default browser should launch
    • If nothing happens and you don’t see a browser launch, it means the machine is not connected to the CSA and may either be powered off or without internet connectivity.
    • To verify, you can go to the remote control page on the CSA by using the URL: https://cloudserviceappliancename/rc. Not only this an alternative way to remote control a machine, but it will show you a list of all available clients that have an active internet connection.
  5. Enter your LANDESK username, password and the domain associated with the user that has access to perform a remote control session. If you’re using a local account, you can leave the domain blank.
  6. Note: Not only does the user need to be a remote control operator, but the machine must be enabled for remote control as well. Furthermore, the machine may be setup with user permissions that would require someone physically present on the device to grant access.

How to Deploy Software to an Off-network OS X Device

 When a LANDESK agent is deployed to a client device, is creates a scheduled task to call back into the core server to see what policies it has been targeted for.  For machines that are going to be off-network you may want to set policy check in to be every 2 hours. There is obviously a trade-off between over burdening the core server with requests and knowing a machine only checks in once a week, so find what the right balance is for your environment.

  1. Open the Distribution Packages tool within the LANDESK console
  2. Right click on the Mac software distribution package to deploy and select Create Scheduled Task
  3. Right click on the scheduled task that was generated and select properties
  4. Add your desired targets to the Targets menu
  5. Set the Task type under Task Settings as a policy
  6. If you’re targeting a group of machines that may have some of them on the network and some off, you may want to use a policy-supported push
  7. Set the radio button in the Portal Settings to either Recommended or Optional if you desire to put the package into Workspaces.  If you’d like to automatically deploy the app, select Run automatically
  8. Change the Reboot Settings or Distribution and Patch settings if desired
  9. Set the schedule task settings with the appropriate start time

How to Deploy Patches to an Off-network OS X Device

  1. Open the Patch and Compliance tool within the LANDESK console
  2. Ensure your desired content is in the Scan folder
  3. Right click on the definition and select Repair
  4. From the Add targets select on the Repair settings task panel, select Add all affected computers
  5. Set the Task type under Task Settings as a policy
  6. If you’re targeting a group of machines that may have some of them on the network and some off, you may want to use a policy-supported push
  7. Ensure the Display in portal option for the portal settings panel is set to Run automatically (unless you want your users to update their own apps, in which case you can select Recommended or Optional)
  8. Schedule the task to start when desired from the Schedule task panel
  9. Save the task