2.6.5 Agentless management

JP1/IT Desktop Management can perform management without an agent having to be installed on the computers (agentless computers). This means that a computer used in research or a server used for business purposes, for example, on which management software cannot be installed for practical reasons, can still be managed under JP1/IT Desktop Management in the same way as a user computer.

To use agentless management, configure computers discovered during a network search as managed computers.

Important note: Configuring a computer for agentless management has security implications. Fully consider the effects before deciding to use agentless management.

Agentless management can be performed using Windows administrative shares or SNMP. The two methods are described below.

Agentless management using Windows administrative shares

Non-resident executable programs are sent periodically to agentless computers via login to Windows administrative shares. The distributed programs collect device information using WMI.

Information is acquired at the following times:

When a network search is executed
At the update interval specified in the Agentless Management view
When you select Update Device Details from the Action menu in the Device list in the Device module.

Tip

You can also collect device information by selecting Update Device Details from the pop-up menu that appears when you right-click a computer name.

Important note: Administrative shares cannot be used in Windows XP Home Edition (Service Pack 2 or 3).

Important note: Agentless management is based on executable programs for acquiring device information, sent from the management server to the managed computers. The Windows security settings block this operation by default. You must therefore lower the security level setting to allow the executable programs to be distributed. Consider how this will affect your system before deciding to change the security level.

Agentless management using SNMP

In this method, device information is collected periodically by SNMP, using authentication via the standard SNMP communication protocol. The information is collected at the same times as for agentless management based on Windows administrative shares.

Setup must be performed on the computers to use Windows administrative shares or SNMP. For details, see 4.2.7 Prerequisites for agentless management.

In agentless management, the functionality available from the management server differs in some respects from the functionality available when using installed agents. For details about the differences, see (1) Functional differences between agent/agentless management.

Organization of this subsection

(1) Functional differences between agent/agentless management
(2) Prerequisites for agentless management
(3) Configuring authentication information for agentless devices
(4) Acquiring information from agentless devices
(5) Mechanism for acquiring device information from agentless devices

(1) Functional differences between agent/agentless management

There are some differences in management server capabilities depending on whether the managed computers have an agent installed or are agentless. In the case of computers with an installed agent, other differences arise depending on whether the computers are managed online or offline.

The following table describes functional differences by configuration type:

Function		Managed computers
		Agent installed		Agentless
		Online management	Offline management	Agentless
Acquisition of device information^#1		Y	Y	D
Security diagnostics	Assign security policies	Y	Y	Y
Security diagnostics	Evaluate security	Y	Y	D^#2
Actions at security policy violation	Automatic security measures	Y	N	N
	Restrict printing	Y	N	N
	Disable data export	Y	N	N
	Disable software startup	Y	N	N
	Acquire operation logs	Y	N	N
	Send warning messages	Y	N	N
	Power on/off	Y	N	N
Management of asset information	Manage hardware	Y	Y^#3	D
	Manage software licenses	Y	Y	D
	Manage software	Y	Y	Y
	Manage contracts	Y	Y	Y
Management of software and file distribution	Distribute software	Y	N	N
	Distribute files	Y	N	N
	Uninstall software	Y	N	N
Remote control of devices	Remote control of computers	Y	N	D^#4
	Connection requests from computers	Y	N	N
	File transfer	Y	N	N
	Chat	Y	N	N
Management of device network connections	Enable network access control	Y	N	N
Management of device network connections	Control network connections	Y	N	Y
Report creation		Y	Y	D

Legend: Y: Supported. D: Depends on the collectable device information. N: Not supported.

#1: The device information that can be collected depends on whether the computers have installed agents or are agentless. See the following for details on the information collected from each type of computer.

#2: Use the Windows Administrative Share feature to evaluate the security of agentless computers. Screensaver security cannot be determined on a per-account basis when using agentless management.

#3: USB devices cannot be registered.

#4: RFB protocol must be used for remote control.

To Page Top

(2) Prerequisites for agentless management

When using agentless management, setup must be completed on both the management server and user computer to collect device information. The range of information that can be acquired depends on the authentication method. The range of information that can be acquired depends on the authentication method. A limited range of information may result in unknown security states and missing data in reports, causing risks to system operation. Select the best authentication method for your security needs.

Setup to collect most of the available device information is easy if you are using Active Directory to manage the computers in your organization. If you are thinking of using agentless management, first make sure that your computers are managed in Active Directory.

Important note: Agentless management is not supported in a NAT environment.

Important note: Do not delete the discovery range or authentication information for any agentless managed device discovered in a network search. Likewise, do not delete the Active Directory setting for any agentless managed device discovered by an Active Directory search. Deleting this setting information prevents device information from being collected. If you mistakenly delete the discovery range, authentication information, or Active Directory setting, add them and then re-execute the network search or Active Directory search to discover the devices.

Important note: In a DHCP environment, if a device's IP address changes, moving outside the discovery range, no information will be collected about that device.

Security management (collecting most of the available device information)

On the user's computer, the following conditions must all be satisfied:

Windows Firewall is disabled.^#
Simple file sharing is disabled.
File and Printer Sharing is enabled.
Windows Administrative Share (ADMIN$) is enabled.
Access to the Interprocess Communications share (IPC$) is enabled.

#: With Windows Firewall enabled, the condition is still satisfied if TCP port 445 is open for traffic.

In addition, authentication information that allows you to log on to managed computers via Windows Administrative Share must be configured on the management server for network searches. However, if you are using Windows 7, Windows Vista, or Windows Server 2008, set up the managed computers to allow logon without UAC authentication.

The following table describes the setup required to acquire device information when Windows Administrative Share is enabled:

OS	Setting
Windows 8	Disable UAC or enable the Administrator account.^# Enable File and Printer Sharing in the Network and Sharing Center window.
Windows 7
Windows Vista	Disable UAC or enable the Administrator account. Enable File sharing in the Network and Sharing Center window.
Windows XP	Disable simple file sharing. Add file shares.
Windows Server 2012	Enable File sharing or File and Printer Sharing in the Network and Sharing Center window.
Windows Server 2008
Windows Server 2003	Setup unnecessary (enabled by default).
Windows 2000	Add file shares.
OS other than Windows	Not supported (cannot be configured for agentless management)
Network device	Not supported (cannot be configured for agentless management)

#: If you are using Windows 8 (no edition), perform this setup by executing the net user command at the command prompt. You cannot enable the Administrator account from the Windows Control Panel.

If these conditions are satisfied, you can acquire most of the available device information. The information collected hardly differs from that collected via agents installed on the managed computers.

Device management (collecting some device information)

Using Active Directory

The following conditions must both be satisfied:

Windows Firewall is disabled on the user's computer.^#
Device information can be collected on the management server by searching Active Directory.

#: With Windows Firewall enabled, the condition is still satisfied if connection is allowed through the port specified in the Active Directory view under General in the Settings module.

Using SNMP

The following condition must be satisfied:

SNMP can be used.
The community name can be authenticated.

The following table describes the setup required to acquire device information using SNMP:

OS	Setting
Windows 8	Install an SNMP agent. Set up the SNMP agent.
Windows 7
Windows Vista
Windows XP
Windows Server 2012
Windows Server 2008
Windows Server 2003
Windows 2000
OS other than Windows
Network device

If these conditions are satisfied, you can acquire some device information such as the device type and computer name. Devices can be managed using this method when security management is unnecessary.

Checking device presence on the network

Check for device presence on the network using ICMP.

The following table describes the setup required to acquire device information using ICMP:

OS	Setting
Windows 8	Allow incoming ICMP echo requests.^#
Windows 7
Windows Vista
Windows XP
Windows Server 2012
Windows Server 2008
Windows Server 2003
Windows 2000
OS other than Windows
Network device

#: In Windows XP or later, you must configure the Windows Firewall to allow ICMP traffic or disable Windows Firewall.

Related Topics:

To Page Top

(3) Configuring authentication information for agentless devices

In the case of agentless devices, information is acquired using a combination of the discovery range and authentication information set for network searches. The acquisition process uses the authentication information set for the discovery range that contains the devices' IP addresses.

The authentication information used for agentless devices can be also set after completion of a discovery.

To set authentication information for an agentless device:

Open the Device module.
Select a group under Device Information in the menu area.
Select an agentless device in the information area.
From the Action menu, select Set Credentials.
Set authentication information in the displayed dialog box.
Click the OK button.

The authentication information to be used for the selected agentless device is now set.

Tip: You can also set authentication information in the IP Address Range view accessed from Configurations in the Settings module.

To Page Top

(4) Acquiring information from agentless devices

The following methods are available for acquiring device information from agentless devices subject to security management:

Administrative shares: Device information is acquired using authentication to Windows administrative shares. Almost the same level of information is collected as when using installed agents.
SNMP: Device information is acquired using SNMP authentication. Only a portion of the device information can be collected.
ARP: Device information is acquired from ARP. Only a portion of the available device information can be collected.
ICMP: Device presence is verified using ICMP (PING). Only IP address information can be collected.

Information is acquired from managed agentless devices using administrative shares or SNMP. ARP and ICMP are used only for data acquisition during network searches.

Whether acquisition is based on administrative shares or SNMP depends on the discovery range and authentication information set in the discovery settings. Information is collected from an agentless device using the authentication information set for the discovery range in which the device's IP address falls. No information is collected if the IP address is outside the discovery range, or if no authentication information has been set, or if authentication fails.

For agentless devices, the available collection methods differ according to the device type, as shown in the table below:

Collection method	Device type
Collection method	Windows computer	OS other than Windows	Network device
Administrative shares	Y	N	N
SNMP	Y	Y	Y
ARP	Y	Y	Y
ICMP	Y	Y	Y

Legend: Y: Can be used. N: Cannot be used.

Timing of device information acquisition

Device information is collected from agentless devices at the following times:

When a network search is executed
When you select Update Device Details from the Action menu in the Device list in the Device module.

To change the collection interval, set the update interval in the Agentless Management view under Agent in the Settings module. The default update interval is one hour.

By selecting Update Device Details in the Device module, you can collect device information at any time you wish.

Device information is not acquired during intensive discovery.

Related Topics:

(5) Mechanism for acquiring device information from agentless devices
(3) Configuring authentication information for agentless devices

To Page Top

(5) Mechanism for acquiring device information from agentless devices

To acquire device information from an agentless computer using authentication to administrative shares, executable programs are sent to the computer.

Three executable programs are sent:

jpngmain.exe
jpnmspushlauncher.exe
jpnmspushservice.exe

These three executable programs generate administrative share files for reporting the collected device information on the computer. The files are then relayed to the management server and device information about the agentless computer is updated.

The executable programs are distributed only at the first run and when the executable programs are upgraded. They are not deleted automatically. If the management server is upgraded or if any of the executable program files are deleted, the executable programs are resent.

Important note: Never delete these executable programs. Deleting them might stop the agentless management functionality from working properly. Anti-virus products installed on a computer can result in an executable program being mistakenly detected as a virus and failing to execute correctly. In such cases, install a management agent

Tip: If login to a Windows administrative share is successful, approximately 2.5 MB of executable code is sent to each computer.

To Page Top