Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Overview and System Design Guide


2.6.5 Agentless management

JP1/IT Desktop Management 2 can perform management without an agent having to be installed on the computers (agentless computers). This means that a computer used in research or a server used for business purposes, for example, on which management software cannot be installed for practical reasons, can still be managed under JP1/IT Desktop Management 2 in the same way as a user computer.

To use agentless management, configure computers discovered during a network search as managed computers.

Important note

Configuring a computer for agentless management has security implications. Fully consider the effects before deciding to use agentless management.

Agentless management can be performed using Windows administrative shares, SNMP, or Active Directory. The three methods are described below:

Agentless management using Windows administrative shares

Non-resident executable programs are sent periodically to agentless computers via login to Windows administrative shares. The distributed programs collect device information using WMI.

Information is acquired at the following times:

  • When a network search is executed

  • At the update interval specified in the Agentless Management view

  • When you select Update Device Details from the Action menu in the Device list in the Device module.

    Tip

    You can also collect device information by selecting Update Device Details from the pop-up menu that appears when you right-click a computer name.

Important note

Agentless management is based on executable programs for acquiring device information, sent from the management server to the managed computers. The Windows security settings block this operation by default. You must therefore lower the security level setting to allow the executable programs to be distributed. Consider how this will affect your system before deciding to change the security level.

Agentless management using SNMP

In this method, device information is collected periodically by SNMP, using authentication via the standard SNMP communication protocol. The information is collected at the same times as for agentless management based on Windows administrative shares.

Agentless management using Active Directory

In this method, device information is collected for devices managed by Active Directory.

Information is acquired at the following times:

  • When a network search is executed

  • When you select Update Device Details from the Action menu in the Device list in the Device module

Important note

Agentless management using Active Directory collects information on the domain controller. If the domain controller and managed devices are out of sync, the collected information might differ from the information of the managed devices.

Setup must be performed on the computers to use Windows administrative shares, SNMP, or Active Directory. For details, see 4.2.7 Prerequisites for agentless management.

In agentless management, the functionality available from the management server differs in some respects from the functionality available when using installed agents. For details about the differences, see (1) Functional differences between agent/agentless management.

Important note

To perform agentless security management, use Windows administrative shares.

(1) Functional differences between agent/agentless management

There are some differences in management server capabilities depending on whether the managed computers have an agent installed or are agentless. In the case of computers with an installed agent, other differences arise depending on whether the computers are managed online or offline.

The following table describes functional differences by configuration type:

Function                                Managed computers
                                        Agent installed                         Agentless
                                        Online management   Offline management
------------------------------------------------------------------------------------------
Acquisition of device information#1     Y                   Y                   D
Security diagnostics
  Assign security policies              Y                   Y                   Y
  Evaluate security                     Y                   Y                   D#2
Actions at security policy violation
  Automatic security measures           Y                   N                   N
  Restrict printing                     Y                   N                   N
  Disable data export                   Y                   N                   N
  Disable software startup              Y                   N                   N
  Acquire operation logs                Y                   N                   N
  Send warning messages                 Y                   N                   N
  Power on/off                          Y                   N                   N
Management of asset information
  Manage hardware                       Y                   Y#3                 D
  Manage software licenses              Y                   Y                   D
  Manage software                       Y                   Y                   Y
  Manage contracts                      Y                   Y                   Y
Distribution of software and files
  Distribute software                   Y                   Y#4                 N
  Distribute files                      Y                   Y#4                 N
  Uninstall software                    Y                   N                   N
Remote control of devices
  Remote control of computers           Y                   N                   D#5
  Connection requests from computers    Y                   N                   N
  File transfer                         Y                   N                   N
  Chat                                  Y                   N                   N
Management of device network connections
  Enable network access control         Y                   N                   N
  Control network connections           Y                   N                   Y
Report creation                         Y                   Y                   D

Legend: Y: Supported. D: Depends on the collectable device information. N: Not supported.

#1: The device information that can be collected depends on whether the computers have installed agents or are agentless. See the following for details on the information collected from each type of computer.

#2: Use the Windows Administrative Share feature to evaluate the security of agentless computers. Screensaver security cannot be determined on a per-account basis when using agentless management.

#3: USB devices cannot be registered.

#4: Only distribution using Remote Installation Manager can be performed. ITDM-compatible distribution cannot be performed.

#5: RFB protocol must be used for remote control.

(2) Prerequisites for agentless management

When using agentless management, setup must be completed on both the management server and the user computers before device information can be collected. The range of information that can be acquired depends on the authentication method. A limited range of information may leave security states unknown and data missing from reports, creating risks to system operation. Select the authentication method that best fits your security needs.

Setup to collect most of the available device information is easy if you are using Active Directory to manage the computers in your organization. If you are thinking of using agentless management, first make sure that your computers are managed in Active Directory.

For differences between the types of device information that can be collected, see 2.6.2 Collecting device information.

Important note

Agentless management is not supported in a NAT environment.

Important note

Do not delete the discovery range or authentication information for any agentless managed device discovered in a network search. Likewise, do not delete the Active Directory setting for any agentless managed device discovered by an Active Directory search. Deleting this setting information prevents device information from being collected. If you mistakenly delete the discovery range, authentication information, or Active Directory setting, add them and then re-execute the network search or Active Directory search to discover the devices.

Important note

In a DHCP environment, if a device's IP address changes, moving outside the discovery range, no information will be collected about that device.

When using Windows administrative shares to perform agentless management

All the following conditions must be satisfied:

#1: Even if Windows Firewall is enabled, the condition is still satisfied if TCP (port 445) is open for traffic.

#2: The authentication information for logging in to the target computer by using Windows administrative shares must satisfy either of the following conditions:

How to enable Windows administrative shares differs depending on the OS on the user's computer. The following settings are required to enable Windows administrative shares:

OS                                          Setting
Windows 8.1, Windows 8                      • Disable UAC or enable the Administrator account.#1
                                            • Enable File and Printer Sharing in the Network and Sharing Center window.
Windows 7, Windows Vista                    • Disable UAC or enable the Administrator account.
                                            • Enable File sharing in the Network and Sharing Center window.
Windows XP#2                                • Disable simple file sharing.
                                            • Add file shares.
Windows Server 2012                         Enable File sharing or File and Printer Sharing in the Network and Sharing Center window.
Windows Server 2008, Windows Server 2003    Setup unnecessary (enabled by default).
Windows 2000                                Add file shares.
Computer other than Windows                 Not supported (cannot be configured).
Network device                              Not supported (cannot be configured).

#1: If you are using Windows 8.1 or Windows 8 (no edition), perform this setup by executing the net user command at the command prompt. You cannot enable the Administrator account from the Windows Control Panel.

#2: In Windows XP Home Edition (Service Pack 2 and 3), Windows administrative shares cannot be used.

If these conditions are satisfied, you can acquire most of the available device information. The information collected hardly differs from that collected via agents installed on the managed computers.

When using SNMP to perform agentless management

The following conditions must be satisfied:

The following table describes the setup required to acquire device information using SNMP:

OS                                          Setting
Windows 8.1, Windows 8, Windows 7,          • Install an SNMP agent.
Windows Vista, Windows XP,                  • Set up the SNMP agent.
Windows Server 2012, Windows Server 2008,
Windows Server 2003, Windows 2000,
computer other than Windows, network device
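The manual only says to install and set up the SNMP agent. The following PowerShell script is an added example, not part of the Hitachi manual or product: run in an elevated PowerShell on a Windows computer that is to be managed agentless by SNMP, it reads the Windows SNMP service configuration and reports the points a defender should check before exposing the agent to the management server. The registry path is the standard location of the Windows SNMP service settings; the management server address 192.0.2.10 is a constructed placeholder.

```powershell
# Added example (not from the Hitachi manual). Audit the Windows SNMP agent on a
# computer that is to be managed agentless by SNMP: community strings, their rights,
# and the hosts allowed to query the agent. Run in an elevated PowerShell.
param([string]$ManagementServer = '192.0.2.10')   # placeholder address, constructed

# Standard registry location of the Windows SNMP service configuration.
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$rights = @{ 1 = 'None'; 2 = 'Notify'; 4 = 'Read only'; 8 = 'Read/write'; 16 = 'Read/create' }

$svc = Get-Service -Name SNMP -ErrorAction SilentlyContinue
if (-not $svc) { throw 'SNMP agent is not installed on this computer.' }

# Each community string is a value name under ValidCommunities; its data is the right.
$communities = @((Get-ItemProperty "$base\ValidCommunities" -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } |
    ForEach-Object { [pscustomobject]@{ Community = $_.Name; Rights = $rights[[int]$_.Value] } })

# Permitted managers are numbered values (1, 2, ...) holding host names or addresses;
# an empty list means the agent answers queries from any host.
$managers = @((Get-ItemProperty "$base\PermittedManagers" -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } | Select-Object -ExpandProperty Value)

$findings = @()
if ($communities.Community -contains 'public')         { $findings += 'default community "public" is configured' }
if ($communities | Where-Object Rights -ne 'Read only') { $findings += 'a community has more than read-only rights' }
if ($managers.Count -eq 0)                              { $findings += 'PermittedManagers is empty: any host may query the agent' }
elseif ($managers -notcontains $ManagementServer)       { $findings += "management server $ManagementServer is not a permitted manager" }

[pscustomobject]@{
    SnmpService = $svc.Status
    Communities = ($communities | ForEach-Object { "$($_.Community)=$($_.Rights)" }) -join ', '
    Managers    = $managers -join ', '
    Findings    = if ($findings) { $findings -join '; ' } else { 'none' }
} | Format-List
```

Device information collection only needs read access, so a read-only community known to the management server alone, with that server as the only permitted manager, is sufficient for this method.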

When using Active Directory to perform agentless management

Both the following conditions must be satisfied:

#: If Windows Firewall is enabled, the condition is still satisfied if traffic is allowed on the port number specified in the Active Directory settings view (accessed from the General view in the Settings module).

When using ICMP to perform agentless management

ICMP must be available for use.

The following table describes the setup required to acquire device information using ICMP:

OS                                          Setting
Windows 8.1, Windows 8, Windows 7,          Allow incoming ICMP echo requests.#
Windows Vista, Windows XP,
Windows Server 2012, Windows Server 2008,
Windows Server 2003, Windows 2000,
computer other than Windows, network device

#: In Windows XP or later, you must configure the Windows Firewall to allow ICMP traffic or disable Windows Firewall.
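The following PowerShell script is an added example, not part of the Hitachi manual or product. It serves both the Windows administrative shares prerequisites (UAC or the Administrator account, the administrative shares, inbound TCP 445) and the ICMP prerequisite (inbound echo requests) described above: run locally in an elevated PowerShell on Windows 8.1 or Windows Server 2012 and later (where the NetSecurity and SmbShare cmdlets exist), it reports each setting and whether the inbound SMB rule is limited to the management server. The built-in firewall rule display names and the EnableLUA registry value are the standard Windows names; the management server address 192.0.2.10 is a constructed placeholder.

```powershell
# Added example (not from the Hitachi manual). Audit the local Windows settings that
# agentless management via administrative shares and ICMP depends on. Requires an
# elevated PowerShell on Windows 8.1 / Windows Server 2012 or later.
param(
    [string]$ManagementServer = '192.0.2.10',   # placeholder address, constructed
    [switch]$ScopeSmbToServer                   # opt in: limit inbound SMB to that address
)

# Built-in rule names of the Windows "File and Printer Sharing" firewall group.
$smbRuleName  = 'File and Printer Sharing (SMB-In)'
$icmpRuleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'

# "Disable UAC or enable the Administrator account": EnableLUA=0 means UAC is off;
# 'net user' output is parsed because Get-LocalUser does not exist on Windows 8.1.
$uacPolicy   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$adminActive = [bool]((net user Administrator 2>$null) -match 'Account active\s+Yes')

# The administrative shares themselves (ADMIN$, C$, IPC$ are reported as special shares).
$specialShares = (Get-SmbShare -Special).Name

# Inbound SMB (TCP 445) must be open; record which remote addresses the rule admits.
$smbRules = Get-NetFirewallRule -DisplayName $smbRuleName
$smbScope = @($smbRules | Get-NetFirewallAddressFilter |
              Select-Object -ExpandProperty RemoteAddress -Unique)

# The ICMP method needs inbound echo requests to be allowed.
$icmpRules = Get-NetFirewallRule -DisplayName $icmpRuleName

[pscustomobject]@{
    UacDisabledOrAdminEnabled = ($uacPolicy.EnableLUA -eq 0) -or $adminActive
    AdminShares               = $specialShares -join ', '
    SmbInEnabled              = @($smbRules | Where-Object Enabled -eq 'True').Count -gt 0
    SmbInRemoteAddress        = $smbScope -join ', '
    SmbInScopedToServer       = ($smbScope -join ',') -eq $ManagementServer
    IcmpEchoInEnabled         = @($icmpRules | Where-Object Enabled -eq 'True').Count -gt 0
} | Format-List

# The manual warns that this method lowers the security level. The exposure is smaller
# when TCP 445 is reachable only from the management server rather than from 'Any'.
if ($ScopeSmbToServer) {
    Set-NetFirewallRule -DisplayName $smbRuleName -Enabled True -RemoteAddress $ManagementServer
    Write-Host "Inbound SMB is now limited to $ManagementServer"
}
```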

(3) Configuring authentication information for agentless devices

In the case of agentless devices, information is acquired using a combination of the discovery range and authentication information set for network searches. The acquisition process uses the authentication information set for the discovery range that contains the devices' IP addresses.

The authentication information used for agentless devices can also be set after a discovery has completed.

To set authentication information for an agentless device:

  1. Open the Device module.

  2. Select a group under Device Information in the menu area.

  3. Select an agentless device in the information area.

  4. From the Action menu, select Set Credentials.

  5. Set authentication information in the displayed dialog box.

  6. Click the OK button.

The authentication information to be used for the selected agentless device is now set.

Tip

You can also set authentication information in the IP Address Range view accessed from Configurations in the Settings module.

(4) Acquiring information from agentless devices

The following methods are available for acquiring device information from agentless devices.

Administrative shares

Device information is acquired using authentication to Windows administrative shares. Almost the same level of information is collected as when using installed agents.

SNMP

Device information is acquired using SNMP authentication. Only a portion of the device information can be collected.

Active Directory

Device information is acquired with reference to the device information managed by Active Directory. Only the portion of device information that can be acquired from Active Directory can be collected.

ARP

Device information is acquired from ARP. Only a portion of the available device information can be collected.

ICMP

Device presence is verified using ICMP (PING). Only IP address information can be collected.

Information is acquired from managed agentless devices using administrative shares or SNMP. ARP and ICMP are used only for devices on which administrative shares or SNMP authentication have failed. ARP and ICMP are never used for devices on which administrative shares or SNMP authentication have succeeded.

Whether acquisition is based on administrative shares or SNMP depends on the discovery range and authentication information set in the discovery settings. Information is collected from an agentless device using the authentication information set for the discovery range in which the device's IP address falls. No information is collected if the IP address is outside the discovery range, or if no authentication information has been set, or if authentication fails.

For agentless devices, the available collection methods differ according to the device type, as shown in the table below:

Collection method          Device type
                           Windows computer    OS other than Windows    Network device
--------------------------------------------------------------------------------------
Administrative shares      Y                   N                        N
SNMP                       Y                   Y                        Y
Active Directory           Y                   N                        N
ARP                        Y                   Y                        Y
ICMP                       Y                   Y                        Y

Legend: Y: Can be used. N: Cannot be used.

Timing of device information acquisition

Device information is collected from agentless devices at the following times:

To change the collection interval, set the update interval in the Agentless Management view under Agent in the Settings module. The default update interval is one hour.

By selecting Update Device Details in the Device module, you can collect device information at any time you wish.

Device information is not acquired during intensive discovery.

Important note

If Active Directory is used, the device information is collected when a search for a device registered in Active Directory is performed.

(5) Mechanism for acquiring device information from agentless devices

To acquire device information from an agentless computer using authentication to administrative shares, executable programs are sent to the computer.

Three executable programs are sent:

These three executable programs generate administrative share files for reporting the collected device information on the computer. The files are then relayed to the management server and device information about the agentless computer is updated.

The executable programs are distributed only at the first run and when the executable programs are upgraded. They are not deleted automatically. If the management server is upgraded or if any of the executable program files are deleted, the executable programs are resent.

Important note

Never delete these executable programs. Deleting them might stop the agentless management functionality from working properly. Anti-virus products installed on a computer might mistakenly detect an executable program as a virus and prevent it from executing correctly. In such cases, install a management agent

Tip

If login to a Windows administrative share is successful, approximately 2.5 MB of executable code is sent to each computer.