2.6.5 Agentless management
JP1/IT Desktop Management 2 can manage computers without an agent being installed on them (agentless computers). This means that, for example, a computer used in research or a server used for business purposes, on which management software cannot be installed for practical reasons, can still be managed by JP1/IT Desktop Management 2 in the same way as a user computer.
To use agentless management, configure computers discovered during a network search as managed computers.
- Important note
-
Configuring a computer for agentless management has security implications: depending on the method, the management server must hold credentials (an administrator account, an SNMP community name, or Active Directory access) that let it read information from, and in the case of administrative shares run programs on, the managed computer. Fully consider the effects before deciding to use agentless management.
Agentless management can be performed using Windows administrative shares, SNMP, or Active Directory. The three methods are described below:
- Agentless management using Windows administrative shares
-
Non-resident executable programs are sent periodically to agentless computers by logging in to their Windows administrative shares. The distributed programs collect device information using WMI.
Information is acquired at the following times:
- When a network search is executed
- At the update interval specified in the Agentless Management view
- When you select Update Device Details from the Action menu in the Device list in the Device module
- Tip
-
You can also collect device information by selecting Update Device Details from the pop-up menu that appears when you right-click a computer name.
- Important note
-
Agentless management is based on executable programs for acquiring device information, sent from the management server to the managed computers. The Windows security settings block this operation by default, because it requires an administrator-level login to the ADMIN$ share and the execution of a program copied there. You must therefore lower the security level setting to allow the executable programs to be distributed. Because the authentication information registered on the management server then grants administrator-level access to every computer in the discovery range it applies to, consider how this will affect your system before deciding to change the security level.
- Agentless management using SNMP
-
In this method, device information is collected periodically by SNMP; the management server authenticates to the device with the SNMP community name. The information is collected at the same times as for agentless management based on Windows administrative shares.
- Agentless management using Active Directory
-
In this method, device information is collected for devices managed by Active Directory.
Information is acquired at the following times:
- When a network search is executed
- When you select Update Device Details from the Action menu in the Device list in the Device module
- Important note
-
Agentless management using Active Directory collects information from the domain controller. If the domain controller and the managed devices are out of sync, the collected information might differ from the actual state of the managed devices.
Setup must be performed on the computers to use Windows administrative shares, SNMP, or Active Directory. For details, see 4.2.7 Prerequisites for agentless management.
In agentless management, the functionality available from the management server differs in some respects from the functionality available when using installed agents. For details about the differences, see (1) Functional differences between agent/agentless management.
- Important note
-
To perform agentless security management, use Windows administrative shares.
(1) Functional differences between agent/agentless management
There are some differences in management server capabilities depending on whether the managed computers have an agent installed or are agentless. In the case of computers with an installed agent, other differences arise depending on whether the computers are managed online or offline.
The following table describes functional differences by configuration type:
Function group | Function | Agent installed (online management) | Agent installed (offline management) | Agentless
---|---|---|---|---
Acquisition of device information#1 | | Y | Y | D
Security diagnostics | Assign security policies | Y | Y | Y
Security diagnostics | Evaluate security | Y | Y | D#2
Actions at security policy violation | Automatic security measures | Y | N | N
Actions at security policy violation | Restrict printing | Y | N | N
Actions at security policy violation | Disable data export | Y | N | N
Actions at security policy violation | Disable software startup | Y | N | N
Actions at security policy violation | Acquire operation logs | Y | N | N
Actions at security policy violation | Send warning messages | Y | N | N
Power on/off | | Y | N | N
Management of asset information | Manage hardware | Y | Y#3 | D
Management of asset information | Manage software licenses | Y | Y | D
Management of asset information | Manage software | Y | Y | Y
Management of asset information | Manage contracts | Y | Y | Y
Distribution of software and files | Distribute software | Y | Y#4 | N
Distribution of software and files | Distribute files | Y | Y#4 | N
Distribution of software and files | Uninstall software | Y | N | N
Remote control of devices | Remote control of computers | Y | N | D#5
Remote control of devices | Connection requests from computers | Y | N | N
Remote control of devices | File transfer | Y | N | N
Remote control of devices | Chat | Y | N | N
Management of device network connections | Enable network access control | Y | N | N
Management of device network connections | Control network connections | Y | N | Y
Report creation | | Y | Y | D
Legend: Y: Supported. D: Depends on the collectable device information. N: Not supported.
#1: The device information that can be collected depends on whether the computers have installed agents or are agentless. See the following for details on the information collected from each type of computer.
#2: Use the Windows Administrative Share feature to evaluate the security of agentless computers. Screensaver security cannot be determined on a per-account basis when using agentless management.
#3: USB devices cannot be registered.
#4: Only distribution using Remote Installation Manager can be performed. ITDM-compatible distribution cannot be performed.
#5: RFB protocol must be used for remote control.
(2) Prerequisites for agentless management
When using agentless management, setup must be completed on both the management server and the user computer before device information can be collected. The range of information that can be acquired depends on the authentication method. A limited range of information can leave security states unknown and data missing from reports, which is itself a risk to system operation. Select the authentication method that best fits your security needs.
Setup to collect most of the available device information is easy if you are using Active Directory to manage the computers in your organization. If you are thinking of using agentless management, first make sure that your computers are managed in Active Directory.
For differences between the types of device information that can be collected, see 2.6.2 Collecting device information.
- Important note
-
Agentless management is not supported in a NAT environment.
- Important note
-
Do not delete the discovery range or authentication information for any agentless managed device discovered in a network search. Likewise, do not delete the Active Directory setting for any agentless managed device discovered by an Active Directory search. Deleting this setting information prevents device information from being collected. If you mistakenly delete the discovery range, authentication information, or Active Directory setting, add them and then re-execute the network search or Active Directory search to discover the devices.
- Important note
-
In a DHCP environment, if a device's IP address changes to one outside the discovery range, no information will be collected about that device.
When using Windows administrative shares to perform agentless management
All the following conditions must be satisfied:
- Windows Firewall is disabled on the user's computer.#1
- Simple file sharing is disabled on the user's computer.
- File and Printer Sharing is enabled on the user's computer.
- The Windows administrative share (ADMIN$) is enabled on the user's computer.
- Access to the interprocess communication share (IPC$) is enabled on the user's computer.
- The information used for logging in to the target computer by using Windows administrative shares is set on the management server as authentication information for network searches.#2
#1: Even if Windows Firewall is enabled, the condition is still satisfied if TCP port 445 is open for inbound traffic.
#2: The authentication information for logging in to the target computer by using Windows administrative shares must satisfy either of the following conditions:
- The built-in Administrator account and password of the user's computer are used.
- The UAC function is disabled on the user's computer.
How to enable Windows administrative shares differs depending on the OS on the user's computer. The following settings are required to enable Windows administrative shares:
OS | Setting
---|---
Windows 8.1#1, Windows 8#1, Windows 7, Windows Vista, Windows XP#2, Windows Server 2012, Windows Server 2008 | Enable File sharing or File and Printer Sharing in the Network and Sharing Center window.
Windows Server 2003 | Setup unnecessary (enabled by default).
Windows 2000 | Add file shares.
Computer other than Windows | Not supported (cannot be configured).
Network device | Not supported (cannot be configured).
#1: If you are using Windows 8.1 or Windows 8 (no edition), enable the built-in Administrator account by executing the net user command at the command prompt. You cannot enable the Administrator account from the Windows Control Panel.
#2: In Windows XP Home Edition (Service Pack 2 and 3), Windows administrative shares cannot be used.
If these conditions are satisfied, you can acquire most of the available device information. The information collected hardly differs from that collected via agents installed on the managed computers.
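The conditions above can be verified on the target computer before it is added to a discovery range. The following script is an added example and is not part of JP1/IT Desktop Management 2; it assumes Windows 8.1 or Windows Server 2012 R2 or later with PowerShell 5.1, run elevated on a domain member or workgroup computer (Get-LocalUser is not available on a domain controller). Each check mirrors one listed condition, including the footnotes: the firewall condition passes if either all profiles are off or the inbound SMB rule is enabled, and the credential condition passes if either the built-in Administrator account (RID 500) is enabled or UAC is off. The "simple file sharing" check reads the LSA ForceGuest value, which is how that Windows XP option is stored.

```powershell
# Target-side preflight for JP1/IT Desktop Management 2 agentless management over
# Windows administrative shares. Added example, not product code. Assumes Windows
# 8.1 / Server 2012 R2 or later, PowerShell 5.1, elevated session.

function Test-AdminShareAgentlessPrereqs {
    [CmdletBinding()]
    param()

    $results = [ordered]@{}

    # The Server service must be running for ADMIN$ / IPC$ to be offered at all.
    $results['Server (LanmanServer) service running'] = ((Get-Service -Name LanmanServer).Status -eq 'Running')

    # Administrative shares can be suppressed with AutoShareWks / AutoShareServer = 0.
    $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $autoShareOff = ($lanman.AutoShareWks -eq 0) -or ($lanman.AutoShareServer -eq 0)
    $results['Automatic administrative shares not disabled'] = (-not $autoShareOff)

    # ADMIN$ and IPC$ must both exist.
    $shares = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
    $results['ADMIN$ share present'] = ($shares -contains 'ADMIN$')
    $results['IPC$ share present']   = ($shares -contains 'IPC$')

    # "Simple file sharing" (Windows XP) is stored as LSA ForceGuest = 1.
    # On Vista and later the value is normally absent, which counts as disabled.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $results['Simple file sharing (ForceGuest) disabled'] = ($lsa.forceguest -ne 1)

    # Firewall: either every profile is off, or inbound TCP 445 (SMB-In) is allowed.
    $fwOn  = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0
    $smbIn = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
    $results['Firewall off, or TCP 445 (SMB-In) allowed'] = ((-not $fwOn) -or ($null -ne $smbIn))

    # Credential condition: built-in Administrator (RID 500) enabled, or UAC off.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $uac = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
    $results['Built-in Administrator enabled'] = [bool]$builtinAdmin.Enabled
    $results['UAC disabled (EnableLUA = 0)']   = ($uac -eq 0)
    $results['Credential condition met (either of the two above)'] = ([bool]$builtinAdmin.Enabled -or ($uac -eq 0))

    foreach ($k in $results.Keys) {
        [pscustomobject]@{ Condition = $k; Satisfied = $results[$k] }
    }
}

Test-AdminShareAgentlessPrereqs | Format-Table -AutoSize
```

Every row should read Satisfied = True before the computer is placed in a discovery range with administrative-share credentials; a False on the credential rows explains the most common "authentication failed" outcome, since a local account other than the built-in Administrator is not accepted for an administrative-share login while UAC is on.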
When using SNMP to perform agentless management
The following conditions must be satisfied:
- SNMP can be used.
- The community name can be authenticated.
The following table describes the setup required to acquire device information using SNMP:
OS | Setting
---|---
Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server 2012, Windows Server 2008, Windows Server 2003, Windows 2000 | Enable SNMP and set a community name with which the management server can authenticate.
Computer other than Windows | Enable SNMP and set a community name with which the management server can authenticate.
Network device | Enable SNMP and set a community name with which the management server can authenticate.
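The SNMP conditions above say nothing about which hosts may use the community name. On the Windows SNMP service that is controlled by two registry keys, and the following added example (not product code) configures them: one READ ONLY community, accepted only from the management server. It assumes a Windows Server edition where the SNMP-Service feature is available, an elevated session, and placeholder values for the community name and the management server address.

```powershell
# Configure the Windows SNMP service for read-only collection from one manager.
# Added example, not JP1/IT Desktop Management 2 code. Assumes Windows Server
# with the SNMP-Service feature, elevated session; values below are placeholders.

function Set-SnmpReadOnlyCommunity {
    param(
        [Parameter(Mandatory)] [string] $Community,        # community the management server presents
        [Parameter(Mandatory)] [string] $ManagementServer  # only this host may query the agent
    )

    # Install the service if it is missing (Windows Server; on client SKUs use
    # Add-WindowsCapability -Online -Name 'SNMP.Client~~~~0.0.1.0' instead).
    if ((Get-WindowsFeature -Name SNMP-Service).InstallState -ne 'Installed') {
        Install-WindowsFeature -Name SNMP-Service | Out-Null
    }

    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

    # Weak setting this replaces: community "public" with permission 8 (READ WRITE)
    # and no PermittedManagers key, so any host on the network can read and write
    # the MIB with a guessable community string that travels in cleartext.
    # Corrected setting: a single community with permission 4 (READ ONLY).
    $valid = Join-Path $params 'ValidCommunities'
    if (Test-Path $valid) { Remove-Item $valid -Recurse -Force }
    New-Item $valid -Force | Out-Null
    New-ItemProperty -Path $valid -Name $Community -PropertyType DWord -Value 4 | Out-Null

    # PermittedManagers: numbered REG_SZ values; when the key is absent the
    # service accepts packets from every host.
    $managers = Join-Path $params 'PermittedManagers'
    if (Test-Path $managers) { Remove-Item $managers -Recurse -Force }
    New-Item $managers -Force | Out-Null
    New-ItemProperty -Path $managers -Name '1' -PropertyType String -Value $ManagementServer | Out-Null

    Restart-Service -Name SNMP

    # Return what is now configured so it can be reviewed.
    [pscustomobject]@{
        Community         = $Community
        Permission        = 'READ ONLY'
        PermittedManagers = (Get-ItemProperty $managers | Select-Object -ExpandProperty '1')
    }
}

# Placeholder values: use a long random community string, never 'public'.
Set-SnmpReadOnlyCommunity -Community 'itdm-ro-k7Qx2v9L' -ManagementServer '192.0.2.10'
```

SNMP v1 and v2c send the community name in cleartext, and even a read-only community exposes interface, route, process and installed-software inventory, so treat it as a password: generate it randomly, restrict the sending host as above, and also limit UDP 161 at the firewall to the management server.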
When using Active Directory to perform agentless management
Both the following conditions must be satisfied:
- Windows Firewall is disabled on the user's computer.#
- Using the Active Directory linkage feature, the management server can acquire device information managed by Active Directory.
#: Even if Windows Firewall is enabled, the condition is still satisfied if the port number specified in the Active Directory settings view (accessed from General view in the Settings module) is open for traffic.
When using ICMP to perform agentless management
ICMP must be available for use.
The following table describes the setup required to acquire device information using ICMP:
OS | Setting
---|---
Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server 2012, Windows Server 2008, Windows Server 2003, Windows 2000 | Allow incoming ICMP echo requests.#
Computer other than Windows | Allow incoming ICMP echo requests.#
Network device | Allow incoming ICMP echo requests.#
#: In Windows XP or later, you must configure Windows Firewall to allow ICMP traffic or disable Windows Firewall.
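Each of the prerequisite lists above offers "disable Windows Firewall" as one way to satisfy the firewall condition. The footnotes show the narrower alternative (TCP 445 for administrative shares, the ICMP echo request for ICMP), and the following added example (not product code) applies it, adding UDP 161 for SNMP, with every rule scoped to the management server's address. It assumes Windows 8.1 or Windows Server 2012 R2 or later with the NetSecurity module (New-NetFirewallRule), an elevated session, and a placeholder management server address.

```powershell
# Inbound firewall rules for agentless collection that keep Windows Firewall on.
# Added example, not JP1/IT Desktop Management 2 code. Assumes Windows 8.1 /
# Server 2012 R2 or later with the NetSecurity module, elevated session.

function Add-AgentlessInboundRules {
    param(
        [Parameter(Mandatory)] [string] $ManagementServer  # management server IP (placeholder)
    )

    # Weak setting the prerequisites permit:  Set-NetFirewallProfile -All -Enabled False
    # (every inbound connection to the host is then allowed).
    # Corrected setting: leave the profiles enabled and open only what collection
    # needs, with each rule limited to the management server's address.

    # TCP 445: administrative-share collection (ADMIN$ / IPC$).
    New-NetFirewallRule -DisplayName 'ITDM2 agentless: SMB from management server' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $ManagementServer -Action Allow -Profile Domain,Private | Out-Null

    # ICMPv4 echo request (type 8): presence checks.
    New-NetFirewallRule -DisplayName 'ITDM2 agentless: ICMP echo from management server' `
        -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
        -RemoteAddress $ManagementServer -Action Allow -Profile Domain,Private | Out-Null

    # UDP 161: SNMP collection. Omit this rule if SNMP is not used on the computer.
    New-NetFirewallRule -DisplayName 'ITDM2 agentless: SNMP from management server' `
        -Direction Inbound -Protocol UDP -LocalPort 161 `
        -RemoteAddress $ManagementServer -Action Allow -Profile Domain,Private | Out-Null

    # Return the rules with their remote-address scope for review.
    Get-NetFirewallRule -DisplayName 'ITDM2 agentless:*' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

Add-AgentlessInboundRules -ManagementServer '192.0.2.10'
```

The Public profile is deliberately left out so that a laptop on an untrusted network does not expose SMB; if the management server uses more than one address, pass them as an array to -RemoteAddress rather than widening the rule to Any.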
(3) Configuring authentication information for agentless devices
In the case of agentless devices, information is acquired using a combination of the discovery range and the authentication information set for network searches. The acquisition process uses the authentication information set for the discovery range that contains the device's IP address.
The authentication information used for agentless devices can also be set after a discovery has completed.
To set authentication information for an agentless device:
- Open the Device module.
- Select a group under Device Information in the menu area.
- Select an agentless device in the information area.
- From the Action menu, select Set Credentials.
- Set the authentication information in the displayed dialog box.
- Click the OK button.
The authentication information to be used for the selected agentless device is now set.
- Tip
-
You can also set authentication information in the IP Address Range view, accessed from Configurations in the Settings module.
(4) Acquiring information from agentless devices
The following methods are available for acquiring device information from agentless devices.
- Administrative shares
-
Device information is acquired by authenticating to Windows administrative shares. Almost the same level of information is collected as when using installed agents.
- SNMP
-
Device information is acquired using SNMP authentication. Only a portion of the device information can be collected.
- Active Directory
-
Device information is acquired with reference to the device information managed by Active Directory. Only the part of the device information that Active Directory holds can be collected.
- ARP
-
Device information is acquired from ARP. Only a portion of the available device information can be collected.
- ICMP
-
Device presence is verified using ICMP (PING). Only IP address information can be collected.
Information is acquired from managed agentless devices using administrative shares or SNMP. ARP and ICMP are used only for devices on which administrative-share or SNMP authentication has failed; they are never used for devices on which administrative-share or SNMP authentication has succeeded.
Whether acquisition is based on administrative shares or SNMP depends on the discovery range and authentication information set in the discovery settings. Information is collected from an agentless device using the authentication information set for the discovery range in which the device's IP address falls. No information is collected if the IP address is outside the discovery range, if no authentication information has been set, or if authentication fails.
For agentless devices, the available collection methods differ according to the device type, as shown in the table below:
Collection method | Windows computer | OS other than Windows | Network device
---|---|---|---
Administrative shares | Y | N | N
SNMP | Y | Y | Y
Active Directory | Y | N | N
ARP | Y | Y | Y
ICMP | Y | Y | Y
Legend: Y: Can be used. N: Cannot be used.
Timing of device information acquisition
Device information is collected from agentless devices at the following times:
- When a network search is executed
- When you select Update Device Details from the Action menu in the Device list in the Device module
To change the collection interval, set the update interval in the Agentless Management view under Agent in the Settings module. The default update interval is one hour.
By selecting Update Device Details in the Device module, you can collect device information at any time you wish.
Device information is not acquired during intensive discovery.
- Important note
-
If Active Directory is used, the device information is collected when a search for a device registered in Active Directory is performed.
(5) Mechanism for acquiring device information from agentless devices
To acquire device information from an agentless computer by authenticating to administrative shares, executable programs are sent to the computer.
Three executable programs are sent:
- jpngmain.exe
- jpnmspushlauncher.exe
- jpnmspushservice.exe
These three executable programs write the collected device information to files on the computer's administrative share. The files are then relayed to the management server, which updates the device information for the agentless computer.
The executable programs are distributed only on the first run and when they are upgraded. They are not deleted automatically. If the management server is upgraded, or if any of the executable program files are deleted, the executable programs are resent.
- Important note
-
Never delete these executable programs. Deleting them might stop the agentless management functionality from working properly. Anti-virus products installed on a computer can result in an executable program being mistakenly detected as a virus and failing to execute correctly. In such cases, install a management agent
- Tip
-
If login to a Windows administrative share is successful, approximately 2.5 MB of executable code is sent to each computer.
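Because the three executables persist on the managed computer and anti-virus products may quarantine them, a practitioner usually wants their locations, hashes and signature status recorded, both to build an allow-list and to notice when one has gone missing. The following added example (not product code) collects that. It assumes the files are placed under the ADMIN$ share, which maps to %SystemRoot%; the page does not state a subdirectory, so the search covers the whole tree, and it assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Inventory of the executables pushed to agentless computers, for AV allow-listing
# and integrity review. Added example, not JP1/IT Desktop Management 2 code.
# Assumes the files live somewhere under %SystemRoot% (the ADMIN$ share).

function Get-AgentlessPushBinaries {
    $names = 'jpngmain.exe', 'jpnmspushlauncher.exe', 'jpnmspushservice.exe'

    $found = Get-ChildItem -Path $env:SystemRoot -Recurse -Include $names -File -ErrorAction SilentlyContinue

    foreach ($name in $names) {
        $file = $found | Where-Object { $_.Name -ieq $name } | Select-Object -First 1
        if ($null -eq $file) {
            # Missing binary: the manual says it is resent at the next collection,
            # but repeated absence usually means anti-virus quarantine.
            [pscustomobject]@{ Name = $name; Path = $null; SHA256 = $null; Signature = 'NotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        [pscustomobject]@{
            Name      = $name
            Path      = $file.FullName
            SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Signature = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

Get-AgentlessPushBinaries | Format-Table -AutoSize
```

Record the SHA256 values after a known-good distribution and compare on later runs: a changed hash with an unchanged management server version, or a Signature other than the value seen at first distribution, is worth investigating before re-enabling the files in the anti-virus product.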