Distribution and patch settings

The Distribution and Patch agent settings dialog allows you to control how LANDESK Management Suite
installs packages, runs scans, and repairs files.

General settings

On the General settings page, enter a name that will be associated with the settings you specify on all of
the pages in this dialog. This name will appear in the Agent settings list in the console.

Network settings

Use this page to customize how distribution packages will impact your network traffic.

 Attempt peer download: Allow packages to download if they are already on a peer in the same
subnet. This will reduce network traffic. For example, if you have several satellite offices, you
could select one device at each office to receive the package over the network. Then, the other
devices at each office would get the package directly from the first device instead of
downloading it from the network.
 Attempt preferred server: Allow automatic redirection to the closest package shares. This will
reduce the load on the core server.
 Allow source: Download from the core server if the files aren't found on a peer or preferred
server. If the files are not in one of those locations and this option is not selected, the download
will fail.
 Use multicast: Uses targeted multicast to send files to multiple devices simultaneously. Enter a
value for the amount of time to wait on each subnet before the download begins.
 Bandwidth used from core or preferred server: Specify the percentage of bandwidth to use so
you don't overload the network. You can limit bandwidth by adjusting the maximum percentage
of network bandwidth to use for the distribution. The slider adjusts the priority of this specific
task over other network traffic. The higher the percentage slider is set, the greater the amount
of bandwidth being used by this task over any other traffic. WAN connections are usually slower,
so it is most often recommended to set this slider at a lower percentage.
 Bandwidth used peer-to-peer: Specify the percentage of bandwidth to use locally. This value is
typically higher than the bandwidth used from core or preferred server because of physical
proximity.
 Send detailed task status: Click to send information about the task to the core server. This
increases network traffic, so if you select this option to help troubleshoot a particular issue, you
may want to clear it once you resolve the issue.

Policy sync schedule

Use the Policy sync schedule page to specify when the client will check the core to see if there are
any packages available for download.
  Policy sync schedule
o Event-driven
 When user logs in: Click to run policy sync once a user has logged in.
 When IP address changes: Click to run policy sync when the IP address
changes.
 Max random delay: Specify an amount of time to delay the scan in
order to avoid downloading the package on all of the devices at the
same time, which could flood the network.
o Schedule-driven
 Use recurring schedule: Click to only download distribution packages during
a specified time frame. The default is to check once a day.
 Change settings...: Click to open the Local scheduler command dialog, where
you can create a different schedule.

Notification

Use the Notification page to specify what information to display to the user and what actions the user
can take.

 Notification options before installing/removing

o Automatically begin downloading: Begins the download of the distribution package without
notifying the user.
o Notify user before downloading: Notifies the user before a managed device initiates
download of the package. This option is particularly useful for mobile users if used with
deferral options to prevent a user from being forced to download a large application over a
slow connection.
o Automatically begin installing/removing: Begins the installation of the distribution package
without notifying the user.
o Notify user before installing/removing: Displays the installation or removal dialog before a
managed device initiates installation or removal of the package.
o Only notify user if processes must be stopped: Only displays a dialog if a process must be
stopped before the managed device initiates the installation or removal of the package.
o Kill processes that need to be stopped before starting the update: Click to shut down any
processes that must be stopped before installing the package.
o Prevent those same processes from running during the update: Click to ensure the
processes are not allowed to restart until after the package has finished installing. If
deferring until lock/logoff: Specify how long to wait before the package will install.
 Progress options
o Show progress: Select whether to never show the installation progress, to only show it
when installing or removing files, or to show it when installing or removing and when
scanning files.
 Allow user to cancel scan: If you choose to always show the progress to the
user, this option will be enabled. Click to give the user the ability to cancel
the scan.
 No response timeout options: These options are enabled if you allow the user to defer or cancel.
 o Wait for user response before repair, install or uninstall: If you allow the user to defer or
cancel, this option will be enabled. Click to force the agent to wait for a user response
before continuing. This may cause the task to timeout.
o After timeout, automatically: Click to automatically start, defer, or cancel the task after the
amount of time you specify.

User message

Use this page to create a custom message that the user will see if you select Notify user before
downloading or Notify user before installing/removing on the Notification page.

When you schedule a task, there is an option to override this message.

Distribution-only settings

Use this page to specify what to show the user and how long to defer an installation. These options are
dependent on the settings you select on the Notification page. You can also use the Distribution only
settings page to select the location for virtualized applications.

 Feedback
o Display full package interface: Click to show the user everything that the installation
displays. This option is for power users only.
o Show successful or failed status to end user: Click to only show the user the outcome of
the installation.
 Defer until next logon: Click to allow users to postpone the installation until the next time they
log on to the device.
o Defer for a specific amount of time: Specify the maximum amount of time the user can
defer the installation.
 Limit number of user deferrals: Click to enter a maximum number of times
the user can defer the installation.
 Select the location to store LANDESK virtualized applications
o Client Destination: Click to install the package in a new environment instead of installing
the package on the device.
 Enable LDAP group targeting: Click to target your distribution to the groups that you have set up
on your Microsoft domain instead of targeting devices and user names from LANDESK.
 Allow LDAP resolution via CSA: Click to target your distribution to objects in your Microsoft
Domain while going through the Cloud Service Appliance.

Offline

Use this page to specify what to do if a managed device can't contact the core server during a package
installation.

 Wait until the device can contact the managed core server: Click to stop the installation until the
device is able to contact the core server.
 Install the package(s) offline: Click to create a scheduled task that downloads the files onto the
device but doesn't install them.
Logged off user options

Use this page to specify whether to install if the user is logged off a device.

 Logged off user behavior

o Continue installation: Click to install the distribution package if the user is logged off.
o Fail installation: Click to not attempt the installation of the distribution package when the
user is logged off.
o Run at next logon: Click to not attempt the installation of the distribution package when
the user is logged off and to begin the package installation when the user logs on again.

Download options

Use the Download options page to specify whether a client should download the patch and then install
it or run the installation from the server.

 Run from source: Click to install the patch from the preferred server or the core. This option is
useful if the client machine does not have enough memory to download the patch.
 Download and execute: Click to download the patch to the client and then install it. This option
reduces the load on the server.

Patch-only settings

Use the Patch-only settings page to select reboot and alternate core options when scanning, repairing,
and downloading files.

 When no reboot is required

o Require end user input before closing: Select this option for the notification dialog to
remain visible until the user responds to it.
o Close after timeout: Select this option to close the notification dialog after a specified
countdown.
 Alternate core
o Communicate with alternate core server: Click to select a server to use if the default core
server is unavailable.
 When installing via CSA: Click an option in the drop-down list to specify how the scanner will
install via the portal Cloud Service Applicance (formerly known as Gateway). This is helpful if you
have people who are outside the network, such as employees who are on the road, who need to
communicate with the core.
o Download patches from core as usual: This will require an extra step and may cause delays
or network issues.
o Do not download patches. Fail the request: This will reschedule the download. Select this
option if bandwidth is an issue.
o Download patches from manufacturer. Fall back to core on failure: This will attempt to
download the patch directly from the manufacturer, such as Microsoft, before going
through the core server. This will use less bandwidth on your own network.
 o Download patches from manufacturer. Do not fall back on failure: This will attempt to
download the patch directly from the manufacturer, such as Microsoft. If it is unable to
download the patch, it will reschedule the download.
 CPU utilization when scanning: Set the slider to specify whether to allow low or high CPU
utilization during a scan.
 Scheduled task log: Specify which information the scanner sends to the core. For example, if you
are experiencing an issue, you may wish to send debug information to try to troubleshoot the
problem.

Do not disturb

Use this page to specify mission-critical processes so that a scan will not occur if those processes are
running. For example, to ensure that the scanner will not run during a presentation, you could apply the
filter so that a reboot could occur with PowerPoint open but not if PowerPoint was running full screen.

 Add defaults: Populates the list with the default processes.

 Add...: Opens the Specify process filter dialog box, where you can enter the name of the process
and specify whether to apply the filter any time the process is running or only when the process
is running full screen.
 Edit...: Opens the Specify process filter dialog box, where you can change the filter for a process
that is already in the list.
 Delete...: Removes a process from the list.
 Legacy Mac agent user interruption settings If you have upgraded your Mac client, all of the
settings on the Do not disturb page are supported. However, if you have not upgraded your Mac
client, you can use the following options:
o Hide scan progress dialog when a presentation is running: Click to keep the scan progress
dialog in the background so that it does not interrupt a presentation.
o Defer repairing when a presentation is running: Click to postpone any repairs until the
presentation is over.

Scan options

Use this page to specify whether the security scanner will scan by group or by type of vulnerability.

 Scan for
o Group: Select a custom, preconfigured group from the drop-down list.
 Immediately repair all detected items: Indicates that any security risk identified
by this particular group scan will be automatically remediated.
o Type: Specifies which content types you want to scan for with this scan task. You can select
only those content types for which you have a LANDESK Security Suite content
subscription. Also, the actual security definitions that are scanned for depends on the
contents of the Scan group in the Patch and Compliance window. In other words, if you
select vulnerabilities and security threats in this dialog box, only those vulnerabilities and
security threats currently residing in their respective Scan groups will be scanned for.
 Enable autofix: Indicates that the security scanner will automatically deploy and install the
necessary associated patch files for any vulnerabilities or custom definitions it detects on
 scanned devices. This option applies to security scan tasks only. In order for autofix to work, the
definition must also have autofix enabled.

Schedule

Use this page to specify the time frame during which the security scanner will run as a scheduled task.
After you select the settings, this page displays a summary of the schedule.

 Event-driven
o When user logs in: Click to scan and repair definitions once a user has logged in.
 Max random delay: Specify an amount of time to delay the scan in order to
avoid simultaneously scanning all of the devices, which could flood the network.
 Schedule-driven
o Use recurring schedule: Click to only scan and repair definitions during a specified time
frame.
o Change settings...: Opens the Local scheduler command dialog box where you can define
the parameters for the security scan. This dialog box is shared by several LANDESK
management tasks. Click the Help button for details.

Frequent scan

Use this page to enable the agent to check definitions in a specific group more frequently than usual.
This is helpful when you have a virus outbreak or other time-sensitive patch that needs to be distributed
as soon as possible. For example, you may want a client to scan every 30 minutes and at every login for
a specific group that may contain critical vulnerabilities. The frequent scan is optional.

 Enable high frequency scan and repair definitions for the following group: Enables the frequent
security scan features. Once you've checked this option, you need to select a custom group from
the drop-down list.

Immediately install (repair) all applicable items: Click to enable the agent to install a patch if it locates
one in the folder that you specify.

 Schedule
o Event-driven
 When user logs in: Click to scan and repair definitions once a user has logged in.
 Max random delay: Specify an amount of time to delay the scan in order to
avoid simultaneously scanning all of the devices, which could flood the
network.
o Schedule-driven
 Use recurring schedule: Click to only scan and repair definitions during a
specified time frame.
 Change settings...: Opens the Local scheduler command dialog box where you
can define the parameters for the security scan. This dialog box is shared by
several LANDESK management tasks. Click the Help button for details.
 Override settings: From the drop-down box, select the settings that you wish to override with
the settings that you specify in the Distribution and Patch dialog.
o Edit...: Click to open the Distribution and Patch settings dialog for that particular setting.
 o Configure: Click to open the Configure distribution and patch settings dialog. For more
information, click Help.

Pilot configuration

Use the Pilot configuration page to test security definitions on a small group before performing a wider
deployment on your entire network. For example, you may wish to install a new Microsoft patch on the
devices in only the IT group to make sure that it doesn't cause any issues before it goes out to everyone
in the organization. Using a pilot group is optional.

 Periodically scan and repair definitions in the following group: Enables the pilot security scan
features. Once you've checked this option, you need to select a custom group from the drop-
down list.

 Schedule
o Event-driven
 When user logs in: Click to scan and repair definitions once a user has logged in.
 Max random delay: Specify an amount of time to delay the scan in order
to avoid simultaneously scanning all of the devices, which could flood
the network.
 Schedule-driven
o Use recurring schedule: Click to only scan and repair definitions during a specified time
frame.
o Change settings...: Opens the Local scheduler command dialog box where you can define
the parameters for the security scan. This dialog box is shared by several LANDESK
management tasks. Click the Help button for details.

Install/remove options

Use the Install/remove options to specify what the agent should do once it determines the need for a
patch

Reboot is already pending: Click this option if you want to start a patch installation regardless of
whether the device has requested a reboot.