LANDesk Management Suite 8.1 - LANDeskÂ® Software Downloads ...

LANDesk® Management Suite 8

This document contains information, which is the proprietary property of LANDesk 

Software, Ltd. and its affiliates. This document is received in confidence and its 

contents cannot be disclosed or copied without the prior written consent of LANDesk 

Software Ltd., and its affiliated companies ("LANDesk"). 

Nothing in this document constitutes a guaranty, warranty, or license, express or 

implied. LANDesk disclaims all liability for all such guaranties, warranties, and 

licenses, including but not limited to: Fitness for a particular purpose; 

merchantability; non infringement of intellectual property or other rights of any third 

party or of LANDesk; indemnity; and all others. LANDesk products are not intended 

for use in medical, life saving, or life sustaining applications. The reader is advised 

that third parties can have intellectual property rights that can be relevant to this 

document and the technologies discussed herein, and is advised to seek the advice 

of competent legal counsel, without obligation of LANDesk. 

LANDesk retains the right to make changes to this document or related product 

specifications and descriptions at any time, without notice. LANDesk makes no 

warranty for the use of this document and assume no responsibility for any errors 

that can appear in the document nor does it make a commitment to update the 

information contained herein. 

Copyright © 2004, LANDesk Software Ltd., or its affiliated companies. All rights 

reserved. 

LANDesk is either a registered trademark or trademark of LANDesk Software, Ltd. or 

its controlled subsidiaries in the United States and/or other countries. 

*Other brands and names are the property of their respective owners.

Contents 

Introduction to LANDesk® Management Suite 8 ................................................. 9 

What's new in LANDesk Management Suite 8.................................................10 

What you can do with Management Suite 8 ...................................................12 

Where to go for more information ................................................................13 

Chapter 1: Using the LANDesk Management Suite console ..................................15 

Management Suite console overview ............................................................16 

Starting the Management Suite console ........................................................29 

Using role-based administration...................................................................31 

Configuring agent discovery ........................................................................41 

Viewing device properties ...........................................................................43 

Monitoring clients for network connectivity ....................................................45 

Activating the core server ...........................................................................46 

Configuring Management Suite services ........................................................50 

Chapter 2: Configuring clients.........................................................................59 

Client agent security and trusted certificates..................................................60 

Creating a client setup configuration.............................................................64 

Scheduling tasks .......................................................................................66 

Configuring local scheduler scripts................................................................70 

Using Unmanaged Device Discovery .............................................................72 

Using LANDesk Server Manager and LANDesk System Manager with LANDesk 

Management Suite .....................................................................................78 

Running the Client Setup wizard ..................................................................80 

Chapter 3: Using queries..............................................................................103 

Queries overview .....................................................................................104 

Using Directory Manager to query directories via LDAP..................................108 

More about the Lightweight Directory Access Protocol (LDAP).........................112 

Chapter 4: Managing inventory and reports ....................................................115 

Inventory scanning overview .....................................................................116 

Viewing inventory data .............................................................................118 

Tracking inventory changes.......................................................................123 

Using custom data forms ..........................................................................125 

Reports overview.....................................................................................130 

Report groups and predefined reports lists ..................................................131 

Creating custom asset reports ...................................................................137 

iii

TABLE OF CONTENTS 

Chapter 5: Administering remotely ................................................................141 

Remote controlling clients .........................................................................142 

Configuring session options .......................................................................148 

Changing client remote control security ......................................................151 

Configuring Mac OS X remote control options...............................................152 

Using remote control logging .....................................................................153 

Troubleshooting remote control sessions .....................................................154 

Chapter 6: Distributing software and files .......................................................157 

Enhanced Software Distribution .................................................................158 

Setting up a package-building computer .....................................................162 

Package-building overview ........................................................................163 

Running the Package Builder wizard ...........................................................166 

Setting up the delivery server....................................................................168 

Configuring clients to receive packages .......................................................171 

Distributing a package..............................................................................172 

Working with Mac OS X distribution scripts and packages ..............................174 

Distributing files with a file transfer script....................................................176 

Uninstalling software distribution packages..................................................177 

Chapter 7: Using the Web console .................................................................181 

About the Web console .............................................................................181 

Getting started ........................................................................................182 

Selecting a core.......................................................................................184 

Finding a client........................................................................................184 

Adding clients to the target cart.................................................................185 

Using remote control................................................................................186 

Waking up a client ...................................................................................187 

Installing and configuring clients ................................................................188 

Installing client agents .............................................................................189 

Managing inventory data ..........................................................................191 

Viewing reports .......................................................................................196 

Using custom forms .................................................................................197 

Deleting computers from the database........................................................199 

Monitoring software licenses......................................................................200 

Software license monitoring views..............................................................202 

Creating product and vendor aliases ...........................................................203 

Viewing license compliance and product usage/denial trends..........................210 

iv


Denying product execution........................................................................211 

Distributing software and files ...................................................................212 

Scheduling and deploying software packages ...............................................214 

Customizing the Web console ....................................................................219 

Setting up feature-level security for rollup databases ....................................222 

Working with multiple cores ......................................................................223 

Setting preferences..................................................................................225 

Troubleshooting tips.................................................................................226 

Chapter 8: Monitoring software license compliance ..........................................229 

Monitoring software license compliance.......................................................230 

Creating product and vendor aliases ...........................................................231 

Monitoring products for compliance ............................................................233 

Editing software inventory.........................................................................245 

Exporting and importing Software License Monitoring window data .................249 

Using Software License Monitoring with Macintosh clients ..............................252 

Chapter 9: Deploying OS images and migrating profiles....................................253 

OS deployment overview ..........................................................................254 

OS image guidelines.................................................................................256 

Customizing images with Setup Manager and Sysprep ..................................258 

Agent-based deployment ..........................................................................260 

Creating imaging scripts with the OS Deployment/Migration Tasks wizard ........261 

Modifying scripts......................................................................................263 

Multicasting OS images.............................................................................264 

Viewing image status reports.....................................................................265 

PXE-based deployment .............................................................................266 

Using PXE representatives.........................................................................267 

Booting clients with PXE............................................................................269 

Understanding the PXE boot options ...........................................................270 

Profile migration overview.........................................................................275 

Profile content.........................................................................................277 

Creating migration scripts with the OS Deployment/Migration Tasks wizard......282 

Creating user-initiated profile migration packages ........................................284 

Running user-initiated profile migration packages.........................................285 

v


Chapter 10: Healing broken applications.........................................................287 

Configuring Application Healing..................................................................288 

Configure step 1: Setting up ESWD packages for healing...............................290 

Configure step 2: Making applications healable ............................................291 

Configure step 3: Distributing ARL files to clients..........................................294 

Viewing Application Healing events.............................................................296 

Viewing Application Healing reports ............................................................298 

Application Healing registry keys................................................................299 

Chapter 11: Managing application policies ......................................................303 

About Application Policy Management .........................................................304 

Configuring policies..................................................................................306 

Understanding policy types .......................................................................310 

Configuring policies for Macintosh clients.....................................................311 

Reporting on policy status.........................................................................313 

Chapter 12: Configuring alerts to notify you....................................................315 

How alerting works in Management Suite ....................................................316 

Configuring AMS alert actions ....................................................................317 

Working with configured alert actions .........................................................325 

Viewing the AMS Alert History ...................................................................327 

Chapter 13: Using the Patch Manager add-on..................................................331 

Patch Manager overview ...........................................................................332 

About the Patch Manager window...............................................................334 

Configuring clients to work with Patch Manager............................................340 

Updating vulnerability and detection rule information ....................................343 

Creating user-defined vulnerabilities and detection rules ...............................347 

Viewing vulnerability and detection rule information .....................................351 

Scanning clients for vulnerabilities..............................................................359 

Viewing detected vulnerabilities .................................................................361 

Downloading patches ...............................................................................363 

Remediating vulnerabilities .......................................................................364 

Using Patch Manager reports .....................................................................371 

Chapter 14: Using the Asset Manager add-on..................................................373 

Asset Manager overview ...........................................................................375 

Accessing Asset Manager in the Web console ...............................................378 

Managing assets......................................................................................379 

Working with computer assets ...................................................................381 

vi


Working with software assets ....................................................................383 

Managing contracts..................................................................................385 

Managing invoices....................................................................................386 

Managing projects ...................................................................................387 

Managing global lists ................................................................................388 

Creating new types ..................................................................................390 

Using a details summary...........................................................................392 

Adding details .........................................................................................394 

Adding table data fields ............................................................................398 

Managing detail templates ........................................................................399 

Adding detail templates ............................................................................400 

Using an item list.....................................................................................401 

Adding items to the database ....................................................................402 

Associating items.....................................................................................404 

Importing items.......................................................................................405 

Exporting items .......................................................................................407 

Using Asset Manager reports .....................................................................408 

Chapter 15: Using LANDesk Inventory Manager...............................................413 

Using Custom Data Forms with Inventory Manager .......................................414 

Appendix A: Additional inventory operations and troubleshooting.......................415 

Scanning custom information ....................................................................416 

Specifying the software scanning interval and history....................................417 

Appendix B: Additional OS deployment and profile migration information ............429 

Additional OS deployment procedures.........................................................430 

Using the LANDesk imaging tool for DOS.....................................................437 

Using the LANDesk imaging tool for Windows...............................................440 

Appendix C: Additional software distribution information...................................461 

Scripting guide for .CFG files .....................................................................462 

Troubleshooting .CFG files and their packages .............................................469 

Scripting guide for deployment scripts (.INI files) .........................................471 

Understanding Enhanced Software Distribution error codes............................473 

Files used in Enhanced Software Distribution ...............................................476 

About the Deploy Package wizard...............................................................478 

vii

Introduction to 

LANDesk® Management Suite 8 

LANDesk® Management Suite 8 consists of tools you can use to help manage your 

Windows NT*, Windows* 2000/2003, NetWare*, Macintosh*, Linux*, and UNIX* 

networks. Use these tools to distribute software packages, monitor software usage, 

deploy OS images and migrate profiles, remote control clients, and complete many 

other management tasks. 

In this chapter, you'll learn more about Management Suite 8, including: 

• What's new in this release 

• What you can do with Management Suite 8 

• Where to go for more information 

9

USER'S GUIDE 

What's new in LANDesk Management Suite 8 

• Improved database: New single database schema with improved data 

integrity and scalability. 

• Role-based administration: Add Management Suite users and configure 

their access to Management Suite tools and network devices based on their 

administrative role in your network. With role-based administration, you 

assign scope to determine the devices a user can view and manage, and 

rights to determine the tasks they can perform. See "Role-based 

administration" in chapter 1. 

• Enhanced Software Distribution improvements: Enhancements include 

byte-level checkpoint restart for interrupted downloads, peer download, 

dynamic bandwidth throttling that limits distribution bandwidth when clients 

need network bandwidth, and multi-file MSI multicast package support. See 

"Using Targeted Multicast with Enhanced Software Distribution" and "About 

byte-level checkpoint restart and dynamic bandwidth throttling" in chapter 6. 

• New Unmanaged Device Discovery feature: Discover unknown and 

unmanaged devices on your network through a directory service, domain 

discovery, or layer 3 ping sweep. Alerts notify you of newly discovered 

devices. Schedule device discovery so you can constantly be aware of new 

devices. See "Using Unmanaged Device Discovery" in chapter 2. 

• Enhanced client security: Certificate-based model allows clients to only 

communicate with authorized core servers and consoles. See "Client agent 

security and trusted certificates" in chapter 2. 

• New on-demand remote control: Optional and highly secure on-demand 

remote control model only loads the remote control agent on clients for the 

duration of an authorized remote control. See "Deploying remote control" in 

chapter 2. 

• New reports: Over 50 new predefined Management Suite service reports for 

planning and strategic analysis. See "Managing inventory and reports" in 

chapter 4. 

• New console interface: New console with dockable windows, network view, 

custom layouts, and more. See chapter 1, "Using the LANDesk Management 

Suite console" in chapter 1. 

• Additional Macintosh computer feature support: Targeted Multicast, 

Application Policy Management, and Software License Monitoring for Mac OS* 

X clients. See "Working with Mac OS X distribution scripts and packages" in 

chapter 6, "Configuring policies for Macintosh clients" in chapter 11, and 

"Using Software License Monitoring with Macintosh clients" in chapter 8. 

LANDesk Management Suite 8.1 adds these enhancements: 

• Enhanced inventory: Launch an immediate inventory scan on a client by 

right-clicking the client and clicking Inventory. Also, the inventory scanner 

now collects the operating system language on clients. 

• Improved software distribution: Software distribution now works better 

through firewalls, and you can now disable task completion on software 

distribution jobs, so if the job fails it isn't automatically retried. 

• Improved Web console: Generate basic client configuration packages and 

use software license monitoring from the Web. See "Installing client agents" 

and "Monitoring software license compliance" in chapter 7. 

10

INTRODUCTION TO LANDESK® MANAGEMENT SUITE 8 

• Enhanced application policy management reliability: Whenever a client 

checks with the core server for tasks or policies, the core server updates that 

client's IP address in the core database, avoiding problems with outdated IP 

addresses that may be part of an old inventory scan. 

• Improved scheduled task support: Provide multiple logins for the 

scheduler service to authenticate with when running tasks on clients that 

don't have Management Suite agents. This is especially useful for managing 

clients in multiple Windows domains. See "Configuring the scheduler service" 

in chapter 1. 

• New custom local scheduler tasks: Use the Management Suite local 

scheduler on clients to remotely schedule a recurring task. See "Configuring 

local scheduler scripts" in chapter 2. 

• Enhanced remote control: Store detailed remote control logs in the 

database. Log information includes who initiated the remote control session 

and the remote control tasks (file transfers, chat, and so on) they did on the 

client. Also, remote control sessions now pass 3rd mouse button/wheel 

movement to clients. See "Using remote control logging" in chapter 5. 

• Enhanced unmanaged device discovery: Generate reports on the 

unmanaged devices on your network. For more flexibility, you can now use an 

Unmanaged Device Discovery task to rediscover managed clients. This is 

useful if you've reset your database. See "Restoring client records" in chapter 

2. 

• New LANDesk Asset Manager 8 Add-on: Flexibly manage physical assets 

and perform inventory audits. Track business contracts, invoices, and 

purchase orders. Reconcile the existence and location of IT assets with 

financial records. See chapter 14, "Using the Asset Manager add-on." 

• Improved Patch Manager 8 Add-on: Create user-defined vulnerabilities so 

you can detect problems before a patch is available. Now you can scan for 

vulnerabilities on Mac OS X clients. See chapter 13, "Using the Patch Manager 

add-on." 

11

USER'S GUIDE 

What you can do with Management Suite 8 

With Management Suite 8, you can: 

• Use the LANDesk Management Suite console to configure and manage your 

network. See chapter 1, "Using the LANDesk Management Suite console." 

• Configure clients for Management Suite, schedule tasks, and discover 

unmanaged clients. See chapter 2, "Configuring clients." 

• Create and manage queries on inventory data and LDAP directories. See 

chapter 3, "Using queries." 

• Manage inventories, track inventory changes, create forms to gather custom 

data from clients, and view detailed reports, See chapter 4, "Managing 

inventory and reports." 

• Diagnose and troubleshoot problems on remote clients from the console. You 

can remote control, reboot, execute files, and transfer files to clients. See 

chapter 5, "Administering remotely." 

• Quickly distribute software to all of your network users. See chapter 6, 

"Distributing software and files." 

• Use a Web-based console to access key Management Suite features from 

anywhere you have a browser. See chapter 7, "Using the Web console." 

• Monitor software licenses and compliance, and track software usage and 

denial trends. Also edit the core database's software list, LDAPPL3.INI, that 

the inventory scanner uses to identify client applications. See chapter 8, 

"Monitoring software license compliance." 

• Deploy OS images and migrate user profiles. See chapter 9, "Deploying OS 

images and migrating profiles." 

• Monitor applications for problems and heal applications when there are 

problems. See chapter 10, "Healing broken applications." 

• Create application policies based on core database queries. Clients targeted 

by policies automatically receive application sets. See chapter 11, "Managing 

application policies." 

• Set up alert actions to notify you when critical thresholds are exceeded (for 

example, receive a pager message if disk usage exceeds 90 percent). See 

chapter 12, "Configuring alerts to notify you." 

12

INTRODUCTION TO LANDESK® MANAGEMENT SUITE 8 

Where to go for more information 

Refer to the LANDesk Management Suite Installation and Deployment Guide for: 

• Finding out system requirements 

• Installing Management Suite 

• Upgrading from previous versions of Management Suite 

• Setting up service centers 

Refer to the LANDesk Management Suite User's Guide for: 

• Using the console 

• Configure services 

• Setting up clients 

• Distributing software and files to clients 

• Remote controlling clients 

• Getting hardware and software inventory information 

• Deploying OS images and migrating client profiles 

• Managing patches 

• Monitoring software compliance 

• Managing and healing applications 

• Using the Web console 

• Monitoring network servers 

• Troubleshooting 

13

Chapter 1: Using the 

LANDesk Management Suite console 

LANDesk Management Suite includes a full range of tools that let you view, 

configure, manage, and protect the devices on your network. All of this can be done 

through the Management Suite console. 

Read this chapter to learn about: 

Using the Management Suite console 

• Management Suite console overview 

• Understanding the network view 

• Starting the Management Suite console 

• Changing the core server connection 

• Using role-based administration 

• Configuring agent discovery 

• Viewing client properties 

• Monitoring devices for network connectivity 

• Activating the core server 

Configuring Management Suite services 

• Selecting a core server and database 

• Configuring the Inventory service 

• Configuring the Scheduler service 

• Configuring the Custom Jobs service 

• Configuring the Multicast service 

• Configuring the OS Deployment service 

15

USER'S GUIDE 

Management Suite console overview 

The convenience of the Management Suite console is that you can perform all of its 

functions from one location, freeing you from the need to go to each managed client 

to perform routine maintenance or troubleshooting problems. From a single console, 

you can distribute and update software or configuration settings, diagnose hardware 

and software issues, deploy OS images and migrate user profiles, use role-based 

administration to control Management Suite users' access to features and devices, 

use remote control features to train end users or resolve problems. 

You can have multiple core servers and databases to accommodate your specific 

network management needs. For information on installing a LANDesk Management 

Suite core server and console, additional consoles, Web console, and managing 

multiple core servers and databases, refer to the Installation and Deployment Guide 

(this guide is available as a printable PDF document). 

Continue reading in this chapter to learn how to navigate and use the new LANDesk 

Management Suite 8 console to view and organize devices and access the various 

management tools. (Management Suite tools, such as software distribution and 

remote control, are described in subsequent chapters in this guide.) 

• Understanding the network view 

• Creating groups 

• Device icons 

• Viewing managed devices in the All Devices group 

• Shortcut menus 

• Configuring network view columns 

• Toolbar options 

• Using Management Suite tools 

• Dockable windows 

• Auto hide 

• Saving window layouts 

• Find bar 

• Status bar 

Understanding the network view 

The network view is the main window of the Management Suite console and is the 

starting point for most functions. This is where you view client's inventory data, 

create queries to search for and group devices, select clients to remote control, and 

so on. 

The network view window is always open and contains two panes. The left-hand 

pane shows a hierarchical tree view of the core server/database you're currently 

connected to and its Devices, Queries, and Configuration groups. You can expand or 

collapse the tree objects as needed. The right-hand pane in the network view 

displays a detailed list of the selected group's devices, queries, or configuration 

items, depending upon which type of group you've selected. 

You can resize the network view window and its panes and columns, but you can't 

close it. The network view window is not dockable like the tools windows. 

16

CHAPTER 1: USING THE LANDESK MANAGEMENT SUITE CONSOLE 

Role-based administration 

As a Management Suite user, the devices you can view and manage in the network 

view, and the management tools you can use, are determined by the access rights 

and device scope assigned to you by the Management Suite Administrator. For more 

information, see "Role-based administration" later in this chapter. 

The network tree view contains the following groups and sub-groups: 

Core 

The Core object identifies the core server you're currently connected to. The core 

object is located directly under the Network View root and can be collapsed and 

expanded. (The syntax for the core object name is: Server Name\Database 

Instance.) 

Devices 

The Devices group contains the following device subgroups. 

• My Devices: Lists devices for the currently logged-in user, based on the 

user's scope. A user can create device subgroups only under My Devices. 

Users can add devices to their My Devices group, or any of its subgroups, by 

copying them from the Public Devices and All Devices groups. Users can also 

click and drag devices from Public Devices and All Devices into their My 

Devices group. 

Dragging and dropping items in the network view 

When you click an item in order to drag it to another group in the network 

view, the cursor indicates where you can and can't drop the item. As you move 

the cursor over a group object, a plus-sign (+) indicates that you can add the 

item to that group; and a cross-out sign indicates that you can't add the item 

to that group. 

• Public Devices: Lists devices a Management Suite administrator has added 

from the All Devices group. An administrator (a user with the LANDesk 

Administrator right) sees all of the devices in this group, while other 

Management Suite users see only the devices allowed by their scope. Also, 

only an administrator can create a subgroup under Public Devices. 

• All Devices: Lists all devices that can be seen by the currently logged-in 

user, based on the user's scope, in a flat list (no subgroups). For an 

administrator, All Devices lists all managed devices that have been scanned 

into the core database. Devices running Management Suite agents (CBA and 

Inventory) automatically appear in the All Devices group/folder when they are 

scanned into the core database by the inventory scanner. 

For other Management Suite users, All Devices is a composite of their user's 

My Devices and Public Devices groups. 

Administrators and users can run asset reports on the devices in this group. 

17

USER'S GUIDE 

• User Devices: Lists all of the devices in the core database, organized into 

user subgroups. User subgroups are named with user login IDs (i.e., 

computername\user account, or domain\user account). Each user group 

contains the devices that appear in that user's My Devices group. 

Note that ONLY administrators can see the User Devices group and its 

subgroups. Other users do not see the User Devices group at all. 

Queries 

The Queries group contains the following query subgroups. 

• My Queries: Lists queries either created by the currently logged-in user, or 

added to the user's User Queries group by an administrator. A user can 

create, modify and delete query groups and queries under their My Queries 

group. They can also copy queries to this group from the Public Queries 

group. 

Any query a user runs is limited to the range of devices defined by the user's 

scope. For example, if a user's scope is All Machines, the query will search all 

devices in the core database, but if the user's scope is restricted to 20 

machines, only those 20 machines will be searched by the query. 

For more information on creating queries, see "Creating database queries" in 

chapter 3. 

• Public Queries: Lists queries that an administrator, or a user with the Public 

Query Management (PQM) right, has added. Only users with the LANDesk 

Administrator right or the PQM right can add, modify, or delete query groups 

or queries in the Public Queries group. However, all users can see the queries 

in this group, and can copy them to their own My Queries group. 

• All Queries: Lists all queries that can be seen by the currently logged-in 

user, based on the user's scope, in a flat list (no sub-groups). All Queries is a 

composite of the user's My Queries and Public Queries groups. 

• User Queries: Lists all queries in the core database, organized into 

subgroups by user. User subgroups are named with their login IDs (i.e., 

computername\user account, or domain\user account). Each user group 

contains the queries that appear in that user's My Queries group. 

Note that ONLY administrators can see the User Queries group and its 

subgroups. Other users do not see the User Queries group at all. 

Administrators can use this group to run a user's queries against that user's 

scope, as if they were that user. In this way, an administrator can preview 

exactly the results a user will see when they run a query. 

18


Configuration 

The Configuration group contains the following configuration devices. 

• PXE Holding Queue: Lists PXE holding queues and the clients that are 

waiting in the PXE holding queue. For more information, see "Using the PXE 

holding queue" in chapter 9. 

• Multicast Domain Representatives: Lists configured multicast domain 

representatives that can be used for software distribution load balancing. For 

more information, see "Using Targeted Multicasting" in chapter 6. 

• PXE Representatives: Lists clients configured as PXE representatives that 

can deploy OS images to clients in their subnet. For more information, see 

"Using PXE representatives" in chapter 9. 

• Pending Unmanaged Client Deployments: Lists clients that have been 

discovered by the Unmanaged Device Discovery tool, and are waiting for a 

client configuration job. For more information, see "Using Unmanaged Device 

Discovery" in chapter 2. 

Creating groups 

Groups help you organize devices and queries in the console's network view. You can 

create groups to organize network devices based on function, geographic location, 

department, device attribute or any other category that meets your needs. For 

example, you could create a marketing group for all clients in the marketing 

department or a group that includes all clients running a specific OS. 

Rules for creating groups 

• My Devices and My Queries: Administrators (users with LANDesk 

Administrator rights) and all other Management Suite users can create groups 

under My Devices and My Queries. 

• Public Devices: Only administrators can create groups under Public Devices. 

• Public Queries: Only administrators or users with the Public Query 

Management (PQM) right can create groups under Public Queries. 

• All Devices and All Queries: There are no subgroups in All Devices or All 

Queries. Users, including administrators, cannot create groups under All 

Devices or All Queries. 

• User Devices: Only administrators can create groups under the user-specific 

subgroups in User Devices. 

• User Queries: Only administrators, and users with the Public Query 

Management (PQM) right, can create groups under the user-specific 

subgroups in User Queries. 

To create a group 

1. In the console's network view, right-click the parent group (such as My 

Devices), and then click New Group. Or, select the parent group, and then 

click Edit | My Devices | New Group. 

2. Type in a name for the new group, and then press the Enter key. 

19

USER'S GUIDE 

You can right-click groups to perform various tasks, based on the type of group. For 

example, if you created a device subgroup, its shortcut menu lets you: 

• Add devices 

• Create a new sub-group 

• Run an asset report 

• Cut 

• Copy 

• Paste 

• Rename 

• Remove 

For more information on right-click features, see "Shortcut menus" below. 

Device icons 

Device icons display in the console's network view and show the current agent and 

health status of a device. 

You can update the agent and health status for devices one at a time as you select 

them in the network view, or for all of the visible devices in the network view at the 

same time. You can also update a device's status by selecting it and clicking the 

Refresh toolbar button. For information on configuring how agent discovery is 

handled, see "Configuring agent discovery" later in this chapter. 

The following table lists the possible device and status icons and what they mean: 

Icon 

Type and description 

Server: Represents a server device. 

Windows client: Represents a Windows client. 

Macintosh client: Represents a Macintosh client. 

Handheld client: Represents a handheld client. 

The status icons below can display next to the device icons noted above, 

depending on the device's current configuration and status. 

Not available: Indicates that the device is not currently available to 

the console. 

Unknown: Indicates that the status of the device is not currently 

known. This icon appears briefly while the device status is being 

updated. 

CBA: Indicates that the Common Base Agent (CBA) is loaded on the 

client. 

Remote control: Indicates the Remote Control agent is loaded on 

the client. 

20


Warning: Indicates a health warning for the client. A health status 

icon appears only if the LANDesk System Manager agent is loaded 

on the client. 

Critical: Indicates a critical health status for the client. A health status 

icon appears only if the LANDesk System Manager agent is loaded 


Icon display quality 

These are high-color icons and require at least a 16-bit color-depth setting. If the 

icons in your console appear out of focus, change your color settings in Display 

Properties. 

If your firewall blocks UDP packets 

If you manage clients through a firewall that blocks UDP packets, you won't be able 

to use these client shortcut menu features: Wake Up, Shut Down, Reboot, and 

Inventory Scan. 

Viewing managed devices in the All Devices group 

Devices running Management Suite agents (CBA and Inventory) automatically 

appear in the All Devices group when they are scanned into the core database by the 

inventory scanner. Typically, this scan takes place for the first time during initial 

client configuration. Once a client is scanned into the core database it is considered 

to be a managed client. In other words, it can now be managed by that core server. 

For more information on setting up clients, see chapter 2, "Configuring clients." 

Because the All Devices group is populated automatically, via an inventory scan, you 

may never need to manually discover clients. However, to discover clients not 

already in the core database, you can scan the network for clients with the 

Unmanaged Device Discovery tool. For more information, see "Using Unmanaged 

Device Discovery" in chapter 2. 

When connected to a particular core server, the Management Suite administrator can 

see every client managed by that core server. Management Suite users, on the other 

hand, are restricted and can only see the clients that reside within their assigned 

scope (a scope is based on either a database query or a directory location). For more 

information, see "Using role-based administration" later in this chapter. 

Shortcut menus 

Shortcut (context) menus have been significantly expanded in LANDesk Management 

Suite 8 for all items in the console, including groups, devices, queries, scheduled 

tasks, scripts, reports, and so on. Shortcut menus provide quick access to an item's 

common tasks and critical information. 

To view an item's shortcut menu, select and right-click the item. 

21

USER'S GUIDE 

For example, when you right-click a managed client in the network view, its shortcut 

menu will typically display the following options: 

• Inventory: Displays all of the client's inventory data scanned in the core 

database. 

• Inventory History: Displays inventory data changes for the attributes 

you've selected for tracking. You can print the inventory history or export it to 

a .CSV file. 

• Remote Control: Opens a remote control session with the client. 

• Chat: Opens a remote chat session with the client. 

• File Transfer: Opens the File Transfer dialog where you can transfer files to 

and from the client. 

• Remote Execute: Lets you browse to and execute a batch file or application 


• Wake Up: Remotely wakes up a client whose BIOS supports Wake on LAN* 

technology. 

• Shut Down: Remotely shuts down the client. 

• Reboot: Remotely reboots the client. 

• Inventory Scan: Runs an inventory scan on the client. 

• Add to new group: Adds a copy of the client to a new user-defined group 

under the My Devices group. You're prompted to enter a name for the new 

group. 

• Add to existing group: Lets you select the group where you want to add a 

copy of the client. 

• Scheduled Tasks and Policies: Displays the client's current scheduled tasks 

and application management policies. 

• Group Membership: Displays all of the groups where the client is currently a 

member. 

• Run Asset Report: Opens the Reports dialog where you can select from a 

list of asset reports to run on the client. Double-click the report name to run 

it. 

• Service Center: Opens the Service Center wizard, which you can use to 

install and configure a service center to help in load balancing. 

• Cut: Removes items from a user-defined group. You can't cut items from the 

"All" groups. 

• Copy: Creates a copy of the item that you can add to a another group. 

• Paste: Places the item you've cut or copied into a user-defined group. 

• Remove: Removes the item from a user-defined group. 

• Delete: Deletes the item from the "All" group AND from any other group it's 

a member of at the time. 

• Properties: Displays the client's inventory summary, device information, 

agent status, and remote control settings. 

This guide does not cover every console item's shortcut menu, but we recommend 

that you right-click any item to see the options that are available. 

22


Configuring network view columns 

With column configurations, you can customize inventory data that displays in the 

network view. You can also use the query dialog's Select Columns button to 

determine how query results display in the network view. Additionally, column 

configurations can be used to determine the content of inventory asset reports. 

To apply a column configuration to the network view 

1. Click Configure | Columns. 

2. Select a column configuration from the list. 

3. Click Close and Apply too apply the selected column configuration to the 

right-hand pane of the network view. 

About the Manage Column Configurations dialog 

Use this dialog to select a column configuration specifying the device inventory data 

that appears in the network view. 

• Column configurations: Lists all of the available column configurations by 

name. 

• New: Opens the Column Configuration dialog where you can create a new 

column configuration. 

• Delete: Removes the selected column configuration from the list. 

• Properties: Opens the Column Configuration dialog where you can edit the 

selected column configuration. 

• Rename: Makes the name field editable so that you can type in a different 

name. 

• Close and Apply: Closes the dialog and applies the selected column 

configuration to device lists in the network view. 

• Close: Closes the dialog without changing the current column configuration. 

The Column Configuration dialog is where you create column configurations. Each 

column represents a single inventory attribute scanned into the core database. 

Columns appear from left to right in the network view in the order that they appear 

in the Columns list. 

To create a column configuration 

1. Click Configure | Columns. 

2. Click New. 

3. In the Column Configuration dialog, enter a name for the new column 

configuration. 

4. Select inventory attributes from the list and add them to the Columns list by 

clicking Add to columns. 

5. If you like, you can customize the appearance of the columns by renaming 

the attribute heading, moving it up or down in the list, or removing it. 

6. Click OK to save the column configuration. 

23

USER'S GUIDE 

About the Column Configuration dialog 

Use this dialog to create a new column configuration. 

• Name: Identifies the column configuration. 

• Inventory attributes: Lists each of the inventory objects and attributes 

scanned into the core database. Expand or collapse objects by clicking the 

box to the left of the object. 

• Add to columns: Moves the selected inventory attribute into the columns 

list. If you select an entire inventory component, all of the inventory 

attributes contained in that component are added to the columns list. 

• Columns: Lists the inventory attributes in the order they will appear, from 

left to right, in the network view. 

• Rename: Lets you edit the attribute's name. This name appears in the 

column heading. 

• Remove: Removes the selected attribute from the list. 

• Move Up: Moves the selected attribute up one position. 

• Move Down: Moves the selected attribute down one position. 

• OK: Saves the current column configuration and closes the dialog. 

• Cancel: Closes the dialog without saving any of your changes. 

Toolbar options 

The Management Suite console includes a toolbar that provides one-click access to 

common network view operations and some basic console configuration options. The 

toolbar buttons are dimmed when an item in the network view is selected that does 

not support that operation. 

You can enable text descriptions for toolbar buttons by clicking View | Show 

Toolbar Text. 

The console toolbar includes the following buttons: 

• Cut: Removes items from the network view and stores them temporarily on 

the clipboard. If you accidentally cut an item, use the paste command to 

restore it. You must restore the deleted item before you perform any other 

command. 

• Copy: Copies items from one location in the network view to another. 

• Paste: Pastes items you've cut or copied. 

• Delete: Permanently removes the item. You can't restore items you delete 

from the network view. 

• Refresh: Updates the selected group or item in the network view. You can 

also collapse and expand a group to update its items. You can also click View 

| Refresh to update the currently selected item in the network view. 

• Layout: Lists your saved window layouts. Select a layout from the drop-down 

list to restore the console to that layout configuration. If you want to save 

your current layout, click the Save button. 

• Core: Lists available core servers you can connect to. You can select a core 

server from the list, or type the name of a core server and press Enter. 

Management Suite looks for the core server on your network, and prompts 

you to log in with a valid user name and password. 

24


Using Management Suite tools 

Management Suite tools are available through both the Tools menu and the Toolbox. 

To enable the Toolbox, click View | Toolbox. 

An administrator sees all of the tools in both the Tools menu and the Toolbox. Other 

Management Suite users will see only the tools (features) that are allowed by their 

assigned rights. Tools dependent on rights that a user has not been granted do not 

appear at all in the Tools menu or in the Toolbox when that user is logged in to the 

console. For example, if a user does not have the Reports right, the Reports tool 

does not appear in either the Tools menu or the Toolbox. 

Here is a complete list of Management Suite tools: 

• Application Healing: Keeps applications up and running on clients by 

automatically repairing specified applications. 

• Application Policy Management: Manages sets of applications on groups of 

clients. 

• Client Setup: Configures clients with LANDesk agents in order to make them 

fully manageable. 

• Custom Data Forms: Collects custom information from users and adds it to 

the core database. 

• Directory Manager: Queries LDAP directories for clients. 

• Manage Scripts: Manages OS deployment and profile migration scripts, 

distribution scripts, file transfer scripts, and other custom scripts. 

• PXE Boot Menu: Configures the boot menu that appears on PXE-clients 

when they first boot. 

• Reports: Manages predefined LDMS service and asset reports, and lets you 

create your own custom asset reports. 

• Scheduled Tasks: Schedules client configuration, software package 

distribution, OS deployment and profile migration, and other management 

tasks. 

• Software License Monitoring: Implements software asset management 

and license compliance policies. 

• Unmanaged Device Discovery: Finds clients on your network that aren't 

scanned into the core database. 

• Users: Controls Management Suite user access to tools and devices based on 

user rights and scope. 

When you click a tool name, the tool's window opens in the console. Tool windows 

can be resized, docked, floating, hidden, and closed. You can have multiple tool 

windows open at the same time, docked or floating. See the next section for more 

information on manipulating tool windows. 

25

USER'S GUIDE 

Dockable tool windows 

Dockable windows is a console interface feature that lets you open as many of the 

Management Suite tools as you want and move them in and out of the main console 

window. 

Note: You can save console layouts you've designed and prefer for certain 

management tasks, and restore a saved layout whenever you need it. For more 

information, see "Saving window layouts" later in this chapter. 

When you open multiple tool windows, they're tabbed in a single window. The active 

tool window displays on top, with a tab for each open tool running along the side or 

bottom. Click a tab to display that tool window. You can dock the tabbed tools 

window or drag it so that it is floating outside of the console window. 

Docking a tool window means attaching it to one of the edges of the console. The 

window is said to be in a docked state if it is currently attached to an edge of the 

console. You can also undock the tools window and have it free-floating outside of 

the console. You can dock windows horizontally or vertically in the console. 

To dock a tool window 

1. Click the window's title bar and drag the window to an edge of the console 

2. When the docking rectangle (dim outline of the window) appears indicating 

that the window will be docked, release the mouse button. The window 

attaches to that edge of the console. 

Note that only tool windows (those windows accessible from the Tools menu or 

Toolbox) can exist as docked windows, floating windows, or tabbed windows. The 

network view window can be resized but can't be tabbed with other windows, floated 

outside the console, or closed. 

If you minimize and then restore the main console window, then all docked and 

floating windows, including tabbed windows, are also minimized and restored with it. 

Auto Hide 

The tool windows also support the Auto Hide feature. Auto Hide is a push pin button 

in the upper right-hand corner of a window that lets you hold a window in place or 

hide it. 

When the push pin is in (i.e., the pin points down), the window is pinned in place and 

Auto Hide is temporarily disabled. When the push pin is out (i.e., the pin points to 

the left) the window goes into Auto Hide mode when the cursor moves off of the 

window. Auto Hide minimizes and docks the window along one of the edges of the 

console and displays a tab in its place. 

The Toolbox also supports Auto Hide. 

26


Saving window layouts 

Layouts are saved console configurations, meaning the position and size of the 

network view, the Toolbox, and all open tool windows. You can use window layouts 

to save and restore customized console configurations that are especially useful for 

certain tasks or users. 

To change the layout of the console, select a saved layout from the Layout dropdown 

list on the main toolbar. 

To save your current layout 

1. Configure the console interface the way you want it. 

2. Click the Disk button next to the Layout drop-down list on the toolbar. 

3. Enter a unique name for the layout. 

4. Click OK. 

About the Manage Window Layouts dialog 

Use this dialog to manage saved window layouts and to reset the console window to 

the previous layout. 

• Saved layouts: Lists all of your saved layouts. 

• Reset: Returns the console window to the previous layout. 

• Delete: Removes the selected layout. 

• Rename: Lets you change the name of the selected layout. 

Find bar 

Find lets you search for items in a list containing a specific word or phrase. The Find 

bar is available in the network view and tool windows that contain flat lists of items. 

For example, the Find bar appears when you're viewing the: 

• All Devices group 

• All Queries group 

• Pending Unmanaged Client Deployments group 

• Unmanaged Device Discovery tool window 

• All Asset Reports 

To search for an item with the Find bar 

1. Select the All Devices group. The Find bar appears at the top of the list. 

2. In the Find text box, type any text you want to search for. 

3. From the In Column drop-down list, select the column you want to search 

4. Click the Search toolbar button. 

The resulting list displays only those items that matched your search criteria. 

27

USER'S GUIDE 

Status bar 

The status bar at the bottom of the Management Suite console displays the following 

information: 

• Number of selected items in a listing 

• Current job name and status 

• Name of the currently logged-in user 

• Days until the core server will attempt to contact the LANDesk Software 

licensing server 

The status bar is always visible. 

28


Starting the Management Suite console 

To start the Management Suite console 

1. Click Start | Programs | LANDesk | LANDesk Management Suite 8. 

2. Enter a valid Management Suite user name and password. 

If you're connecting to a remote core server, follow the normal Windows rules 

for remote login (i.e., if the user is local to that core server, just enter the 

user name; if the user is a domain user, enter the domain name\user name). 

3. Select the core server you want to connect to. The user must have proper 

authentication credentials to that core server. 

4. Click OK. 

The Management Suite console opens with the layout (size, position, open tool 

windows, etc.) that was being used the last time this user logged out. 

About the Management Suite login dialog 

Use this dialog to launch the Management Suite console and connect to a core 

server. 

• Username: Identifies a Management Suite user. This might be an 

administrator user or some other type of Management Suite user with 

restricted access (see "Role-based administration" later in this chapter). The 

user must be a member of the LANDesk Management Suite group on the core 

server. If you're connecting to a remote core server, enter the user 

name/domain. 

• Password: The user's password. 

Note: If a Management Suite administrator changes the password of another 

user (i.e., an additional console user), the new password does not take affect 

until that user reboots the console. At that point, the user would enter their 

new password to log into the console. 

• Core server: Specifies the core server you want to connect to. This dropdown 

list is the same as the core server drop-down list available on the 

console toolbar. 

Changing the core server connection 

The Management Suite console lets you view and manage the contents of any 

database associated with a core server that you can connect to on your network. 

This allows you to create databases for different sites, organizational units, or logical 

internal networks. 

You can only be connected to one core server at a time. 

29

USER'S GUIDE 

To change core server connections 

1. Select a core server from the Core drop-down list located on the console 

toolbar. Or, enter a core server name in the text box and press Enter. 

Management Suite looks for the server on your network. If found, you're 

prompted to log in at the standard Management Suite Login dialog. 

2. Enter a valid Management Suite user name and password. 

Follow the normal Windows NT rules for remote login (i.e., if the user is local 

to that core server, just enter the user name; if the user is a domain user, 

enter the domain name\user name). 

Once you've connected to a core server, its name is automatically added to the Core 

drop-down list in the toolbar. 

30


Using role-based administration 

Role-based administration is a powerful new feature with LANDesk Management 

Suite 8. Administrators (users with the LANDesk Administrator right) can access the 

role-based administration tools by clicking Users in the Tools menu or in the 

Toolbox. 

Role-based administration lets you add users to your Management Suite system and 

assign those users special administrative roles based on their rights and scope. 

Rights determine the Management Suite tools and features a user can see and utilize 

(see "Understanding rights" later in this chapter). Scope determines the range of 

devices a user can see and manage (see "Creating scopes" later in this chapter). 

You can create roles based on users' responsibilities, the management tasks you 

want them to be able to perform, and the devices you want them to be able to see, 

access, and manage. Access to devices can be restricted to a geographic location like 

a country, region, state, city or even a single office or department. Or, access can be 

restricted to a particular client platform, processor type, or some other device 

hardware or software attribute. With role-based administration, it's completely up to 

you how many different roles you want to create, which users can act in those roles, 

and how big or small their scope of device access should be. 

For example, you can have one or more users whose role is software distribution 

manager, another user who is responsible for remote control operations, a user who 

runs reports, and so on. 

Example administrative roles 

The table below lists some of the possible Management Suite administrative roles 

you might want to implement, the common tasks that user would perform, and the 

rights that user would need in order to function effectively in that role. 

Role Tasks Required rights 

Administrator 

Configure core servers, install additional 

consoles, perform database rollup, 

manage users, configure alerts, integrate 

LANDesk System Manager, etc. (Of 

course, administrators with full rights can 

perform any management tasks.) 

LANDesk 

Administrator 

(all rights implied) 

Asset manager Discover devices, configure clients, run the 

inventory scanner, create and distribute 

custom data forms, enable inventory 

history tracking, etc. 

Unmanaged Device 

Discovery, Software 

Distribution, and 

Public Query 

Management 

Helpdesk 

Remotely control clients, chat, transfer 

files, execute software, shutdown, reboot, 

view agent and health status, etc. 

Remote Control 

31

USER'S GUIDE 

Application 

manager 

Migration 

manager 

Reporting 

manager 

Software 

license 

monitoring 

manager 

Distribute software packages, use 

Targeted Multicast and peer download, 

enable application policy management, 

heal applications, etc. 

Create images, deploy OS images, 

migrate user profiles, create and distribute 

user-initiated profile migration packages, 

deploy PXE representatives, assign PXE 

holding queues, configure the PXE boot 

menu, create boot floppy disks, etc. 

Run predefined reports, create custom 

reports, print reports, import and export 

reports, test user reports, etc. 

Configure applications to monitor, add 

licenses, upgrade and downgrade 

licenses, verify reports, etc. 

Software Distribution 

OS Deployment 

Reports (required for 

all reports) 

LANDesk 

Administrator 

These are just example roles. Role-based administration is flexible enough to let you 

create as many custom roles as you need. You can assign the same few rights to 

different users but restrict their access to a limited set of devices with a narrow 

scope. Even an administrator can be restricted by scope, essentially making them an 

administrator over a specific geographic region or type of managed device. How you 

take advantage of role-based administration depends on your network and staffing 

resources, as well as your particular needs. 

To implement and enforce role-based administration, simply designate current NT 

users, or create and add new NT users, as Management Suite users, and then assign 

the necessary rights (to Management Suite features) and scope (to managed 

devices). Follow the procedures below: 

• Adding Management Suite users 

• Understanding rights 

• Creating scopes 

• Assigning rights and scope to users 

Adding Management Suite users 

Management Suite users are users who can log in to the Management Suite console 

and perform specific tasks for specific devices on the network. 

Management Suite users are not actually created in the console. Instead, users 

appear in the All Users group (click Tools | Users | All Users) after they have been 

added to the LANDesk Management Suite group in the Windows NT users 

environment on the core server. The All Users group shows all of the users currently 

residing in the LANDesk Management Suite group on the core server. 

32


There are two default users in the All Users group: 

• Default Template User: This user is basically a template of user properties 

(rights and scope) that is used to configure new users when they are added 

to the LANDesk Management Suite group. In other words, when you add a 

user to that group in the Windows NT environment, the user inherits the 

rights and scope currently defined in the Default Template User properties. If 

the Default Template User has all rights selected and the Default All Machines 

Scope selected, any new user placed in the LANDesk Management Suite 

group will be added to the All Users group with rights to all of the 

Management Suite tools and access to all devices. 

You can change the property settings for the Default Template User by 

selecting it and clicking Edit User. For example, if you want to add a large 

number of users at once, but do not want them to have access to all of the 

tools or devices, change the settings for the Default Template User first, then 

add the users to the LANDesk Management Suite group (see steps below). 

The Default Template User cannot be removed. 

• Default Administrator: This is the user who was logged in to the server 

when Management Suite was installed. 

When you add a user to the LANDesk Management Suite group in NT, the user is 

automatically read into the All Users group in the Users window, inheriting the same 

rights and scope as the current Default Template User. The user's name, scope, and 

rights are displayed. Additionally, new user subgroups, named by the user's unique 

login ID, are created in the User Devices, User Queries, User Reports, and User 

Scripts groups (note that ONLY an Administrator can view User groups). 

Conversely, if you remove a user from the LANDesk Management Suite group in the 

Windows users environment, the user no longer appears in the All Users group. The 

user's account still exists on your server and can be added back to LANDesk 

Management Suite group at any time. Also, the user's subgroups under User 

Devices, User Queries, User Reports, and User Scripts are preserved so that you can 

restore the user without losing their data, and so that you can copy data to other 

users. 

To refresh the All Users group to display any newly added users, right-click All 

Users and click Refresh. 

To add a user to the LANDesk Management Suite group 

1. Navigate to the server's Administrative Tools | Computer Management | 

Local Users and Groups | Groups utility. 

2. Right-click the LANDesk Management Suite group, and then click Add. 

3. Select a user (or users) from the list. 

4. Click Add, and then OK. 

Note: You can also add a user to the LANDesk Management Suite group by rightclicking 

the user account in the Users list, clicking Properties | Member Of, and 

then clicking Add to select the group and add the user. 

If user accounts do not already exist in NT, you must first create them on the server. 

33

USER'S GUIDE 

To create a new user account 

1. Navigate to the server's Administrative Tools | Computer Management | 

Local Users and Group | Users utility. 

2. Right-click Users, and then click New User. 

3. In the New User dialog, enter a name and password. 

4. Specify password settings. 

5. Click Create. The New User dialog remains open so that you can create 

additional users. 

6. Click Close to exit the dialog. 

7. Add the user to the LANDesk Management Suite group to have them appear 

in the All Users group in the console. 

You can now assign your Management Suite users rights and scope. 

Understanding rights 

Rights provide access to specific Management Suite tools and features. Users must 

have the necessary right (or rights) to perform corresponding tasks. For example, in 

order to remote control devices in their scope, a user must have the Remote Control 

right. 

When a right is not assigned to a user, tools associated with that right are not visible 

to that user in the Management Suite console. For example, if a user is not given the 

Software Distribution right, the Application Policy Management and Application 

Healing tools do not appear in either the Tools menu or the Toolbox. 

See the descriptions below to learn more about each Management Suite right and 

how rights can be used to create administrative roles. 

Scope controls access to devices 

When using the features allowed by these rights, users will always be limited by their 

scope (the devices they can see and manipulate). 

LANDesk Administrator 

The LANDesk Administrator right provides full access to all of the Management Suite 

tools (however, use of these tools is still limited to the devices included in the 

administrator's scope). 

This is the default right for a newly added user, unless you've modified the settings 

for the Default Template User. 

34


The LANDesk Administrator right provides users the ability to: 

• See and access the Users tool in the Tools menu and Toolbox 

• See and access the Software License Monitoring tool in the Tools menu and 

Toolbox 

• See and manage User Device groups in the network view 

• See and manage User Query groups in the network view 

• See and manage User Scripts groups in the Manage Scripts window 

• See and manage User Reports groups in the Reports window 

• See and configure Product Licensing in the Configure menu 

• Perform all of the Management Suite tasks allowed by the other rights listed 

below 

Note on rights and tools 

The LANDesk Administrator right is exclusively associated with the Software License 

Monitoring and Users tools. If a user does not have the LANDesk Administrator right, 

those two tools will not appear in the console. 

All users, regardless of their assigned rights, can see and use these universal 

features: Inventory options, Alert history, and Alert settings. 

All of the other tools in the Management Suite console are associated with a 

corresponding right (as described below). 

OS Deployment 

The OS Deployment right provides users the ability to: 

• See and access the Manage Scripts tool in the Tools menu and Toolbox 

• Create and run OS deployment and profile migration scripts 

• Schedule OS deployment and profile migration tasks 

• Configure PXE representatives with the Deploy PXE Representative script 

• Designate PXE holding queues 

• Configure the PXE boot menu 

Software Distribution 

The Software Distribution right provides users the ability to: 

• See and access the Manage Scripts tool in the Tools menu and Toolbox 

• Create and run software distribution scripts 

• Create and run client configurations 

• Schedule other script-based tasks (with the exception of OS deployment and 

profile migration scripts) 

• Create and deploy Custom Data Forms 

• See and access the Application Healing tool in the Tools menu and Toolbox 

• Create and deploy Application Repair Lists (ARLs) 

• Distribute software packages through application policies (APM) 

• View LDAP directories 

35

USER'S GUIDE 

Reports 

The Reports right provides users the ability to: 

• See and access the Reports tool in the Tools menu and Toolbox 

• Run predefined reports 

• Create and run custom asset reports 

Remote Control 

The Remote Control right provides users the ability to: 

• Use the remote control options on a device's shortcut menu (otherwise, they 

are dimmed) 

• Remote control clients that have the remote control agent loaded 

• Wake up, shut down, and reboot clients 

• Chat with clients 

• Execute client programs remotely 

• Transfer files to and from clients 

Unmanaged Device Discovery 

The Unmanaged Device Discovery right provides users the ability to: 

• See and access the Unmanaged Device Discovery tool in the Tools menu and 

Toolbox 

• Create scanner configurations and run different types of discovery scans 

(CBA, NT Domain, etc.) 

Public Query Management 

The Public Query Management right provides users the ability to: 

• Create, modify, copy, delete, and move queries in the Public Queries group in 

the network view. (Without this right, the devices in the Public Query group 

are view only.) 

About the Patch Manager and Asset Manager rights 

The Patch Manager right is specific to the Patch Manager add-on product, which may 

or may not be installed on your Management Suite network. For more information, 

see "Using the Patch Manager add-on." 

The two Asset Manager rights are specific to the Asset Manager add-on product. For 

more information, see "Using the Asset Manager add-on." 

When the add-on products aren't installed, these rights still appear in the list 

(checked) but are grayed out. The respective add-on product's tools and features are 

not available, of course. After an add-on product is installed, its respective right(s) 

are activated in this list, and can be checked to allow access to the add-on's features 

or cleared to deny access. 

36


Creating scopes 

A scope defines the devices that can be viewed and managed by a Management 

Suite user. 

A scope can be as large or small as you want, encompassing all of the managed 

devices scanned into a core database, or possibly just a single device. This flexibility, 

combined with modularized tool access, is what makes role-based administration 

such a versatile management feature. 

Default scopes 

Management Suite's role-based administration includes two default scopes. These 

two predefined scopes can be useful when configuring the user properties of the 

Default Template User. 

• Default No Machines Scope: Includes no devices in the database. 

• Default All Machines Scope: Includes all managed devices in the database. 

You can't edit or remove the default scopes. 

Custom scopes 

There are two types of custom scopes you can create and assign to users: 

• Query-based: Controls access to only those devices that match a custom 

query search. You can select an existing query, or create new queries from 

the Assign Devices to Users dialog, to define a scope. Note that you can also 

copy queries from the Queries groups in the network view directly into the 

Scopes group. For more information on creating queries, see "Creating 

database queries" in chapter 3. 

• LDAP- or custom directory-based: Controls access to only those devices 

located in an Active Directory or NetWare eDirectory LDAP-compliant 

directory structure, or in a custom directory location. You can select directory 

locations from the Select Visible Devices dialog to define a scope. 

A Management Suite user can only be associated with one scope at a time, but a 

scope can be associated with multiple users simultaneously. 

To create a scope 

1. Click Tools | Users. 

2. Select the Scopes object, and then click the New Scope toolbar button. Or, 

right-click Scopes and select New Scope. 

3. In the Assign Devices to Users dialog, enter a name for the new scope. 

4. Specify the type of scope you want to create, query-based or directory-based 

by clicking one of the buttons. 

5. If you selected query-based, click New, define the query in the New Scope 

Query dialog, and then click OK. 

37

USER'S GUIDE 

6. If you selected directory-based, click Browse, select locations (LDAP and/or 

custom directory) from the Visible Devices list, and then click OK. 

Click on the plus (+) and minus (-) signs to expand and collapse nodes in the 

directory tree. You can multi-select locations by using Ctrl-click. All nodes 

under a selected parent node will be included in the scope. 

LDAP directory locations are determined by a client's Active Directory or 

eDirectory location. For more information, see "Using Active Directory and 

eDirectory" later in this chapter. 

Custom directory locations are determined by a client's Computer Location 

attribute in the inventory database. This attribute is defined during client 

configuration. For more information, see "Running the Client Setup wizard" in 

chapter 3. 

7. Click OK to save the scope and close the dialog. 

About the Assign Devices to Users dialog 

Use this dialog to create or edit a scope. You can access this dialog by selecting a 

scope and clicking the Edit Scope toolbar button or by right-clicking the scope and 

then clicking Properties. 

• Scope Name: Identifies the scope. 

• Assign permission for user to see devices: 

• Based on query: Creates a scope whose device range is determined 

by a custom query. 

• New: Opens the New Query dialog where you can define and save a 

query. This is the same query dialog you use when creating a database 

query from the network view. (Note that you can also copy queries 

from the Queries groups in the network view directly into the Scopes 

group.) 

• Based on LDAP or custom directory: Creates a scope whose device 

range is determined by the device location. 

• Browse: Opens the Visible Devices window where you can select 

locations. Click on the plus (+) and minus (-) signs to expand and 

collapse nodes in the directory tree. You can multi-select locations by 

using Ctrl-click. All nodes under a selected parent node will be included 

in the scope. 

• Current scope definition: Displays the query statements for a query-based 

scope, and the location paths for a directory-based scope. 

• Edit query: Opens the Edit Query dialog where you can change query 

parameters and statements. 

• OK: Saves the scope and closes the dialog. 

• Cancel: Closes the dialog without saving any of your changes. 

38


Using Active Directory and eDirectory 

The two sections below provide guidelines for using Active Directory and NetWare 

eDirectory locations to define directory-based scopes. 

To support Active Directory locations 

For an Active Directory location to be scanned as the Computer Location attribute in 

a client's inventory, the currently logged-in user on the client must be a domain 

user. 

To remove a client's Active Directory-based Computer Location attribute, the 

administrator must disconnect the client from the domain, and remove the DNS 

suffix from the client's computer name (if applicable). 

To support Netware eDirectory locations 

For a NetWare server location (or an eDirectory on a Windows server location) to be 

reported as the Computer Location attribute in a client's inventory, the administrator 

must give the public user Browse rights to the container where the client is located. 

Also, the NetWare server name (or eDirectory on a Windows server name) must be 

resolvable to an IP address. 

Assigning rights and scope to users 

Once you've added Management Suite users, learned about rights and how they 

control access to features and tools, and created device scopes to allow or restrict 

access to managed devices, the next step in establishing role-based administration is 

to assign the appropriate rights and a scope to each user. 

You can modify a user's rights and scope at any time. 

If you modify a user's rights or scope, those changes will only take affect the next 

time that user logs into the core server. 

39

USER'S GUIDE 

To assign rights and scope to a user 

1. Click Tools | Users. 

2. Select the All Users group to view all of the users that are currently a 

member of the LANDesk Management Suite group in the core server's 

Windows NT environment. 

The right-hand pane displays a list of users, including their user name, 

current scope, and assigned rights (an x character indicates the right is 

enabled or active). 

You can refresh this list by right-clicking All Users and selecting Refresh. 

3. Click a user, and then click the Edit User toolbar button. 

4. In the User Properties dialog, check or clear rights as desired (see 

"Understanding rights" earlier in this chapter). 

5. Select a scope from the Available scopes list (see "Creating scopes" earlier in 

this chapter). 

6. Click OK. 

The new rights and scope display next to the user's name in the list and will take 

affect the next time the user connects to the core server. 

About the User Properties dialog 

Use this dialog to view and modify a user's assigned rights and scope. 

• Assigned rights: Lists the rights assigned to the user (see "Understanding 

rights" earlier in this chapter). 

• LANDesk Administrator 

• OS Deployment 

• Software Distribution 

• Reports 

• Remote Control 

• Unmanaged Device Discovery 

• Public Query Management 

• Current Scope: Identifies the user's current scope. 

• Available Scopes: Lists all of the scopes you can associate with the user. 

• Create: Opens the Assign Devices to Users dialog where you can create a 

new query- or directory-based scope. 

• Edit: Opens the Assign Devices to Users dialog where you can make changes 

to the selected scope. 

• OK: Saves your changes to the user's properties and closes the dialog. 

• Cancel: Closes the dialog without saving changes. 

40


Configuring agent discovery 

Management Suite uses the agent discovery process to find managed clients that 

have the CBA or Remote Control agents installed. These two agents provide the 

following capability: 

• CBA: The Common Base Agent enables the PDS (ping discovery service). If 

the CBA is installed on a client, you can schedule software distributions and 

client setup configurations. 

• Remote Control: Lets you remotely access and control a client. 

Agent discovery uses TCP/IP to verify agents running on the clients. 

To perform CBA discovery with TCP/IP, Management Suite uses IP addresses as 

search criteria. Management Suite looks for CBA and Remote Control agents on 

clients within a specific range of IP addresses. This range of addresses is implied by 

the IP network address you supply. 

If you don't designate subnet network addresses when searching on TCP/IP, 

Management Suite performs discovery only on the network segment where the 

console initiating the discovery resides. For example, if you've installed four 

consoles, each residing on a different network segment, you would have to initiate 

four scans, one from each of the four consoles. 

On network segments where consoles do not exist, you MUST use subnet network 

addresses to access the information on that network segment. 

Note: If you have one or more firewalls on your network, Management Suite cannot 

use CBA discovery to search outside firewalls, because firewalls generally limit the 

flow of packet traffic to designated ports. 

To configure agent discovery options 

1. Click Configure | Agent Discovery Options. 

2. Select whether you want agent discovery to update agent status for only the 

selected item in the network view, or all visible items in the network view. 

3. Specify the agent status refresh rate. 

4. Configure how you want to discover the remote control agent, and prioritize 

the address resolution methods. 

5. Specify how long agent discovery will attempt to discover the remote control 

agent on the client before timing out. 

6. Click OK. 

41

USER'S GUIDE 

About the Agent Discovery Options dialog 

Use this dialog to configure the following agent discovery options. 

• Gather agent status: 

• For selected items only: Specifies that a device's agent status is 

updated as the device is selected in the network view. This option 

generates the least amount of network traffic and is the default. 

• For visible items in network view: Specifies that all visible devices 

in the network view will have their agent status updated according to 

the refresh rate. As new devices become visible, their agent status 

(and health) are updated. 

• Agent and health status refreshes every < > minutes: Indicates 

whether agent status is automatically updated. You can specify the refresh 

rate. 

• Remote Control agent discovery: 

• IP address: Uses the core database to retrieve the computer's stored 

IP address. 

• Domain Name Service (DNS): Resolves the computer's ID name 

with the DNS server when verifying the remote control agent. If you 

do not have a DNS server, clear this option. 

• Windows Internet Name Service (WINS): Uses NetBIOS name 

resolution. 

• IP addresses from database: Uses the core database to retrieve the 

client's stored IP addresses and tries each one. Computers can have 

several IP addresses in the database if they have multiple network 

cards. 

• Move up and Move down: Moves the selected method up or down in 

the Discover agent using list. Methods are tried in the order they 

appear in the list. 

• Timeout: Sets the timeout value before the remote control agent discovery 

fails for each checked address resolution method. 

42


Viewing device properties 

In Management Suite's network view, you can quickly view information about a 

device by right-clicking the device in the device list and selecting Properties. 

More detailed information about the client is available in its inventory data. You can 

view inventory data in the network view columns (which are configurable), or by 

right-clicking the client and selecting Inventory to open the full Inventory window. 

About the Device Properties dialog 

Use this dialog to view useful information about the selected device. The dialog 

includes three tabs: Inventory, Device, and Agents. Click each one to view related 

information. 

Inventory tab 

The Inventory tab contains a summary of the client's inventory data. For more 

information, see "Viewing a summary inventory" in chapter 4 for a detailed 

description. 

Device tab 

The Device tab contains basic information about a client, including its location and 

identity on the network. This tab also appears when you manually insert a device 

(from the All Devices group's shortcut menu, click Insert New Computer). 

• Device: 

• Name: The name that appears in the core database and network view 

for the device. 

If you are manually inserting a device, you can make this a userfriendly 

name. If you enter nothing here, the default device name will 

be the Windows computer name. 

• Type: The type of device, such as Windows 2000 Server or XP 

Workstation. 

• Network: 

• IP Name: The Windows computer name for the device. 

• IP address: The IP address assigned to the device. 

• WINS name: The WINS name assigned to the device. 

43

USER'S GUIDE 

Agents tab 

The Agents tab contains information about the current status of agents and remote 

control settings for the client. 

• Common Base Agent status: Indicates whether the Common Base Agent 

(CBA) is loaded on the client. 

• LANDesk System Manager status: Indicates whether the LANDesk System 

Manager agent is loaded on the client. This agent will only be loaded if you 

have LANDesk System Manager installed on your core server, and if you've 

deployed the System Manager agent to this client. (For more information, see 

chapter 2, "Configuring clients.") 

• Remote Control Agent status: Indicates whether the remote control agent 

is loaded on the client. If this agent is not loaded on the client, remote control 

operations (such as file transfer and chat) are not available. 

• Security type: Indicates the remote control security model used for the 

client. Options include: Local template, Windows NT security/local template, 

and Certificate-based/local template. 

• Allow: Shows the remote control operations that are allowed on the client. 

These operations were enabled by the client configuration. 

• Settings: Indicates how remote control operates when you attempt to 

interact with the client. 

• Visible indicators: Specifies how the remote control indicator appears on 

the client. 

44


Monitoring clients for network connectivity 

Device monitoring lets you regularly monitor the connectivity of any of your 

managed devices. 

Ping settings are specific to the device you've selected. When a device stops 

responding to a ping (when it goes offline), Management Suite can generate AMS 

alerts to notify you. You can also configure alerts to inform you when devices come 

back online. 

About the Configure Device Monitoring dialog 

Use this dialog to configure the following device monitoring options. 

• Monitor these devices: Lists the devices that are currently being monitored. 

• Add: Opens the Add Monitored Devices dialog where you can search for and 

select managed devices that you want to monitor. 

• Remove: Deletes the selected device from the list. 

• Ping frequency: Control when and how the ping operation occurs. These 

settings can be applied to each device individually. 

• Ping every: Schedules a periodic ping at the specified minute interval. 

• Schedule daily at: Schedules a daily ping at a specific time. 

• Retries: Specifies the number of ping retries. 

• Timeout: Specifies the number of seconds until ping retries will 

timeout. 

• Alert settings: Opens the Configure Alerts dialog where you can set up AMS 

alerting to notify you when the device goes offline or online. Alert Settings 

includes its own online Help that you can access by clicking the Help button. 

• OK: Saves your changes and closes the dialog. 

• Cancel: Closed the dialog without saving your changes. 

Configuring device monitoring alerts 

If you want device monitoring to notify you when managed clients come online or go 

offline, you have to first configure the alert settings. 

To configure device monitoring alert settings 

1. In the Configure Device Monitoring dialog, click Alert Settings. 

2. In the Configure Alerts dialog, expand the Device Monitor tree. 

3. Select the alert you want to configure and click Configure. 

4. Select an alert action and click Next. 

5. Select the client you want the alert action performed on. Don't select the 

client you're monitoring, because if it goes offline, it won't be able to process 

the alert action. 

6. Finish the alert configuration wizard. 

Note: When you configure alert settings, they apply to all of the clients you're 

monitoring. 

45

USER'S GUIDE 

Activating the core server 

LANDesk Software uses a central licensing server at LANDesk Software to help you 

manage your core server's product and node licenses. To use the LANDesk products, 

you must obtain from LANDesk a user name and password that will activate the core 

server with an authorized certificate. Activation is required on each core server 

before you can use LANDesk products on that server. You can activate each core 

server either automatically by the Internet or manually by e-mail. You may need to 

reactivate a core server in the event that you significantly modify its hardware 


On a periodic basis, the activation component on each core server will generate data 

regarding: 

• The precise number of nodes you're using 

• The non-personal encrypted hardware configuration 

• The specific LANDesk Software programs you're using (collectively, the "node 

count data”) 

No other data is collected or generated by the activation. The hardware key code is 

generated on the core server using non-personal hardware configuration factors, 

such as the size of the hard drive, the processing speed of the computer, and so on. 

The hardware key code is sent to LANDesk in an encrypted format, and the private 

key for the encryption resides only on the core server. The hardware key code is 

then used by LANDesk Software to create a portion of the authorized certificate. 

After installing a core server, use the Core Server Activation utility (Start | All 

Programs | LANDesk | Core Server Activation) to either activate it with a 

LANDesk account associated with the licenses you've purchased or with a 45-day 

evaluation license. The 45-day evaluation license is for 100 nodes. There are two 

types of licenses, client and server. Any time you install Management Suite agents 

on a server operating system, such as Windows 2000 Server or Windows 2003 

Server, that installation consumes a Management Suite license for a server. Rollup 

core servers don't need to be activated. 

You can switch from a 45-day evaluation to a paid license at any time by running the 

Core Server Activation utility and entering your LANDesk Software username and 

password. 

Each time the node count data is generated by the activation software on a core 

server, you need to send the node count data to LANDesk Software, either 

automatically by the Internet or manually by e-mail. If you fail to provide node count 

data within a 30-day grace period after the initial node count verification attempt, 

the core server may become inoperative until you provide LANDesk with the node 

count data. Once you send the node count data, LANDesk Software will provide you 

with an authorized certificate that will allow the core server to work normally once 

again. 

46


Once you've activated a core server, use the Management Suite console's Configure 

| Product Licensing dialog to view the products and the number of authorized 

nodes purchased for the account the core server authenticates with. You can also see 

the date the core server will verify node count data with the central licensing server. 

The core server doesn't limit you to the number of authorized nodes you purchased. 

You can view information about the licenses you're using by visiting the LANDesk 

Software licensing site at www.landesk.com/contactus. 

About the Core Server Activation utility 

Use the Core Server Activation utility to: 

• Activate a new server for the first time 

• Update an existing core server or switch from a trial-use license to a full-use 

license 

• Activate a new server with a 45-day trial-use license 

Start the utility by clicking Start | All Programs | LANDesk | Core Server 

Activation. If your core server doesn't have an Internet connection, see "Manually 

activating a core or verifying the node count data" later in this section. 

Each core server must have a unique authorized certificate. Multiple core servers 

can't share the same authorization certificate, though they can verify node counts to 

the same LANDesk account. 

Periodically, the core server generates node count verification information in the 

"\Program Files\LANDesk\Authorization Files\LANDesk.usage" file. This file gets sent 

periodically to the LANDesk Software licensing server. This file is in XML format and 

is digitally signed and encrypted. Any changes manually made to this file will 

invalidate the contents and the next usage report to the LANDesk Software licensing 

server. 

The core communicates with the LANDesk Software licensing server via HTTP. If you 

use a proxy server, click the utility's Proxy tab and enter your proxy information. If 

your core has an Internet connection, communication with the license server is 

automatic and won't require any intervention by you. 

Note that the Core Server Activation utility won't automatically launch a dial-up 

Internet connection, but if you launch the dial-up connection manually and run the 

activation utility, the utility can use the dial-up connection to report usage data. 

If your core server doesn't have an Internet connection, you can verify and send the 

node count manually, as described later in this section. 

47

USER'S GUIDE 

Activating a server with a LANDesk Software account 

Before you can activate a new server with a full-use license, you must have an 

account set up with LANDesk Software that licenses you for the LANDesk Software 

products and number of nodes you purchased. You will need the account information 

(contact name and password) to activate your server. If you don't have this 

information, contact your LANDesk Software sales representative. 

To activate a server 

1. Click Start | All Programs | LANDesk | Core Server Activation. 

2. Click Activate this core server using your LANDesk contact name and 

password. 

3. Enter the Contact name and Password you want the core to use. 

4. Click Activate. 

Activating a server with a trial-use license 

The 45-day trial-use license activates your server with the LANDesk Software 

licensing server. Once the 45-day evaluation period expires, you won't be able to log 

in to the core server, and it will stop accepting inventory scans, but you won't lose 

any existing data in the software or database. During or after the 45-day trial use 

license, you can rerun the Core Server Activation utility and switch to a full activation 

that uses a LANDesk Software account. If the trial-use license has expired, switching 

to a full-use license will reactivate the core. 

To activate a 45-day evaluation 


2. Click Activate this core for a 45-day evaluation. 

3. Click Evaluate. 

Updating an existing account 

The update option sends usage information to the LANDesk Software licensing 

server. Usage data is sent automatically if you have an Internet connection, so you 

normally shouldn't need to use this option to send node count verification. You can 

also use this option to change the LANDesk Software account the core server belongs 

to. This option can also change a core server from a trial-use license to a full-use 

license. 

To update an existing account 


2. Click Update this core server using your LANDesk contact name and 

password. 

3. Enter the Contact name and Password you want the core to use. If you 

enter a name and password that's different than the one used to originally 

activate the core, this switches the core to the new account. 

4. Click Update. 

48


Manually activating a core or verifying the node count data 

If the core server doesn't have an Internet connection, the Core Server Activation 

utility won't be able to send node count data. You'll then see a message prompting 

you to send activation and node count verification data manually through e-mail. E- 

mail activation is a simple and quick process. When you see the manual activation 

message on the core, or if you use the Core Server Activation utility and see the 

manual activation message, follow these steps. 

To manually activate a core or verify the node count data 

1. When the core prompts you to manually verify the node count data, it creates 

a data file called activate.xml in the "\Program 

Files\LANDesk\ManagementSuite" folder. Attach this file to an e-mail message 

and send it to [email protected]. The message subject and body don't 

matter. 

2. LANDesk Software will process the message attachment and reply to the mail 

address you sent the message from. The LANDesk Software message 

provides instructions and a new attached authorization file. 

3. Save the attached authorization file to the "\Program 

Files\LANDesk\Authorization Files" folder. The core server immediately 

processes the file and updates its activation status. 

If the manual activation fails or the core can't process the attached activation file, 

the authorization file you copied is renamed with a .rejected extension and the utility 

logs an event with more details in the Windows Event Viewer's Application Log. 

49

USER'S GUIDE 

Configuring Management Suite services 

You can configure the following services for any of your core servers and databases: 

• Selecting a core server and database 

• Inventory 

• Scheduler 

• Custom Jobs 

• Multicast 

• OS Deployment 

Before configuring a service, use the General tab to specify the core server and 

database you want to configure the service for. 

Note: Any service configuration changes you make for a core server and database 

will not take affect until you restart the service on that core server. 

Selecting a core server and database with General settings 

The General tab lets you select a core server and database and provide 

authentication credentials so that you can configure services for that core server. 

About the Configure Management Suite Services dialog: 

General tab 

Use this dialog to select the core server and database you want to configure a 

specific service for. Then, select the desired service tab and specify the settings for 

that service. 

• Server name: Displays the name of the core server you're currently 

connected to. 

• Server: Lets you enter the name of a different core server and its database 

directory. 

• Database: Lets you enter the name of the core database. 

• Username: Identifies a user with authentication credentials to the core 

database (specified during Setup). 

• Password: Identifies the user's password required to access the core 

database (specified during Setup). 

• This is an Oracle database: Indicates that the core database specified 

above is an Oracle database. 

• Refresh settings: Restores the settings that were present when you opened 

the Service Configuration dialog. 

50


Configuring the Inventory service 

Use the Inventory tab to configure the Inventory service for the core server and 

database you selected using the General tab. 


Inventory tab 

Use this tab to specify the following inventory options: 

• Server name: Displays the name of the core server you're currently 

connected to. 

• Log statistics: Keeps a log of core database actions and statistics. 

• Scan server at: Specifies the time to scan the core server. 

• Perform maintenance at: Specifies the time to perform standard core 

database maintenance. 

• Days to keep inventory scans: Sets the number of days before the 

inventory scan record is deleted. 

• Primary owner logins: Sets the number of times the inventory scanner 

tracks logins to determine the primary owner of a device. The primary owner 

is the user who has logged in the most times within this specified number of 

logins. The default value is 5 and the minimum and maximum values are 1 

and 16, respectively. If all of the logins are unique, the last user to log in is 

considered the primary owner. A device can have only one primary owner 

associated with it at a time. Primary user login data includes the user's fully 

qualified name in either ADS, NDS, domain name, or local name format (in 

that order), as well as the date of the last login. 

• Scanner settings: Opens the Software Scanning dialog where you can 

configure client software scanning time and history settings. 

• Duplicate ID: Opens the Duplicate Device ID dialog where you can select 

attributes that uniquely identify clients. You can use this option to avoid 

having duplicate device IDs scanned into the core database (see Configuring 

duplicate device ID handling below). 

• Inventory service status: Indicates whether the service is started or 

stopped on the core server. 

• Start: Starts the service on the core server. 

• Stop: Stops the service on the core server. 

About the Software Scanning dialog 

Use this dialog to configure the frequency of software scans. A client's hardware is 

scanned each time the inventory scanner is run on the client, but the client's 

software is scanned only at the interval you specify here. 

• Every logon: Scans all of the software installed on the client every time the 

user logs on. 

• Once every (days): Scans the client's software only on the specified daily 

interval, as an automatic scan. 

• Save history (days): Specifies how long the client's inventory history is 

saved. 

51

USER'S GUIDE 

Configuring duplicate device ID handling 

Because imaging is often used to configure clients in a network, the possibility of 

duplicate device IDs among clients is increased. You can avoid this problem by 

specifying other client attributes that, combined with the device ID, create a unique 

identifier for your clients. Examples of these other attributes include device name, 

domain name, BIOS, bus, coprocessor, and so on. 

The Duplicate ID feature lets you select client attributes that can be used to uniquely 

identify the client. You specify what these attributes are and how many of them must 

be missed before the client is designated as a duplicate of another client. If the 

inventory scanner detects a duplicate client, it writes an event in the applications 

event log to indicate the device ID of the duplicate client. 

To configure duplicate ID handling 

1. Click Configure | Services | Inventory | Duplicate ID. 

2. Select attributes from the Attributes list that you want to use to uniquely 

identify a client, and then click the right-arrow button to add the attribute to 

the Identity Attributes list. You can add as many attributes as you like. 

3. Select the number of identity attributes (and hardware attributes) that a 

client must fail to match before it's designated as a duplicate of another 

client. 

4. If you want the inventory scanner to reject duplicate device IDs, check the Reject 

duplicate identities option. 

About the Duplicate Device ID dialog 

Use this dialog to configure duplicate device ID handling. 

• Attributes List: Lists all of the attributes you can choose from to uniquely 

identify a client. 

• Identity Attributes: Displays the attributes you've selected to uniquely 

identify a client. 

• Duplicate Device ID Triggers: 

• Identity Attributes: Identifies the number of attributes that a client 

must fail to match before it's designated as a duplicate of another 

client. 

• Hardware Attributes: Identifies the number of hardware attributes 

that a client must fail to match before it's designated as a duplicate of 

another client. 

• Reject duplicate identities: Causes the inventory scanner to record the 

device ID of the duplicate client and reject any subsequent attempts to scan 

that device ID. Then, the inventory scanner generates a new device ID. 

52


Configuring the Scheduler service 

Use the Scheduler tab to configure the Scheduler service (Tools | Scheduled 

Tasks) for the core server and database you selected using the General tab. 

You must have the appropriate rights to perform these tasks, including full 

administrator privileges to the Windows NT/2000 clients on the network, allowing 

them to receive package distributions from LANDesk Management Suite. You can 

specify multiple login credentials to use on clients by clicking Change Login. 

One additional setting you can configure manually is the Scheduled Task's refresh 

rate. By default, every two minutes the Scheduled Tasks pane checks the core 

database to determine if any of the visible items have been updated. If you want to 

change the refresh rate, navigate to this key in the registry: 

HKEY_LOCAL_MACHINE\Software\Intel\LANDesk\LDWM\TaskLog 

Add a new DWORD value, label it "RefreshRate", and enter the number of seconds 

you want for the refresh rate. You will need to restart the Intel Scheduler service for 

the new key to take effect. 


Scheduler tab 

Use this tab to see the name of the core server and the database that you selected 

earlier, and to specify the following Scheduled Tasks options: 

• Username: The username under which the Scheduled Tasks service will be 

run. This can be changed by clicking the Change Login button. 

• Number of seconds between retries: When a scheduled task is configured 

with multiple retries, this setting controls the number of seconds the 

Scheduled Tasks will wait before retrying the task. 

• Number of seconds to attempt wake up: When a scheduled task is 

configured to use Wake On LAN, this setting controls the number of seconds 

that the Scheduled Tasks service will wait for a client to wake up. 

• Interval between query evaluations: A number that indicates the amount 

of time between query evaluations, and a unit of measure for the number 

(minutes, hours, days, or weeks). 

• Wake on LAN settings: The IP port that will be used by the Wake On LAN 

packet set by the scheduled tasks to wake up clients. 

• Schedule service status: Indicates whether the service is started or 

stopped on the core server. 

• Start: Starts the service on the core server. 

• Stop: Stops the service on the core server. 

53

USER'S GUIDE 

About the Configure Management Suite Services dialog: Change Login dialog 

Use the Change Login dialog (click Change Login on the Configure Services 

Scheduler tab) to change the default scheduler login. You can also specify alternate 

credentials the scheduler service should try when it needs to execute a task on 

unmanaged clients. 

To install Management Suite agents on unmanaged clients, the scheduler service 

needs to be able to connect to clients with an administrative account. The default 

account the scheduler service uses is LocalSystem. The LocalSystem credentials 

generally work for clients that aren't in a domain. If clients are in a domain, you 

must specify a domain administrator account. 

If you want to change the scheduler service login credentials, you can specify a 

different domain-level administrative account to use on clients. If you're managing 

clients across multiple domains, you can add additional credentials the scheduler 

service can try. If you want to use an account other than LocalSystem for the 

scheduler service, or if you want to provide alternate credentials, you must specify a 

primary scheduler service login that has core server administrative rights. Alternate 

credentials don't require core server administrative rights, but they must have 

administrative rights on clients. 

When using alternate credentials for Windows 9x clients, in the Alternate Credentials 

dialog you must specify a username called "Administrator." That same account must 

exist on the server the client authenticates to. Each Windows 9x client must also 

have the User-level access control option set in the Network properties dialog's 

Access Control tab, where you can enter the Windows NT/2000/2003 server name 

the client will authenticate to. 

The scheduler service will try the default credentials and then use each credential 

you've specified in the Alternate credentials list until it's successful or runs out of 

credentials to try. Credentials you specify are securely encrypted and stored in the 

core server's registry. 

You can set these options for the default scheduler credentials: 

• Username: Enter the default domain\username or username you want the 

scheduler to use. 

• Password: Enter the password for the credentials you specified. 

• Confirm Password: Retype the password to confirm it. 

You can set these options for additional scheduler credentials: 

• Add: Click to add the username and password you specified to the Alternate 

Credentials list. 

• Remove: Click to remove the selected credentials from the list. 

• Modify: Click to change the selected credentials. 

When adding alternate credentials, specify the following: 

• Username: Enter the username you want the scheduler to use. 

• Domain: Enter the domain for the username you specified. 

• Password: Enter the password for the credentials you specified. 

• Confirm password: Retype the password to confirm it. 

54


Configuring the custom jobs service 

Use the Custom Jobs tab to configure the custom jobs service for the core server and 

database you selected using the General tab. Examples of custom jobs include 

inventory scans, client deployments, or software distributions. 

When you disable TCP remote execute as the remote execute protocol, Custom Jobs 

uses the CBA protocol by default, whether it's marked disabled or not. Also, if both 

TCP remote execute and CBA are enabled, Custom Jobs tries to use TCP remote 

execute first, and if it's not present, uses CBA remote execute. 

The Custom Jobs tab also enables you to choose options for client discovery. Before 

the custom jobs service can process a job, it needs to discover each client's current 

IP address. This tab allows you to configure how the service contacts clients. 


Custom Jobs tab 

Use this tab to set the following Custom Jobs options: 

Remote execute options: 

• Disable TCP Execute: Disables TCP as the remote execute protocol, and 

thereby uses the CBA protocol by default. 

• Disable CBA Execute / File Transfer: Disables CBA as the remote execute 

protocol. If CBA is disabled and TCP remote execute protocol is not found on 

the client, the remote execution will fail. 

• Enable Remote Execute Timeout: Enables a remote execute timeout and 

specifies the number of seconds after which the timeout will occur. Remote 

execute timeouts trigger when the client is sending heartbeats, but the job on 

the client is hung or in a loop. This setting applies to both protocols (TCP or 

CBA). This value can be between 300 seconds (5 minutes) and 86400 

seconds (1 day). 

• Enable Client Timeout: Enables a client timeout and specifies the number of 

seconds after which the timeout will occur. By default, TCP remote execute 

sends a heartbeat from client to server in intervals of 45 seconds until the 

remote execute completes or times out. Client timeouts trigger when the 

client doesn't send a heartbeat to the server. 

• Remote Execute Port (Default is 12174): The port over which the TCP 

remote execute occurs. If this port is changed, it must also be changed in the 

client configuration. 

Distribution options: 

• Distribute to clients simultaneously: The maximum number of 

clients to which the custom job will be distributed simultaneously. 

55

USER'S GUIDE 

Discovery options: 

• UDP: Selecting UDP uses a Common Base Agent 8 (CBA) ping via UDP. Most 

Management Suite client components depend on CBA, so your managed 

clients should have CBA on them. This is the fastest discovery method and 

the default. With UDP, you can also select the UDP ping Retries and 

Timeout. 

• TCP: Selecting TCP uses an HTTP connection to the client on port 9595. This 

discovery method has the benefit of being able to work through a firewall if 

you open port 9595, but it's subject to HTTP connection timeouts if clients 

aren't there. These timeouts can take 20 seconds or more. If a lot of target 

clients don't respond to the TCP connection, your job will take a while before 

it can start. 

• Both: Selecting Both has the service attempt discovery with UDP first, then 

TCP, and lastly DNS/WINS if it's selected. 

• Disable subnet broadcast: When selected, disables discovery via a subnet 

broadcast. 

• DNS/WINS: When selected, disables a name service lookup for each client if 

the selected TCP/UDP discovery method fails. 

Configuring the Multicast service 

Use the Multicast tab to configure the multicast domain representative discovery 

options for the core server and database you selected using the General tab. 


Multicast tab 

Use this tab to set the following Multicast options: 

• Use Multicast domain representative: Uses the list of Multicast domain 

representatives stored in the network view's Configuration > Multicast 

Domain Representatives group. 

• Use cached file: Queries each Multicast domain to find out who might 

already have the file, therefore not needing to download the file to a 

representative. 

• Use cached file before preferred domain representative: Changes the 

order of discovery to make Use Cached File the first option attempted. 

• Use broadcast: Sends a subnet-directed broadcast to find any client in that 

subnet that could be a Multicast domain representative. 

• Log discard period (days): Specifies the number of days that entries in the 

log will be retained before being deleted. 

56


Configuring the OS Deployment service 

Use the OS Deployment tab to designate PXE representatives as PXE holding queues, 

and to configure basic PXE boot options for the core server and database you 

selected using the General tab. 

PXE holding queues are one method of deploying OS images to PXE-enabled clients. 

You designate existing PXE representatives (located in the Configuration group in the 

network view) as PXE holding queues. For more information, see "PXE-based 

deployment" in chapter 9. 

Select and move PXE representatives from the Available proxies list to the Holding 

queue proxies list. 


OS Deployment tab 

Use this tab to assign PXE holding queue proxies (representatives), and to specify 

the PXE boot options. 

• Available proxies: Lists all available PXE proxies on your network, identified 

by client name. This list is generated when the inventory scanner detects PXE 

software (PXE and MTFTP protocols) running on the client. 

• Holding queue proxies: Lists the PXE proxies that have been moved from 

the Available proxies list, thereby designating the proxy as a PXE holding 

queue. PXE-enabled clients on the same subnet as the PXE holding queue 

proxy will be automatically added to the PXE holding queue group in the 

console's network view when they PXE boot. The clients can then be 

scheduled for an image deployment job. 

• Reset: Forces all of the PXE-enabled clients on the same subnet as the 

selected PXE representative to re-enter the PXE holding queue group in the 

console's network view. The clients can then be scheduled for an imaging job. 

(The Reset button is enabled when you select a PXE proxy in the Holding 

queue proxies list.) 

• PXE boot options: Determines how the PXE boot prompt operates when 

clients attempt to PXE boot. 

Note: Changes you make here to the PXE boot options will not take 

effect on any of your PXE representatives until you run the PXE 

Representative Deployment script on that representative. 

• Timeout: Indicates how long the boot prompt displays before timing out and 

resuming the default boot process. The maximum number of seconds you can 

enter is 60 seconds. 

• Message: Specifies the PXE boot prompt message that appears on the client. 

You can type any message you like in the text box, up to 75 characters in 

length. 

57

Chapter 2: Configuring clients 

Clients need the Management Suite agents on them to be fully manageable. Read 

this chapter to learn about: 

• Client agent security and trusted certificates 

• Creating a client setup configuration 

• Pushing a client configuration to a preexisting agent 

• Scheduling tasks 

• Using Unmanaged Device Discovery 

• Running the Client Setup wizard 

• Deploying Remote Control 

• Deploying Inventory 

• Deploying Application Healing 

• Deploying Application Policy Management 

• Deploying Bandwidth Detection 

• Deploying Custom Data Forms 

• Enabling Migration Tasks 

• Deploying Enhanced Software Distribution 

• Deploying the Local Scheduler 

• Deploying Software Monitoring 

• Deploying Targeted Multicasting 

• Deploying Task Completion 

The Client Setup wizard lets you create new setup configurations for your Windows 

clients. The new client configurations you create with the wizard can then be pushed 

to clients using the console's Scheduled Tasks window. 

To create and push a new configuration to clients, the CBA or Remote Control agent 

must be installed. Clients must be enabled for management. For more information, 

see the Installation and Deployment Guide. 

Creating client configurations for Windows NT/2000/2003/XP computers 

not enabled for management 

If you have Windows NT/2000/2003/XP clients that are part of a Windows 

NT/2000/2003/XP domain, you can push a configuration to those clients even if the 

CBA and Remote Control agents are not present. For more information, see the 

Installation and Deployment Guide. 

59

USER'S GUIDE 

Client agent security and trusted certificates 

With Management Suite 8, the certificate-based authentication model has been 

simplified. Client agents still authenticate to authorized core servers, preventing 

unauthorized cores from accessing clients. However, Management Suite 8 doesn't 

require a separate certificate authority to manage certificates for the core, console, 

and each client. Instead, each core server has a unique certificate and private key 

that Management Suite Setup creates when you first install the core or rollup core 

server. 

These are the private key and certificate files: 

• .key: The .KEY file is the private key for the core server, and it 

only resides on the core server. If this key is compromised, the core server 

and client communications won't be secure. Keep this key secure. For 

example, don't use e-mail to move it around. 

• .crt: The .CRT file contains the public key for the core server. 

The .CRT file is a viewer-friendly version of the public key that you can view 

to see more information about the key. 

• .0: The .0 file is a trusted certificate file and has content identical to 

the .CRT file. However, it's named in a manner that lets the computer quickly 

find the certificate file in a directory that contains many different certificates. 

The name is a hash (checksum) of the certificates subject information. To 

determine the hash filename for a particular certificate, view the 

.CRT file. There is a .INI file section [LDMS] in the file. The 

hash=value pair indicates the value. 

An alternate method for getting the hash is to use the openssl application, which is 

stored in the \Program Files\LANDesk\Shared Files\Keys directory. It will display the 

hash associated with a certificate using the following command line: 

openssl.exe x509 -in .crt -hash -noout 

All keys are stored on the core server in \Program Files\LANDesk\Shared Files\Keys. 

The .0 public key is also in the LDLOGON directory and needs to be there by 

default. is the certificate name you provided during Management Suite 

Setup. During Setup, it's helpful to provide a descriptive key name, such as the core 

server's name (or even its fully qualified name) as the key name (example: ldcore or 

ldcore.org.com). This will make it easier to identify the certificate/private key files in 

a multi-core environment. 

You should back up the contents of your core server's Keys directory in a safe, 

secure place. If for some reason you need to reinstall or replace your core server, 

you won't be able to manage that core server's clients until you add the original 

core's certificates to the new core, as described below. 

60

CHAPTER 2: CONFIGURING CLIENTS 

Sharing keys among core servers 

Clients will only communicate with core and rollup core servers for which they have a 

matching trusted certificate file. For example, let's say you have three core servers, 

managing 5,000 clients each. You also have a rollup core managing all 15,000 

clients. Each core server will have its own certificate and private keys, and by 

default, the client agents you deploy from each core server will only talk to the core 

server from which the client software is deployed. 

There are two main ways of sharing keys among core and rollup core servers: 

1. Distributing each core server trusted certificate (the .0 file> to clients 

and their respective core servers. This is the most secure way. 

2. Copying the private key and certificates to each core server. This doesn't 

require you to do anything to clients, but since you have to copy the private 

key, it exposes more risk. 

In our example, if you want the rollup core and Web console to be able to manage 

clients from all three cores, you need to distribute the rollup core's trusted certificate 

(the .0 file) to all clients, in addition to copying the same file to each core 

server's LDLOGON directory. For more information, see "Distributing trusted 

certificates to clients" in the next section. 

Alternatively, you can copy the certificate/private key files from each of the three 

core servers to the rollup core. This way, each client can find the matching private 

key for its core server on the rollup core server. For more information, see "Copying 

certificates/private key files among core servers" later in this chapter. 

If you want one core to be able to manage clients from another core, you can follow 

the same process, either distributing the trusted certificate to clients or copying the 

certificate/public key files among cores. 

If you are copying certificates between standalone cores (not to a rollup core), there 

is an additional issue. A core won't be able to manage another core's clients unless it 

first has an inventory scan from those clients. One way of getting inventory scans to 

another core is to schedule an inventory scan job with a custom command line that 

forwards the scan to the new core. In a multiple core scenario, using a rollup core 

and the Web console is a simpler way to manage clients across cores. Rollup cores 

automatically get inventory scan data from all clients on the cores that get rolled up 

to it. 

61

USER'S GUIDE 

Distributing trusted certificates to clients 

There are two ways you can deploy trusted certificates to clients: 

1. Deploy a client setup configuration that includes the core server trusted 

certificates you want. 

2. Use a software distribution job to directly copy the trusted certificate files you 

want to each client. 

Each additional core server trusted certificate (.0) that you want clients to 

use must be copied to the core server's LDLOGON directory. Once the trusted 

certificate is in this directory, you can select it within the Client Setup wizard's 

Authentication page. Client setup copies keys to this directory on clients: 

• Windows clients: \Program Files\LANDesk\Shared Files\cbaroot\certs 

• Mac OS X clients: /usr/LANDesk/common/cbaroot/certs 

If you want to add a core server's certificate to a client, and you don't want to 

redeploy client agents through client setup, create a software distribution job that 

copies < hash>.0 to the directory specified above on the client. You can then use the 

Scheduled Tasks window to deploy the certificate distribution script you created. 

The following is an example of a custom script that can be used to copy a trusted 

certificate from the LDLOGON directory of the core server to a client. To use this, 

replace d960e680 with the hash value for the trusted certificate you want to deploy. 

; Copy a trusted certificate from the ldlogon directory of the core 

server 

; into the trusted certificate directory of the client 

[MACHINES] 

REMCOPY0=%DTMDIR%\ldlogon\d960e680.0, %TRUSTED_CERT_PATH%\d960e680.0 

Copying certificate/private key files among core servers 

An alternative to deploying certificates (.0) to clients is to copy 

certificate/private key sets among cores. Cores can contain multiple 

certificate/private key files. As long as a client can authenticate with one of the keys 

on a core, it can communicate with that core. 

When using certificate-based remote control, target clients must be in the 

core database 

If you're using certificate-based remote control security with clients, you can only 

remote control clients that have an inventory record in the core database that you're 

connected to. Before contacting a node to launch remote control, the core looks in 

the database to ensure the requesting party has the right to view the client. If the 

client isn't in the database, the core denied the request. 

62


To copy a certificate/private key set from once core server to another 

1. At the source core server, go to the \Program Files\LANDesk\Shared 

Files\Keys folder. 

2. Copy the source server's .key, .crt, and .0 

files to a floppy disk or other secure place. 

3. At the destination core server, copy the files from the source core server to 

the same folder (\Program Files\LANDesk\Shared Files\Keys). The keys take 

effect immediately. 

Care should be taken to make sure that the private key .key is not 

compromised. The core server uses this file to authenticate clients, and any 

computer with the .key file can perform remote executions and file 

transfer to a Management Suite client. 

63

USER'S GUIDE 

Creating a client setup configuration 

Use the Client Setup wizard to create and update client and server configurations 

(such as what components are installed on clients and what network protocols the 

client agents use). 

You can create different configurations for groups' specific needs. For example, you 

could create configurations for the clients in your accounting department or for 

clients using a particular operating system. 

To push a configuration to clients, you need to: 

• Create the client setup configuration: Set up specific configurations for 

your clients. 

• Schedule the client configuration: Push the configuration to clients that 

have the CBA or Remote Control agent installed. For more information, see 

"Scheduling tasks" later in this chapter. 

To create a client configuration 

1. In the console, click Tools | Client Setup. 

2. Double-click the Add new client configuration icon. 

3. In the Client Setup wizard's Install Components page, select the components 

you want to deploy. 

4. Proceed though the pages, making changes as necessary and clicking Next. 

5. At the end of the wizard, if you want the configuration to be the default (the 

configuration LDLOGON\IPSETUP.BAT will install), click Set as default 


6. Click Finish to complete the wizard. 

64


Pushing a client configuration to a preexisting agent 

To push a configuration to a client, make sure the CBA or remote control agent is 

installed. Also, another LANDesk product may have installed CBA. You can also install 

agents to a client by using login scripts (for details, see the Installation and 

Deployment Guide). 

Before you schedule a client configuration, you may want to poll the network for 

clients running CBA so that you have a freshly discovered list. 

To push a client configuration to a preexisting agent 


2. From the shortcut menu for the client configuration you want to push, click 

Schedule. 

3. From the network view, drag the client to the Scheduled Task window. For 

unmanaged devices, drag the devices from the Unmanaged Device Discovery 

window to the Scheduled Task window. 

4. In the Scheduled Task window, double-click the task to enter a start date and 

time. Note that the time you select is relative to the core server running the 

Scheduler service. You can also specify the number of retries. 

5. When you're done, click OK. You'll see the Scheduled Task status window. 

65

USER'S GUIDE 

Scheduling tasks 

You can schedule tasks and push them to clients. The Scheduler service runs on the 

core server. Management Suite consoles and Web consoles can add tasks to the 

Scheduler. The Scheduled Tasks window shows scheduled task status and whether 

tasks completed successfully or not. You can run reports on scheduled tasks for 

detailed task status. 

You can schedule these types of tasks: 

• Client configurations 

• Distribution packages 

• Various custom scripts 

• Custom data forms 

• Unmanaged device discoveries 

Each task has an ASCII script file associated with it. The script file tells the Scheduler 

what to do. You can manage most scripts in the Manage Scripts window (Tools | 

Manage Scripts). Scripts are stored in the LDMAIN\Scripts directory. 

The Scheduler has two ways of communicating with clients: 

• Through the CBA agent (must already be installed on clients). 

• Through a domain-level system account. The account you choose must have 

the log in as a service privilege. For more information on configuring the 

Scheduler account, see "Configuring the Scheduler service" in chapter 1. 

Assigning targets to a task 

Once you've scheduled a script, you can assign targets to it. Drag targets from the 

network view. Targets can include individual clients, computer groups, and queries. 

Queries and groups are powerful options that let you have a dynamic list of clients 

that can change for recurring tasks. For example, as the client target list from a 

query changes, any tasks using that query will automatically target the new clients. 

What you see when tasks run 

The Scheduled Tasks window always shows job status. If you're scheduling client 

configurations or OS deployments, you'll also see the Client Setup Utility dialog. As 

the Scheduler proceeds through the target list, you'll see the clients to be configured, 

clients being configured, and clients completed lists. For more information, see 

"About the Client Setup Utility dialog" later in this chapter. 

If you're scheduling Targeted Multicast distributions, you'll see the Multicast Software 

Distribution Status window. This window shows multicast status. For more 

information, see "About the Multicast Software Distribution Status window" in 

Appendix C. 

In all other cases, you'll see the Custom Job Processing window showing scheduled, 

working, and completed targeted clients, in addition to a line-by-line script status as 

it executes. 

66


Applying scope to scheduled tasks 

For scheduled tasks, multiple Management Suite users can add targets to a task. 

However, in the Scheduled Tasks window, each Management Suite user will only see 

targets within their scope. If two Management Suite users with scopes that don't 

overlap each add 20 targets to a task, each Management Suite user will see only the 

20 targets they added, but the task will run on all 40 targets. 

Scheduled Tasks window 

Use the Scheduled Tasks window to configure and schedule client configurations, 

package distributions, and script tasks. Schedule items for single delivery, or 

schedule a recurring task, such as a script task to regularly search for unmanaged 

devices. 

The Scheduled Tasks window is divided into two halves. The left pane shows task 

information and the right pane shows target client information. 

Left pane 

You can drag scripts onto the Scheduled Tasks window's left pane. Once a script is in 

the left pane, you can configure targets for it by dragging clients, queries, or groups 

to the right pane. 

• Task: Shows task names. 

• Start On: When the task is scheduled to run. Double-click a task name to 

edit the start time or to reschedule it. 

• Status: Shows the overall task status. View the right pane Status and Result 

columns for more details. 

Right pane 

• Machine: Clients the task will run on. Drag these from the network view. You 

can also drag groups and queries. 

• Status: Whether a job is waiting, failed, or done. 

• Result: Messages returned by the task. 

67

USER'S GUIDE 

About the Schedule Task dialog 

Access this dialog from the Tools | Scheduled Tasks window. Select a task and click 

the Set Start Time button or double-click a task listed in the Scheduled Tasks 

window. 

Use this dialog to set the start time for the task, whether to make it a recurring task 

and how often, and what to do if the scheduled task fails to complete. 

These are the options of the Schedule Task dialog: 

• Start now: Starts the task as soon as the dialog is closed. There can be a 

delay of up to a minute before the task actually starts. 

• Start later: Starts the task at the specified time and date. 

• Time: Starts a task at the selected time. By default, this field displays the 

current time. 

• Date: Runs a task on selected date. Type the date using MM/DD/YY format, 

or click the drop-down list to pick the date off a calendar. 

• Repeat every: Schedules the task to recur periodically. Select Day, Week, or 

Month from the drop-down list to choose how often the task repeats. It 

repeats at the time set above. 

• Reschedule only failed computers: Reschedules a task only for those 

computers that failed when the task was run previously. 

• Add items from clipboard: Adds items that were selected in the network 

view and added to the clipboard. You can copy network view items to the 

clipboard by clicking Copy on their shortcut menu. 

• Number of retries: Retries the task automatically for the selected number of 

times (if the task fails to complete). Enter a value or use the spinner. 

• Wake up computers: Wakes up a powered-down computer for the selected 

task. When the task is complete, the computer shuts itself down again. This 

feature only works on computers with BIOS versions that support Wake on 

LAN technology. Don't mark this option for pull distribution packages. 

About the Select a Task dialog 

Use the Select a Task dialog (Tools | Scheduled Tasks, Schedule Script toolbar 

button) to select a task and run it. Currently, the console can include script tasks 

such as: 

• am_verifyall: Verifies all packages installed via policies on clients 

• Generic sample dir command: Uses an OS deployment script to 

demonstrate rebooting a client with a virtual disk and running a dir command. 

• inventoryscanner: Runs the inventory scanner on the selected clients. 

• multicast_domain_discovery: Does a Targeted Multicast domain 

representative discovery. For more information, see "Using Targeted Multicast 

with Enhanced Software Distribution" in chapter 6. 

• multicast_info: Runs a troubleshooting script that shows what information 

the Scheduled Tasks window will pass to Targeted Multicast, including target 

client IP addresses and subnet information. Creates a file called 

C:\MCINFO.TXT. 

• MSI Service Deployment: Deploys the MSI service required for a PXE 


68


• PXE Representative Deployment: Deploys or updates a PXE 


• PXE Representative Removal: Removes the PXE service software from a 

PXE representative. 

• Restore Client Records: Runs the inventory scanner on selected clients, but 

the scanner reports to the core the client was configured from. If you have to 

reset the database, this task helps you add clients back to the proper core 

database in a multi-core environment. 

• Uninstall Metering Client: Removes the software metering client on target 

computers. This client was used in Management Suite prior to version 8. 

To edit task options, use the Manage Scripts window (Tools | Manage Scripts). 

Before you can schedule tasks for a client, you must do these things: 

• Start the Intel Scheduler service on the core server. This service starts 

automatically when the console is properly installed. 

• Start the Intel Ping Discovery Service (PDS) on the core server and clients. 

This service starts automatically when the console is properly installed. 

• Scan the client into the core database. When you originally configure a client, 

diagnostic information is scanned and automatically registered in the core 

database. 

The console includes scripts that you can schedule to perform routine maintenance 

tasks such as running inventory scans on selected computers. You assign the scripts 

from the Scheduled Tasks window and schedule them like any other task. 

Scripts are Windows .INI files that you can edit with any text editor and are stored in 

the \Program Files\LANDesk\ManagementSuite\Scripts directory on your core server. 

If you need to change the options in a script task, open the appropriate script and 

follow the instructions contained within it. 

To schedule a script 

1. In the Manage Scripts window, click Scripts > My Scripts or All Other 

Scripts, and the script you want to distribute. 

2. Click the Create Task button. This displays the Scheduled Tasks window 

with the script you selected. 

3. In the network view, locate the clients you want to update, then drag and 

drop their icons into the right pane of the Scheduled Tasks window 

4. From the Scheduled Tasks window, click the Set Start Time toolbar button 

to display the Schedule Task dialog. 

5. Set the timing options you want. Click Start Now and OK if you want to start 

the client update as soon as possible. 

69

USER'S GUIDE 

Configuring local scheduler scripts 

The local scheduler is a service that runs on client computers. You can install it 

through client setup. Usually the local scheduler handles Management Suite tasks, 

such as running the inventory scanner periodically. Other tasks that you schedule, 

such as software or OS deployments, are handled by the core server rather than the 

local scheduler. You can use the local scheduler to schedule your own tasks to run 

periodically on clients. Once you create a local scheduler script, you can deploy it to 

clients by using the Scheduled Tasks window. 

The local scheduler assigns each task an ID number. Local scheduler scripts have an 

ID range that is different from the default local scheduler scripts that Management 

Suite uses. By default, you can only have one custom scheduler script active on each 

client. If you create a new script and deploy it to clients, it will replace the old script 

(any script in the custom local scheduler ID range) without affecting the default local 

scheduler scripts, such as the local inventory scan schedule. 

These options are available in the Local Scheduler Command dialog: 

• Command: Enter the program you want to run locally. Include the full path 

to the program or make sure the program is in a folder that's in the client's 

path. This path must be the same on all clients you deploy this script to. 

• Parameters: Enter any command-line parameters you want passed to the 

program. 

• Frequency: If you want the task to recur, select the repeat interval. 

• IP address changed: Check this option if you want the task to run only if 

the client's IP address changes. Use this option to trigger an inventory scan 

when the IP address changes, keeping the IP address in the Management 

Suite database synchronized. 

• User is logged on: Check this option to run the task only when the user is 

logged on. 

• Bandwidth: Check this option to specify the minimum network bandwidth for 

the task to run (either RAS, WAN, or LAN). You also need to specify the 

computer that will be the target for the bandwidth test between the target 

and client. 

• Start time: Check this option to specify a date and time after which the task 

will be active. If you don't specify any other options, the task will run once at 

the start time you specify. 

• Hour of day: Check this option to specify a time range for the task to run. 

• Day of week: Check this option to specify a day-of-the-week range for the 

task to run. 

• Day of month: Check this option to specify a day-of-the-month range for the 

task to run. 

When selecting schedule options, don't be so restrictive that the task criteria are 

infrequently met, unless that's your intention. For example, while configuring a task, 

if you select Monday as the day of the week and 17 as the day of the month, the 

task will only execute on a Monday that's also the 17th of the month, which happens 

very infrequently. 

70


To configure a local scheduler command 

1. In the Managed Scripts pane (Tools | Managed Scripts), create a New Local 

Scheduler Script. 

2. Enter a Script name. 

3. Click Add to define the script options. 

4. Configure the local scheduler options as described earlier. 

5. Click Save to save your script. 

6. Use the Scheduled Tasks pane to deploy the script you created to clients. 

Understanding bandwidth options 

When configuring local scheduler commands, you can specify the minimum 

bandwidth criteria necessary for the task to execute. The bandwidth test consists of 

network traffic to the computer you specify. When the time comes for the task to 

execute, each client running the local scheduler task will send a small amount of 

ICMP network traffic to the computer you specify and evaluate the transfer 

performance. If the test target computer isn't available, the task won't execute. 

You can select these bandwidth options: 

• RAS: The task executes if the client's network connection to the target 

computer is at least RAS or dialup speed. Selecting this option generally 

means the task will always run if the client has a network connection of any 

sort. 

• WAN: The task executes if the client's connection to the target computer is at 

least WAN speed. LAN speed is defined as 262,144 bps by default. 

• LAN: The task executes when the client's connection to the target computer 

exceeds the LAN speed setting. 

71

USER'S GUIDE 

Using Unmanaged Device Discovery 

Unmanaged Device Discovery (UDD) is new with Management Suite 8. UDD finds 

clients on your network that haven't submitted an inventory scan to the Management 

Suite core database. UDD has multiple ways of finding unmanaged clients. 

• CBA discovery: Looks for the LANDesk CBA agent on computers. This option 

discovers computers that have Management Suite, LANDesk Client Manager, 

LANDesk System Manager, and so on. 

• Network scan: Looks for computers by doing an ICMP ping sweep. This is 

the most thorough search, but also the slowest. You can limit the search to 

certain IP and subnet ranges. By default this option uses NetBIOS to try and 

gather information about the device. You also have an IP FingerPrint option, 

where UDD tries to discover the OS type through TCP packet responses. The 

IP FingerPrint option slows down the discovery somewhat. 

• Windows NT domain: Looks for clients in a domain you specify. Discovers 

members whether the computer is on or off. 

• LDAP directory: Looks for clients in a directory you specify. Discovers 

members whether the computer is on or off. 

To automate unmanaged client discovery, you can schedule discoveries to occur 

periodically. For example, you could divide your network into thirds and schedule a 

ping sweep for one third each night. 

If you schedule a discovery, the core server does the discovering. Unscheduled 

discoveries happen from the console that starts it. 

To discover unmanaged devices 

1. In the Unmanaged Device Discovery window (Tools | Unmanaged Device 

Discovery), click the Scan Network button. 

2. Select the discovery type you want. 

3. Enter a starting and ending IP range for the scan. You must enter a range for 

CBA Discovery or Network Discovery to work. The range is optional for NT 

Domain and LDAP. 

4. Enter a Subnet mask. 

5. Click the Add button to add the scan you just configured to the task list. 

6. In the task list at the bottom of the dialog, select the scans you want to run 

and click the Scan Now button to scan immediately, or the Schedule Task 

button to run the scans later or on a recurring schedule. The Scan Now and 

Schedule Task buttons only run scans you've added to the task list and that 

are selected. 

7. Watch the Scan Status dialog for scan status updates. When the scan 

finishes, click Close in the Scan Status and Scanner Configuration dialogs. 

8. Click Computers in the UDD tree to view the scan results. 

72


Configuring Windows NT domain discovery 

UDD's Windows NT domain discovery option won't work unless you configure the 

Scheduler service to log in to the domain with a domain administrator account. 

To configure the Scheduler login account 

1. Click Configure | Services and click the Scheduler tab. 

2. Click Change Login. 

3. Enter a domain administrator username and password. 

4. Click OK 

5. Restart the Scheduler service so the change takes effect. On the Scheduler 

tab, click Stop, and once the service has stopped click Start. 

What happens when UDD finds an unmanaged device 

When UDD finds an unmanaged device for the first time, it tries to identify the device 

type so it can add the device to one of these four categories: 

• Computers: Contains computers 

• Infrastructure: Contains routers and other network hardware 

• Other: Contains unidentified devices 

• Printers: Contains printers. 

These four categories help keep the UDD list organized so you can more easily find 

the devices you're interested in. You can sort the device lists by any column heading 

when you click on a heading. UDD may not categorize devices correctly every time. 

You can easily drag misidentified devices to the correct group. 

UDD tries to discover basic information about each device. 

• Device name: The discovered device name, if available. 

• IP address: The discovered IP Address. UDD always shows this. 

• Subnet mask: The discovered subnet mask. UDD always shows this. 

• OS description: The discovered OS description, if available. 

• MAC address: The discovered MAC address, usually returned if the device 

has CBA, NetBIOS, or if the device is on the same subnet as the core server 

or console that's doing the discovery. 

• Group: The UDD group the device belongs to. 

• CBA: Shows whether the device has CBA on it. "Y" in the column means yes 

and "N" means no. You can deploy the Management Suite client directly to 

devices that have CBA loaded. 

• All Users: Users logged in at the device being scanned, if available. 

• Group/Domain: The group/domain the device is a member of, if available. 

• First Scanned: The date UDD first scanned this device. 

• Last Scanned: The date UDD last scanned this device. This column helps you 

find unmanaged devices that may not be on the network any more or that 

were recently found. 

• Times Scanned: The number of times UDD scanned this device. 

73

USER'S GUIDE 

Depending on the device, UDD may not have information for all columns. When UDD 

finds a device for the first time, it looks in the core database to see if that device's IP 

address and name are already in the database. If there's a match, UDD ignores the 

device. If there isn't a match, UDD adds the device to the unmanaged device table. 

Devices in the unmanaged table don't use a Management Suite license. A device is 

considered managed once it sends an inventory scan to the core database. You can't 

drag devices from UDD into the main console network view. Once unmanaged 

devices submit an inventory scan, they'll be removed from UDD and added to the 

network view automatically. 

If there's a discovered device that doesn't have all of its columns populated, you can 

select the device and click Do IP Fingerprint. UDD will send a series of packets to 

the device, and based on the response, try to identify more information about the 

device. Depending on the device and its OS type, IP Fingerprint can find varying 

degrees of information. 

You can create groups to further categorize unmanaged devices. If you move a 

device to another group, UDD will leave that device in that group if UDD detects the 

device again later. By keeping the main Computers group organized and by moving 

devices you know you won't be managing with Management Suite into subgroups or 

other categories, you can easily see new devices in the Computers group. If you 

delete a group that contains devices, UDD moves the devices to the Other group. 

You can quickly find devices matching search criteria you specify by using the Find 

toolbar field. You can search for information in a particular column, or in all columns. 

Search results appear in the Find Results category. For example, use Find to group 

unmanaged computers that have CBA by searching for "Y" in the CBA field. 

You can also create an AMS alert when UDD finds unmanaged devices. In AMS, the 

alert name to configure is Unmanaged device found. 

Deploying to unmanaged devices 

You can deploy Management Suite agents to unmanaged devices in one of these 

ways: 

• Push-based deployments using Scheduled Tasks and a domain administrative 

account you've configured for the Scheduler. Works for Windows 

NT/2000/2003/XP clients. 

• Push-based deployments using CBA. If the clients have CBA, you can do a 

push-based deployment. 

• Pull-based deployment using a login script. 

For more information on deploying clients, see Phase 4 in the Installation and 

Deployment Guide. 

74


When organizing clients for agent deployment, you may find it easier to sort the 

unmanaged device list by CBA to group for CBA client deployments and to sort by 

domain for Scheduled Task deployments. 

When deploying to Windows XP clients 

Windows XP's default setting forces network logins that use a local account to log in 

using the guest account instead. If you aren't using a domain-level administrative 

account and are using a local account for the Scheduler service, scheduled tasks will 

fail because the Scheduler service won't be able to authenticate. For more 

information, see "Phase 4: Deploying the primary agents to clients" in the 


To deploy agents to unmanaged devices 

1. Click Tools | Client Setup and create a new configuration or use an existing 

one. From that configuration's shortcut menu, click Schedule. 

2. Click Tools | Unmanaged Devices, and select the devices you want to 

deploy to. Drag the devices onto the Scheduled Tasks window. If the 

Scheduled Tasks window is a minimized tab, you can drag devices onto the 

Scheduled Tasks tab, which opens the Scheduled Tasks window. 

3. If the devices don't have CBA, click Configure | Services, and click the 

Scheduler tab. Make sure the Scheduler account is one that will have 

administrative privileges on the devices you're deploying to. 

4. Double-click the deployment script and set a start time. Click OK when you're 

done. 

5. Watch the Scheduled Tasks window for updates. 

Restoring client records 

Should you ever reset your core database and need to restore client data, you can 

use UDD to discover all clients on the network. You can then use the discovery 

results as the target for the "Restore client records" scheduled task. If the clients 

have the CBA agent on them, this task has the clients send a full inventory scan to 

the core database that each client is locally configured for. The result of this task is 

those clients that have already configured will be rescanned backed into the 

database and the clients will still be pointing to their correct managing core server. 

The task will fail on clients that haven't been managed by a core server. 

To restore client records 

1. Use UDD to discover unmanaged devices, as described earlier. 

2. Click Tools | Scheduled Tasks. 

3. In the Scheduled Tasks pane, click the Schedule Script button. 

4. Click Restore Client Records and click OK. 

5. From the UDD Find Results tree, drag the computers you want restored to the 

Scheduled Tasks right pane. 

6. Double-click the script and set a start time. Click OK when you're done. 

7. Watch the Scheduled Tasks window for updates. 

75

USER'S GUIDE 

About the Scanner Configuration dialog 

Use the Scanner Configuration dialog (Tools | Unmanaged Device Discovery, 

Scanner Configuration button) to customize and do unmanaged device scans. 

• Saved Configurations: Shows the saved scanner configurations. Save a 

configuration by changing the settings you want, clicking New, naming the 

configuration, and with your new configuration selected, clicking Save. 

• CBA discovery: Discovers clients with the CBA agent running. If your clients 

have CBA, this is the fastest discovery method. 

• PDS2 discovery: Discovers devices using the older LANDesk PDS2 

agent. You can only select this option if you select CBA discovery 

first. 

• Network scan: Discovers devices using an ICMP ping sweep. This is the 

most thorough and slowest discovery method. 

• IP FingerPrint: Discovers device information where possible, such as 

OS type, logged in user, domain, and so on. Depending on the 

discovered device type and OS, UDD may find varying degrees of 

information. This option slows discovery somewhat, as UDD sends 

specially formed packets to discovered devices and analyzes the 

responses. 

• NT domain: Discovers devices in a Windows NT domain. This option uses the 

NT domain account information and doesn't require an IP address range, 

though you can specify one. Selecting this option and clicking Configure 

shows the NT Domain Configuration dialog where you can customize the NT 

domain discovery settings. 

• Filter by IP range (for both NT domain and LDAP): Filters NT domain and 

LDAP discovery by the IP ranges specified in Starting IP and Ending IP. 

• LDAP: Discovers devices in an LDAP directory. Selecting this option and 

clicking Configure shows the LDAP Configuration dialog where you can 

customize the LDAP discovery settings. 

• Starting IP: Enter the starting IP address for the range of addresses you 

want to scan. 

• Ending IP: Enter the ending IP address for the range of addresses you want 

to scan. UDD automatically updates this field as you type the Starting IP, 

but you can change the ending IP address manually. Ending IP is calculated 

using the value of Subnet mask + what is typed in Starting IP. 

• Subnet mask: Enter the subnet mask for the IP address range you're 

scanning. 

• Add and Remove: Adds or removes your IP address ranges from the work 

queue at the bottom of the dialog. 

• Schedule task: Schedules the scan based on your settings. You can 

customize the start time in the Scheduled Tasks window. Scheduled scans 

originate from the core server. 

• Scan now: Starts the scan immediately based on your settings. Scans 

started here originate from the console you're at. Once you start the scan, a 

Scan Status dialog appears showing the total number of devices found, how 

many existing devices were updated, and how many new unmanaged devices 

were added. 

76


About the NT Domain Configuration dialog 

Use this dialog to configure how you connect to the domain you want to scan. 

• Domain: Enter the domain you want to scan. 

• Logon as current user: Select this if you're logged in as a user with access 

to the domain you're scanning. 

• Logon as: Select this if you aren't logged in as a user with access to the 

domain you're scanning. Also enter a User name and a Password. 

• Add and Remove: Add each domain you configure and want to scan to the 

work queue by clicking Add. Click Remove to delete the selected domain 

from the work queue. 

About the LDAP Configuration dialog 

Use this dialog to configure how you connect to the LDAP directory you want to scan. 

• LDAP://: Enter the LDAP directory you want to scan. 

• Logon as current user: Select this if you're logged in as a user with access 

to the directory you're scanning. 

• Logon as: Select this if you aren't logged on as a user with access to the 

directory you're scanning. Also enter a User name and a Password. 

• Select individual OUs: Select the OUs that you want to scan. Click Add to 

add them to the work queue. Click Remove to delete the selected OU from 

the queue. 

• Active Directory Path: Shows the Active Directory path, if applicable. 

77

USER'S GUIDE 

Using LANDesk Server Manager and LANDesk 

System Manager with LANDesk Management 

Suite 

Server Manager and System Manager are available separately from LANDesk 

Software and integrate with Management Suite. Management Suite includes one 

server license and as many client licenses as you purchased. If you install 

Management Suite agents on a server operating system, Management Suite requires 

an additional server license for each server. Server Manager adds Management Suite 

server licenses, in addition to Server Manager-specific features for managed servers. 

System Manager helps you manage clients on your network and troubleshoot 

common computer problems before they become serious. If you have clients on your 

network that you're already managing with System Manager, you can use 

Management Suite's System Manager integration to manage these computers from 

the Management Suite console. 

Deploying Server Manager and System Manager to clients 

Once you install Server Manager and/or System Manager on your core server, there 

will be two configuration icons available in the Client Setup window: an Add server 

configuration icon and an Add client configuration icon. The options and defaults 

for each type of configuration vary slightly depending on which one you choose. 

• The Add server configuration option can install the server version of the 

System Manager client and a version of remote control that runs at the 

application level rather than the driver level. Running at the application level 

helps prevent a remote control problem that might crash your server, though 

its performance is slightly slower. The System Manager-specific options in this 

client setup type are System Manager (Server) and Remote Control for 

Servers. 

• The Add client configuration option can install the client version of System 

Manager in addition to all of the other Management Suite components. The 

System Manager-specific options in this client setup type are System 

Manager for desktop clients and System Manager Mobile Support for 

mobile clients. 

The System Manager agents require a client reboot before they will work. If you 

install System Manager agents, client setup will prompt clients to reboot after it 

finishes. 

System Manager for Servers will only install on a server operating system, and 

System Manager will only install on a client operating system. If you deploy a server 

configuration to a client operating system or a client configuration to a server 

operating system, client setup will report success, and all other components will 

install except the System Manager components you selected. 

For more information on deploying client setup configurations, see the Installation 

and Deployment Guide. 

78


Working with Server Manager and System Manager clients 

Once you have System Manager clients on your network, you can manage them from 

the Management Suite console. Clicking Tools | System Manager Administration 

shows the System Manager Administration window, where you can manage Server 

Manager and System Manager clients. 

You can check to see if the System Manager agent is on a client by selecting a client 

and from its shortcut menu clicking Properties and the Agents tab. 

If you select a System Manager client in the console's network view, from that 

client's shortcut menu you can click System Manager to show a separate window 

that manages just the client you selected. 

79

USER'S GUIDE 

Running the Client Setup wizard 

The Client Setup wizard (Tools | Client Setup) is where you customize clients 

configurations. Use this wizard to specify the components you want to install and the 

options for those components. You can create as many client configurations as you 

want. Only one configuration can be the default. 

Note: If you use the Client Setup wizard to create a new default client configuration, 

be aware that all clients who log in to the core server using login scripts will be 

automatically reconfigured with the new default configuration settings the next time 

they log in, even if their current settings match the new default settings. 

Changes made to the default client configuration on the core server are not 

automatically perpetuated to any other client deployment service centers currently 

installed. You must reinstall those client deployment service centers to update their 

default settings to match the core server. 

The following sections describe the Client Setup wizard pages. 

About the Client Setup wizard: Install Components page 

The Client Setup wizard: Install Components page contains the following features: 

• Configuration name: The name of this configuration settings file. This name 

appears on the settings file icon in the Client Setup window. 

• Application Healing: Automatically keeps configured applications running on 

clients. Use this to protect critical or commonly-used applications. 

• Application Policy Management: Automatically installs a set of applications 

on groups of clients. Use this to manage groups of clients that have common 

software needs. 

• Bandwidth Detection: Enables bandwidth detection between clients and the 

core server. You can limit Management Suite actions, such as Software 

Distribution, based on available bandwidth. Use this option if you have remote 

clients or clients that connect to the network via a slow link. 

• Common Base Agent: Installs the CBA that forms the basis of 

communication between clients and the core server. Most components require 

the Common Base Agent. 

• Custom Data Forms: Presents a form to users for them to complete. You 

can query the core database for the data users enter. Use this to retrieve 

customized information from users directly. 

• Enable Migration Tasks: Selects the components necessary for OSD and 

Profile Migration: Bandwidth Detection, Common Base Agent, and Enhanced 

Software Distribution. 

• Enhanced Software Distribution: Automates the process of installing 

software applications or distributing files to clients. Use this to install 

applications simultaneously to multiple clients or to update files or drivers on 

multiple clients. 

• Inventory Scanner: Gathers software and hardware information for clients 

that you can view through database queries. Use this to record detailed 

inventory information about all clients. 

80


• Local Scheduler: Allows Application Policy Management and Task 

Completion to be run on clients at specified times. Use this if you don't want 

the Application Policy Management or Task Completion agents to run at login 

or if you want the agents to run more/less frequently. 

• Remote Control: Lets you take control of a client or server from across the 

network. Minimizes the time it takes to resolve customer issues from a 

centralized help desk. Use this to provide remote management of clients 

across the LAN/WAN. 

• Software Monitoring: Monitors and reports on software license usage. 

• Targeted Multicasting: Adds Targeted Multicast support for ESWD, 

Application Policy Management, Application Healing, OSD, and so on. 

• Task Completion: Checks with the core server to see if there are any tasks 

the client needs to run. Use this with intermittently connected clients such as 

mobile users to make sure they get scheduled tasks. 

If you install LANDesk Server Manager or LANDesk System Manager (both available 

separately) you may see these additional options: 

Additional server configuration options 

• System Manager (Server): Installs the Server Manager agents on the 

server so you can do real-time health monitoring, alerting, and historical data 

collection. 

• Remote Control for Servers: Installs a special application-level version of 

remote control for extra reliability. By running remote control at the 

application level instead of the driver level, the server won't be as vulnerable 

to remote control problems. 

Additional client configuration options 

• System Manager: Installs the System Manager agents on clients so you can 

do real-time health monitoring, alerting, and so on. 

• System Manager Mobile Support: Installs the System Manager agent for 

Mobile clients. 

Deploying remote control 

When deploying remote control, you need to consider which security model you want 

to use. You have these choices: 

• Local template: This is the most basic security that uses whatever remote 

control settings are specified on the client. This model doesn't require any 

other authentication or group membership. 

• Windows NT security/local template: This security model uses a Windows 

NT Remote Control Operators group. Members of this group are allowed to 

remote control clients. Permitted users still use the client's remote control 

settings, such as permission required. 

• Certificate-based/local template: This is the most secure option and is 

new to Management Suite 8. It's also known as on-demand secure remote 

control and is described in the next section. 

81

USER'S GUIDE 

Warning: Windows XP clients must disable the Internet Connection Firewall 

for remote control to work 

If clients turn on the Windows XP Internet Connection Firewall, you won't be able to 

remote control them. 

About on-demand secure remote control 

LANDesk Management Suite 8 introduces a new on-demand secure remote control 

(certificate-based/local template) that you can use. This new remote control 

improves on the prior version in these ways: 

• Remote consoles authenticate with the core server. 

• The remote control agent on a client loads on-demand once a remote control 

session is authorized by the core. 

• All remote control authentication and traffic is encrypted over an SSL 

connection. 

• Once remote control finishes with a client, the remote control agent unloads. 

Here's an outline of the remote control communication flow: 

1. The Management Suite console asks the core server for permission to remote 

control the specified client. 

2. If the console/user is authorized to remote control the specified client, the 

core server tells the client to load the remote control agent with a randomly 

generated set of authentication credentials. 

3. The core server passes the authentication credentials to the console. 

4. The console authenticates to the client with the authentication credentials and 

remote control begins. 

Warning: On-demand remote control requires the core server 

With on-demand remote control, if the core server isn't available, consoles won't be 

able to remote control clients. On-demand remote control requires the core server to 

work. 

Using Windows NT security/local template with Windows XP clients 

For Windows NT security/local template authentication to work with Windows XP 

clients, you must configure clients so that the Windows XP sharing and security 

model for local accounts is classic (local users authenticate as themselves). If you 

don't do this, the default guest-only authentication won't work with remote control's 

Windows NT security. 

To set the Windows XP security model to classic 

1. On the Windows XP client, click Start | Control Panel. 

2. In the Administrative Tools, Local Security Policy applet, click Security 

Options > Network access: Sharing and security model for local 

accounts, and set it to Classic - local users authenticate as themselves. 

82


About the Client Setup wizard: Authentication page 

The Client Setup: Authentication page always appears. If you didn't check Remote 

Control on the Install Components page, the template options are dimmed. It 

contains the following features: 

• Trusted Certificates: Select the core server certificates you want clients to 

accept. Clients will only communicate with cores and consoles they have 

certificates for. For more information on certificates and copying them from 

other core servers so you can select them here, see "Client agent security and 

trusted certificates" earlier in this chapter. 

• Local template: Uses only the local client simple permissions and 

authentication set from the Remote Control Settings page of this wizard. 

• Windows NT security\local template: Only allows members of the Remote 

Control Operators group to initiate remote control connections from the 

console to remote clients. Permitted users are still required to use the 

permissions set from the Remote Control Settings page of this wizard. 

Since the Remote Control Operators group is a local group, each client has its 

own copy of the group. To avoid managing each client's Remote Control 

Operators group individually, include global (domain level) groups with each 

local group. 

Permitted users still use the client's remote control settings, such as 

permission required. 

• Certificate-based\local template: Communication between the console 

and remote clients is authenticated using the core server; only consoles 

authenticated from the same core server can use remote control functions for 

these clients. Select the certificates you want to allow in the Trusted 

Certificates list. Permitted users are still required to use the permissions set 

from the Remote Control Settings page of this wizard. This option is also 

known as on-demand secure remote control, as described earlier in this 

chapter. 

Adding users to the Remote Control Operators Group 

If you select Windows NT security/local template as your security model, the 

Add to Remote Control Operators Group dialog lists the users for the console or for 

the selected Windows NT domain. The users you select here have remote control 

access to the clients that receive the settings defined in this configuration settings 

file. 

This dialog is accessed only from the Client Setup wizard in the Client Setup window. 

To choose from an existing server or domain 

1. In the List names from combo box, select either the core server name or a 

Windows NT domain name containing user accounts. 

2. In the Names box, select one or more users and click Insert to add them to 

the Inserted names list. 

3. Click OK to add the selected names to the Remote Control Operators group 

on each client that receives these configuration settings. 

83

USER'S GUIDE 

To manually enter names 

You can enter names manually by clicking in the Inserted Names list and using any 

of the following formats to enter names. Use semicolons to separate names. 

• DOMAIN\username where DOMAIN is the name of any domain accessible 

to the target client. 

• MACHINE\username where MACHINE is the name of any client in the same 

domain as the target client. 

• DOMAIN\groupname where DOMAIN is the name of any domain accessible 

to the target client, and groupname is the name of a management group in 

that domain. 

• MACHINE\groupname where MACHINE is the name of any client in the 

same domain as the managed node, and groupname is the name of a 

management group on that client. 

If you don't specify a domain or client name, it is assumed that the user or group 

specified belongs to the local client. 

Click OK to add the names to the Remote Control Operators group on the target 

client. 

About the Client Setup wizard: Remote Control settings page 

The Client Setup: Remote Control page appears if you checked Remote Control on 

the Install Components page. It contains the following features: 

• Permission required: Requires the console user to receive permission from 

the client before any kind of remote access is granted. 

• Ask for all allowed permissions at one time: Prompts user once for 

session permissions. Normally with permission required, the user has to 

permit remote control, chat, file transfer, and so on individually. This option 

gives permission for all remote control-related options for the duration of a 

session. 

• Display client messages: Agent error messages appear on the screen. 

Otherwise, errors are written to the event log. 

• Beep when remote control is established: Sounds an alert every 10 

seconds while the client is being remote controlled. 

• Allow clients to change settings: Adds a Remote Control Settings icon to 

the clients' Start | Programs | LANDesk Management program group. Clients 

can use this program to customize their remote control options. 

• Compress data: Substantially decreases the amount of network bandwidth a 

remote control session requires. 

• Floating Desktop Icon (remote control indicator): Displays the Remote 

Control Agent icon on the client screen at all times or only when being 

remotely controlled. When being controlled by the console, the icon changes 

to show a magnifying glass and the icon's titlebar turns red. 

• System Tray icon (remote control indicator): Places the Remote Control 

Agent icon in the system tray. Again, the icon can be visible all the time or 

only while being remotely controlled. 

84


Permission required while logged in 

When you enable the Remote Control permission required setting through Client 

Setup or the EDITINI file, you can't remote control another Windows NT or Windows 

2000/2003/XP computer until the user lets you. If no one is logged in at the client 

you are trying to remote control and the permission required setting is active, no one 

is around to give you permission. 

To address this problem, there is an additional Permission Required setting type that 

requires permission only when someone is logged in. This setting requires you to 

manually change the NTSTACFG.INI file in your LDLOGON directory and then rerun 

WSCFG32.EXE on clients that should have the new permission required setting. 

To change the setting in the NTSTACFG.INI file, open it and search for the 

Permission Required entry, then change it from its current value (0 or 1) to 2. 

About the Client Setup wizard: Remote Control page 

The Client Setup: Remote Control page appears if you checked Remote Control on 


• Remote control: Grants permission to control the client. 

• Reboot: Grants permission to reboot the client. 

• Chat: Grants permission to chat with the client. 

• File transfer: Grants permission to transfer files to and from the client's local 

drives. 

• Remote execute: Grants permission to run programs on the client. 

You can also add members to the Remote Control Operators group on target 

Windows NT or Windows 2000/2003 clients. These are the users that can use the 

console to remote control the target clients when you enable the Windows NT 

security/local template option in the Authentication page. 

Click Add to open a dialog where you specify members of the Remote Control 

Operators group on Windows NT/2000/2003 clients. 

To remove a name from the list, select it and click Remove. 

85

USER'S GUIDE 

Deploying Inventory 

About the Client Setup wizard: Inventory Scanner page 

The Client Setup: Inventory Scanner page appears if you checked Inventory Scanner 

on the Install Components page. It contains the following features: 

• Manual update: The software list used to exclude titles during software 

scans is loaded down to each remote client. Each time the software list is 

changed from the console, you must manually resend it to remote clients. 

• Automatic update: Remote clients read the software list from the core 

server during software scans. If this option is set, each client must have a 

drive mapped to the LDLOGON directory on the core server so they can 

access the software list. Changes to the software list are immediately 

available to clients. 

• Update using HTTP: Beginning with Management Suite 8, the 

inventory scanner can use HTTP for LDAPPL3.INI file transfers. This 

allows the scanner to support Targeted Multicast features like polite 

bandwidth and peer download. Peer download allows clients needing 

LDAPPL3.INI updates to check with the core server for the latest 

version's date, then broadcast to peers on their subnet to see if a peer 

has the update in its multicast cache. If a peer has the update, the file 

transfer happens on the local subnet without generating network 

traffic across routers or WAN links. 

• Start inventory scanner in: The drop-down list beside this option allows 

you to select from in startup group, between hours of, and manually 

from client. If you start the inventory scanner from the startup group, the 

scanner will run each time the user logs in. If you have users run the scanner 

manually, they can launch it from Start | Programs | LANDesk 

Management | Inventory Scan. 

Using the inventory scanner's between hours of option 

If you select the inventory scanner's between hours of option, you can specify an 

hour range using 24-hour military time. If a client logs in during the time range you 

specify, the inventory scan runs automatically. If the client is already logged in, once 

the starting hour arrives the inventory scan starts automatically. This option is useful 

if you want to stagger inventory scans on clients so they don't send scans all at 

once. 

86


About the Client Setup wizard: Inventory Scanner (scope) page 

To implement role-based administration, Management Suite uses device scope to 

control which clients a user can see and manage. An administrator creates scopes 

and assigns them to users. Scopes can be based on: 

• Database queries: Controls access to only those clients that match a custom 

query search. 

• LDAP directories: If you have an Active Directory or Netware eDirectory 

LDAP-compliant structure, you can use these directory locations to define 

scope. 

• Custom directories: If you don't have an Active Directory or NetWare 

eDirectory LDAP-compliant structure, or you want to use a custom directory 

location, enter a directory path on this page of the wizard. When a client is 

configured, the path you enter here determines the client's Computer 

Location attribute value. 

When the inventory scanner is run on a client, it records the client's Computer 

Location attribute. If you entered a custom directory path in that client's Client Setup 

configuration, that path is the location the scanner records. If you left the custom 

directory path blank, the scanner tries to populate the inventory attribute with the 

client's Active Directory or NetWare eDirectory location. If neither a custom directory 

or an LDAP-compliant directory is found, the Computer Location attribute is not 

defined. However, the client can still be accounted for in query-based scopes. 

The Client Setup wizard scope page uses a path format that's similar to a file path, 

but with forward slashes as separators. If you want to use custom directory-based 

scopes, decide how you want to categorize your nodes for management. You might 

do it by geography, office, or organizational group. 

Directory location paths you enter here as part of a client configuration are added to 

the clients' registry under: 

HKLM\Software\Intel\LANDesk\Inventory\ComputerLocation 

For more information on scopes, see "Role-based administration" in chapter 1. 

Deploying Application Healing 

The Application Healing agent automatically repairs applications on the client that no 

longer run as a result of files being accidentally deleted or corrupted. With 

Application Healing, you can configure Management Suite to heal applications you 

specify. 

Application Healing requires the Common Base Agent and Enhanced Software 

Distribution components. 

When you select Application Policy Management or Application Healing agents, you'll 

also see a Client Status TCP Port page. This is the port clients use to communicate 

status to the core server. By default, this port is 12175. 

87

USER'S GUIDE 

About the Client Setup wizard: Application Healing page 

The Client Setup: Application Healing page appears if you checked Application 

Healing on the Install Components page. It contains the following features: 

• Disable Application Healing (alerts still enabled): Enables Application 

Healing AMS alerts but disables the healing process. Use this if you want to 

find out what applications aren't running correctly on your clients. When an 

application fails, AMS alerts you configure will trigger, but nothing else 

happens on the client. 

• Dialog timeout: Specifies in seconds how long the client dialog should wait 

for a response before healing a broken application. This value is useful when 

there isn't anyone at the client and you want healing to happen. 

• Healing delta: Specifies in seconds how long the Application Healing agent 

should wait to repair an application before trying to repair it again. This value 

is important if Application Healing can't repair an application for some reason. 

You don't want Application Healing to get stuck in a repair loop on a client. 

• Hide all feedback from user: When selected, installs the package silently in 

the background, as long as the package wasn't originally created with any 

user interface customizations. 

• Allow alternative package location: When selected, gives the option to 

specify an alternative repair package location when repairs need to be made. 

Alternative package locations are useful for mobile users not connected to the 

network that are using a CD containing repair packages. 

• Allow user to delay repair: When selected, allows users to delay repairs. 

• Allow user to cancel: When selected, allows users to cancel repairs that are 

in progress. Enabled by default. 

• Display background screen: When selected, the Application Healing agent 

uses a blue background splash screen while healing is in progress. 

About the Client Setup wizard: Application Repair Lists (ARLs) page 

The Client Setup: Application Repair Lists (ARLs) page appears if you checked 

Application Healing on the Install Components page. It contains the following 

features: 

• Available ARLs to send: If you've already configured Application Healing to 

heal applications as described in the User's Guide, you'll have ARL files you 

can deploy to clients at the same time you deploy agents. If you haven't 

configured Application Healing yet, you can deploy the agents without the ARL 

files. Application Healing won't be active until clients have the agent and ARL 

files on them. 

88


Deploying Application Policy Management 

The Application Policy Management (APM) agent enables you to automatically install 

sets of applications on groups of clients. Use this agent to manage groups of clients 

that have common software needs. APM requires the Common Base Agent and 

Enhanced Software Distribution agents. 

In order for clients to receive policies that are targeted through Active Directory or 

NetWare Directory Services, they have to be configured to log in to the directory. 

This means that they need to have all the correct client software installed, and they 

need to actually log in to the correct directory so that their fully distinguished name 

will match the name that was targeted through Directory Manager and Application 

Policy Manager. 

Windows 95/98 clients need to be configured to log in to the domain where the 

Active Directory resides. Windows NT and Windows 95/98 don't include Active 

Directory support. You must install Active Directory support on clients that log in to a 

directory and require Application Policy Management. As of this printing, more 

information on installing Active Directory client support was available here: 

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi 

on.asp 

About the Client Setup wizard: Application Policy Management page 

The Client Setup: Application Policy Management page appears if you checked 

Application Policy Management on the Install Components page. You can configure 

the details for each option on this page by clicking the Configure button. 

It contains the following features: 

• Add an Application Policy Management shortcut to the LANDesk 

Management Start menu group: Creates a LANDesk Management Suite 

program group that clients can use to manually run the APM agent user 

interface. The agent should only run pull tasks currently in the cache. 

• Launch the APM client whenever a user logs on: Runs the APM agent 

when users log on. The agent checks for policies and closes automatically 

when it is done. 

• Launch the APM client at specified intervals (requires the Local 

Scheduler on clients): Allows the client agent to run only at the specified 

times. 

89

USER'S GUIDE 

About the Client Setup wizard: Application Policy Management Options dialog 

The Application Policy Management Options dialog displays when you click the 

Configure button from the Application Policy Management wizard page. 


• Run APM silently: APM runs without showing the client interface. 

• Run required policies and cache the rest: Runs required policies. Caches 

preferred and optional policies locally in case clients want to install policies 

later. 

• Only run policies from the clients local cache: Runs policies from the 

cache only. Clients won't initiate any network traffic. 

• Client timeout: Delay timeout in seconds. 

• Allow any network connection: The policy executes regardless of the type 

of connection clients have. If your clients all have high-speed network access 

to the package server, this option is appropriate. 

• Allow any non-RAS network connection: The policy executes if the 

client's connection to the package server is at least WAN speed but less than 

LAN speed. LAN speed is defined as 262,144 bps by default. 

• Only allow a high-speed network connection: The policy executes when 

the client's connection to the package server exceeds the LAN speed setting 

(the default is 262,144 bps). 

About the Client Setup wizard: Application Policy Management Options (specified 

intervals) dialog 



You can also specify that the Application Policy Management agent only run 

periodically or only between certain times/days/weeks/months. The agent will run 

once for the Run every interval you specify. 





later. 

• Only run policies from the client's local cache: Runs policies from the 


• Run APM client periodically: Check this option and select a Run Every 

interval from the list box. The agent will run once during the interval you 

specify. If you check this option, be sure to click the Time Filters button and 

set the interval details. The user needs to log in for the agent to run. 


of connection they have. If your clients all have high-speed network access to 

the package server, this option is appropriate. 

90





• Only allow a high speed network connection: The policy executes when 



About the Client Setup wizard: Application Policy Management Options (logon 

options) dialog 



You can also specify that the Application Policy Management agent only run 

periodically or only between certain times/days/weeks/months. The agent will run 

once for the Run Every interval you specify. 





later. 

• Only run policies from the client's local cache: Runs policies from the 


• Run APM client periodically: Check this option and select a Run every 

interval from the list box. The agent will run once during interval you specify. 

If you select this option, be sure to click the Time Filters button and set the 

interval details. The user needs to log in for the agent to run. 

• Client timeout: Delay timeout in seconds. 


of connection clients have. If your clients all have high-speed network access 

to the package server, this option is appropriate. 




• Only allow a high speed network connection: The policy executes when 



91

USER'S GUIDE 

About the Client Setup wizard: Time Filter Options page 

The Time Filter Options dialog is available from the Application Policy Management 

and Task Completion wizard pages. Time filters configure the Local Scheduler to 

launch the Application Policy Management and Task Completion agents at the times 

you specify. Time filters only work on clients that have the Local Scheduler installed 

on them. 

You can use time filters to configure clients to run the agents after-hours or on 

weekends rather than at login. 

The Time Filter Options dialog has these options: 

• Use a time of day filter. The task won't run unless the time of day is 

between the specified hours: Select the start and end times you want. 

• Use a day of week filter. The task won't run unless the day of the 

week is between the specified days: Select the start and end days you 

want. 

• Use a day of the month filter. The task won't be run unless the day of 

the month is between the specified dates: Select the start and end dates 

you want. 

About the Client Setup wizard: Bandwidth Detection page 

The Client Setup: Bandwidth Detection page appears if you checked Application 

Healing or Application Policy Management on the Install Components page. It 


• Choose bandwidth detection method: Select whether to use ICMP or PDS 

for bandwidth detection. ICMP sends ICMP echo requests of varying sizes to 

the remote client and uses the round trip time of these echo 

requests/responses to determine the approximate bandwidth. ICMP also 

distinguishes between LAN (high speed) and WAN (slow, but not dialup) 

connections. However, not all routers or clients support ICMP echo requests. 

If your network isn't configured to allow ICMP echo requests, you can select 

PDS. The PDS bandwidth tests aren't as detailed, but they detect either a LAN 

or a low-bandwidth RAS (typically dialup) connection. 

• LAN threshold, in bits per second: The threshold that classifies a 

connection as WAN rather than LAN. The default is 262144 bps. 

• Enable dynamic bandwidth throttling: Specifies that the network traffic a 

client creates has priority over distribution traffic. This option also forces a full 

download of the file into the client's cache, which also enables byte-level 

checkpoint restart, where downloads resume where they left off if interrupted. 

This option is also available from the Deploy Package wizard. If you enable 

this option in client setup but not in the Deploy Package wizard, it will still be 

enabled on the client. If you don't enable this option in client setup but do 

enable it in the Deploy Package wizard, dynamic bandwidth throttling will be 

enabled on the client for that package script. 

92


About the Client Setup wizard: Client Status TCP Port page 

The Client Setup: Client Status TCP Port page appears if you checked Application 

Healing or Application Policy Management on the Install Components page. It 


• TCP Port: Specifies the port the Application Healing/Application Policy 

Management agent will use to communicate with the core server. The default 

port is 12175. You'll need to make sure this port is open on any firewalls 

between clients and the core server. If you change this port, you'll also need 

to change it on the core server. You can change the port the QIP Server 

service uses by editing this registry key: 

HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr 

About the Launching the APM client at specified intervals 

There are two dialogs in the Client Setup wizard that control the Application Policy 

Management client launch interval: 

• Application Policy Management Options: Access this dialog by clicking the 

Launch APM client at specified intervals option, then clicking the 

Configure button. 

• Local Scheduler Time Filter Options: Access this dialog by clicking the 

Time Filters button in the Application Policy Management Options dialog. 

The Application Policy Management Options dialog has a Run APM client 

periodically option. This option tells the Local Scheduler agent to rerun the task at 

the interval you select. If you don't select this option, Application Policy Management 

will only be scheduled to run once. 

When you select the Run APM client periodically option, you must also specify a 

Run every interval to run the task daily, weekly, or monthly. This interval starts the 

first time the Local Scheduler runs the task. For example, if you select weekly, the 

first chance Local Scheduler gets, it will run the task. If it runs the task on Tuesday 

the first time, generally the Scheduler will run the task every Tuesday. 

To configure in detail when the task will run, use the Time Filter Options dialog. You 

can set as many as three filters that define when the task will run: 

• Time-of-day filter 

• Day-of-week filter 

• Day-of-month filter 

These filters further define the Run every interval you specify (daily, weekly, or 

monthly). For example, if you set the Run every interval to "monthly," then specify a 

day-of-month filter for the "21st" to the "22nd," the Local Scheduler will run the task 

once a month, sometime during the interval between the 21st and 22nd. 

You can set one or multiple filters on the Run every interval, but ensure that the 

filters make sense for the interval you've chosen. For example, if you set the Run 

every interval to "daily," and then add a time-of-day filter of "8 p.m." to "11 p.m." 

and a day-of-week filter of "Monday," the task won't run daily, but rather each 

Monday between the times of 8-11 p.m. 

93

USER'S GUIDE 

If you use a bandwidth filter in the Client Setup: Application Policy Management 

Options dialog, the bandwidth filter also determines when the Local Scheduler runs 

the job. Both the time and bandwidth filters must pass for the Local Scheduler to run 

the task. For example, perhaps you've configured a job to run on Wednesday every 

week and you've also specified the high-speed network connection bandwidth filter. 

If a client connects via dialup on Wednesday, the task won't run, even though the 

time filter criteria were met. 

Deploying Bandwidth Detection 

Bandwidth Detection enables bandwidth detection between clients and the core 

server. You can limit Management Suite actions such as Software Distribution based 

on available bandwidth. Use this option if you have remote clients or clients that 

connect to the network via a slow link. 

Deploying Custom Data Forms 

You can create and distribute Custom Data Forms to collect client information that 

will supplement the standard information available in the core database. The forms 

you create using the Form Designer can be distributed by a Client Deployment 

service or by using the Client Setup wizard. 

Custom Data Forms requires the Inventory Scanner component. 

Customize the forms that are distributed to clients in your management domain 

using the Form Designer. For more information, see "Using custom data forms" in 

chapter 4. 

About the Client Setup wizard: Custom Data Forms page 

The Client Setup: Custom Data Forms section consists of two pages, and only 

appears if you checked Custom Data Forms on the Install Components page. 

The first page contains the following features: 

• Manual update: Selected forms are sent to each client. If the forms change 

or new forms are added, you must manually resend the forms to remote 

clients. 

• Automatic update: Remote clients check the core server for updated forms 

each time the inventory scanner is run, such as at startup. Each client must 

have a drive mapped to the LDLOGON directory on the core server to access 

the updated forms. 

94


• Show forms: Choose how remote clients access custom forms: 

• On startup: The selected forms run automatically at startup on each 

client. 

• When inventory scanner runs: The selected forms run only when 

the inventory scanner is run on each client. The inventory scanner 

runs automatically on startup, and can be run manually by clients at 

any time. 

• Only in LANDesk program folder: The selected forms appear as 

items in the client's LANDesk Management folder. They aren't 

automatically run. 

The second page lists all defined custom data forms. Mark which forms are made 

available to clients receiving this configuration task. 

About the Client Setup wizard: Available Forms page 

The Client Setup: Custom Data Forms section consists of two pages, and only 

appears if you checked Custom Data Forms on the Install Components page. 

Use the second page to select the forms you want to deploy. You'll have to create 

forms (Tools | Custom Data Forms) before they can appear in this list. 

Enabling Migration Tasks 

The Migration Tasks Client Setup option selects the components necessary for OS 

deployment and profile migration. The only thing the Migration Tasks option does is 

provide a fast way of selecting the Bandwidth Detection, Common Base Agent, and 

Enhanced Software Distribution components. If you've already selected these 

components, selecting the Migration Tasks option doesn't make a difference. 

Deploying Enhanced Software Distribution 

Enhanced Software Distribution automates the process of installing software 

applications and distributing files to clients. Use this agent to install applications 

simultaneously to multiple clients or to update files or drivers on multiple clients. 

Enhanced Software Distribution uses a Web or file server to store packages. Clients 

access this package server when downloading a package. You'll need to configure a 

package server as described in the Enhanced Software Distribution chapter in the 

User's Guide. You can deploy the Enhanced Software Distribution agent to clients 

before you set up a package server. 

Configuring clients for Enhanced Software Distribution 

In the Client Setup wizard, there aren't any pages specific to Enhanced Software 

Distribution. 

Enhanced Software Distribution requires the Bandwidth Detection and Common Base 

Agent components. 

95

USER'S GUIDE 

Deploying the Local Scheduler 

The Local Scheduler agent enables Management Suite to launch client tasks based on 

a time of day or bandwidth availability. The Local Scheduler agent is most useful for 

mobile computers that may not always be on the network or may connect to the 

network via a dialup connection. For example, you can use the Local Scheduler to 

allow mobile computer package distribution only when those clients are on the WAN. 

When you schedule Enhanced Software Distribution packages for distribution, or 

when you create application policies, you can specify which bandwidth the packages 

or policies require before they are applied. 

The Local Scheduler runs as a service on Windows NT/2000/XP, or as a pseudoservice 

on Windows 95/98. 

The Local Scheduler requires the Bandwidth Detection component. 

About the Client Setup wizard: Local Scheduler page 

The Client Setup: Local Scheduler page appears if you marked Local Scheduler on 


• The interval, in seconds, where the Local Scheduler client will poll for 

tasks that are ready to run: How often the Local Scheduler checks for 

tasks. The default is 30 seconds. The polling interval you select is stored on 

the local computer. 

• Bandwidth detection interval, in seconds: How often the Local Scheduler 

should check bandwidth. The default is 120 seconds. Bandwidth checks 

happen only when there's a pending scheduled task. 

Deploying Software Monitoring 

The Software Monitoring agent enables you to monitor license compliance and 

product usage and denial trends on clients across your network. The agent records 

data about all installed applications on a client and stores this data in the client's 

registry. Using the Software License Monitoring window, you can choose to monitor 

the most important of these installed applications. Application usage data that you 

don't monitor is ignored and eventually overwritten with newer data in the client's 

registry. 

After you indicate the product files and licenses that you want to monitor, the 

following occurs: 

• Management Suite detects clients that are running the applications you want 

to monitor and imports this list into the Software License Monitoring window. 

The client list is static until the next software scan occurs. 

• During the next scan, the scanner reads client data collected by the Software 

Monitoring agent and sends this data up to the core server. Management 

Suite then updates the Software License Monitoring window with information 

for the specific licenses and products you're monitoring. 

96


For mobile clients disconnected from the network, the Software Monitoring agent 

continues to record data and caches it in the client's registry. After the client 

reconnects to the network, the next scan detects which of the cached data is being 

monitored and sends that data to the core server. The Software License Monitoring 

window is then updated with the latest license compliance, usage, and denial data 

for those mobile clients. Software Monitoring requires the Inventory Scanner 

component. 

Deploying Targeted Multicast 

Targeted Multicast enables you to transmit software packages to multiple clients 

without modifying your router configuration. It's designed to work with your existing 

software distribution packages. When you use Targeted Multicast, you can easily 

distribute software, even in WAN environments with multiple hops and low 

connection speeds (56k). Targeted Multicast uses HTTP for delivery from a Web site 

to a subnet representative. Management Suite's Inventory service provides all the 

subnet information to the Targeted Multicast service. 

Targeted Multicast provides unique benefits that standard methods of multicast don't 

provide. Inventory-based targeting of clients enables you to send a package to a 

selected group of computers that fit specific criteria via a broadcast. Targeted 

Multicast is also simplified because there's no need to configure routers to handle 

deliveries. 

Targeted Multicasting is the default method of software distribution in Management 

Suite. You'll probably want to leave it that way. However, if you want to turn it off, 

clear the Use Multicast to distribute this package option on the Create Script 

dialog that you'll see when creating a distribution package script. 

Deploying Task Completion 

The Task Completion agent checks with the core server to see if there are any 

scheduled jobs the client needs to run. Task Completion is especially useful for 

mobile users who aren't always connected to the network and tend to miss 

scheduled jobs. 

When the Task Completion agent runs, it launches a status window on clients while it 

checks with the core server. This window disappears after 15 seconds by default. You 

can specify that the Task Completion agent only run periodically or only between 

certain times/days/weeks/months. If the Task Completion agent runs and the 

computer isn't connected to the network or it can't talk to the core server, the Task 

Completion agent will exit. 

Task Completion requires the Bandwidth Detection, Common Base Agent, and 

Enhanced Software Distribution components. 

For more information on scheduling Task Completion, see "Launching the APM client 

at specified intervals" earlier in this chapter. The information in that section also 

applies to the Task Completion agent. 

97

USER'S GUIDE 

About the Client Setup wizard: Task Completion page 

The Client Setup: Task Completion page appears if you marked Task Completion on 

the Install Components page. The Task Completion agent checks with the core server 

to see if there are any scheduled jobs the client needs to run. Task Completion is 

especially useful for mobile users who aren't always connected to the network and 

therefore tend to miss scheduled jobs. 

When the Task Completion agent runs, it launches a status window on clients while it 

checks with the core server. This window disappears after 15 seconds by default. 

You can also specify that the Task Completion agent only run periodically or only 

between certain times/days/weeks/months. 

If the Task Completion agent runs and the computer isn't connected to the network, 

or it can't talk to the core server, the Task Completion agent will exit. 


• Launch the Task Completion client whenever a user logs on: Adds the 

Task Completion client to the Startup group. 

• Launch the Task Completion client at specified intervals (requires the 

Local Scheduler on clients): Allows you to specify when you want the Task 

Completion client to run. 

• Full UI: Shows the Task Completion window on clients every time Task 

Completion runs. 

• Only show UI if there are outstanding tasks: Shows the Task Completion 

window only when there are tasks that still need to run. 

• Run silently: Specifies that the Task Completion window should never show 

on clients. 

About the Client Setup wizard: Task Completion Options page 

The Client Setup: Task Completion page appears if you checked Task Completion on 

the Install Components page. Click the Configure button to access the Task 

Completion Options dialog. 

You can click the Time Filters button in this dialog if you want to configure the Task 

Completion agent to run periodically. 


• Launch the Task Completion client periodically: You can select how 

frequently Task Completion checks with the core server for tasks. Check this 

option and select a Run every interval from the list box. The agent will run 

once during interval you specify. If you select this option, be sure to click the 

Time Filters button and set the interval details. The user needs to log in for 

the agent to run. 

• Allow any network connection: Task Completion executes regardless of 

the type of connection clients have. If your clients all have high-speed 

network access to the package server, this option is appropriate. 

98


• Allow any non-RAS network connection: Task Completion executes if the 



• Only allow a high-speed network connection: Task Completion executes 

when the client's connection to the package server exceeds the LAN speed 

setting (the default is 262,144 bps). 

About the Client Setup wizard: Reboot Options page 

The Client Setup: Reboot options page always appears. It contains the following 

features: 

• Do not reboot clients after configuration: Clients won't reboot, even if 

the selected components require a reboot. If a reboot is necessary, 

components won't work correctly until the client reboots. 

• Reboot clients if necessary: Reboots clients only if a selected component 

requires a reboot. 

• Reboot with user option to cancel: If a selected component requires a 

reboot, clients will have the option to cancel the reboot. If a reboot is 

necessary, components won't work correctly until the client reboots. You can 

select how long the reboot prompt stays on the client's screen before the 

computer reboots. This timeout is useful for users that are away from their 

computers when the client deployment happens. 

About the Client Setup wizard: Reboot information page 

The Client Setup: Reboot options page always appears. It reminds you that reboot 

options only apply to client setup deployments run as scheduled tasks. 

About the Client Setup wizard: Finished page 

The Finished page appears once you've completed all of the wizard pages. It lets you 

set the configuration you've created as the default configuration. This configuration is 

the default configuration the next time you create a new configuration. It also is 

used to reconfigure existing clients that use login scripts on the core server. 

You can also have Client Setup wizard create an Enhanced Software Distribution 

(ESWD) self-extracting package that you can distribute to clients. Clients need to 

have the Enhanced Software Distribution agent on them for this feature to work. 

You can also use Targeted Multicast to distribute updated client configuration 

packages to many computers simultaneously, while minimizing the amount of 

network bandwidth being used. For more information, see "Using Targeted Multicast 


99

USER'S GUIDE 

To create a Software Distribution package 

1. Create a client configuration. 

2. In the Client Setup wizard's Finished page, select Create ESWD Package. 

3. Click Finish. 

4. In the Save Enhanced Software Distribution package as file browser, 

select a filename and a location to store the package. Note that the default 

directory is the LDMAIN directory. Clients don't have access to this directory. 

Select the directory you're using to store packages and that clients have 

access to. 

5. Click Save. The wizard creates the self-extracting .EXE package. 

About the Client Setup Utility dialog 

The Client Setup Utility dialog displays the status of a scheduled client configuration 

task as the task is processed. This dialog is for information only; the clients to be 

configured were selected when the task was scheduled. 

The Client Setup Utility dialog contains the following features: 

• Clients to configure: Lists the clients scheduled to receive these 

configuration settings. 

• Clients being configured: Lists the clients that have been contacted by the 

console and are in the process of being configured with this settings file. 

• Clients completed: Lists the clients that the console has configured during 

this scheduled session. If the configuration attempt was successful, the status 

is Complete. If the configuration attempt failed for any reason, the status is 

Failed. These statuses are mirrored in the Scheduled Tasks window when this 

task is selected. 

• Creating configuration files: Displays a status bar indicating the 

completion status of the entire configuration task. 

Setting up a Client Deployment service center 

The Client Deployment service center provides an easy method for deploying 

LANDesk agents to Windows clients. When you set up a Client Deployment service, 

login scripts are automatically created. You then need to assign clients the 

appropriate script in order for them to be configured. 

In accordance with the phased deployment strategy, you should initially limit the 

services deployed to the clients. For the initial rollout, we recommended that you 

create a client configuration that includes CBA (the agent that provides 

communication with the core server), the Remote Control agent, and the Inventory 

agent. 

The Service Center wizard uses the settings for each component that you establish in 

the Client Setup wizard. The Client Setup wizard lets you specify the settings for 

each component you deploy. If you don't establish these settings in the Client Setup 

wizard before running the Service Center wizard, the default settings will be used. 

100


If the client is running Windows NT/2000/2003/XP 

Users must have administrator privileges on their workstation to install agents with a 

login script. If users don't have administrative rights, consider using the push-based 

configuration method. 

To create a client configuration 


2. Double-click the Add new client configuration icon. 

3. In the Client Setup wizard's Install components page, select the Common 

Base Agent, Inventory Scanner, and Remote Control components. 


Click Help for information on each page. 

5. At the end of the wizard, click Set as default configuration. 


For more information on setting up Client Deployment service centers, see Phase 4 in 

the Deployment Guide. 

101

Chapter 3: Using queries 

Queries are customized searches of your core databases. LANDesk Management 

Suite provides tools that let you query for clients in your core database with 

database queries, and for clients in other directories via LDAP queries. You create 

core database queries in the console's network view. You create LDAP queries with 

the Directory Manager tool. 


Management Suite queries 

• Queries overview 

• Query groups 

• Creating database queries 

• Running queries 

• Importing and exporting queries 

LDAP queries with Directory Manager 

• Using Directory Manager to query directories via LDAP 

• About the Directory Manager window 

• Creating LDAP directory queries 

• More about LDAP 

103

USER'S GUIDE 

Queries overview 

Queries help you manage your network by allowing you to search for and organize 

network devices, that are in the core database, based on specific system or user 

criteria. 

For example, you can create and run a query that captures only clients with a 

processor clock speed of less than 166 MHz, or with less than 64 MB of RAM, or a 

hard drive of less than 2 GB. Create one or more query statements that represent 

those conditions and relate statements to each other using standard logical 

operators. When the queries are run, you can print the results of the query, and 

access and manage the matching clients. 

Query groups 

Queries can be organized into groups in the network view. Create new queries (and 

new query groups) by right-clicking either the My Queries group and selecting New 

query or New group, respectively. 

A Management Suite administrator (user with LANDesk Administrator rights) can 

view the contents of all of the query groups, including: My Queries, Public Queries, 

All Queries, and User Queries. 

When other Management Suite users log in to the console, they can see queries in 

the My Queries, Public Queries, and All Queries groups, based on their device scope. 

A user will not see the User Queries group. 

When you move a query to a group (by right-clicking and selecting Add to new 

group or Add to existing group, or by dragging and dropping the query), you're 

actually creating a copy of the query. You can modify or delete the copy in any query 

group and the master copy of the query (in the All Queries group) is not affected. 

An administrator needs to double-click the User Queries group in the 

console before user queries will be added to it 

After creating users and assigning rights and scopes to users, the core administrator 

need to double-click on the User Queries group to make sure that all the private 

queries saved will be under the User Queries group. This only needs to be done once. 

Any private queries created before doing this end up in the All Queries group. 

For more information on how query groups and queries display in the network view, 

and what you can do with them, see "Understanding the network view" in the 

Chapter 1. 

Creating database queries 

Use the New Query dialog to build a query by selecting from attributes, relational 

operators, and the attribute's values. Build a query statement by choosing an 

inventory attribute and relating it to an acceptable value. Logically relate the query 

statements to each other to ensure they're evaluated as a group before relating 

them to other statements or groups. 

104

CHAPTER 3: USING QUERIES 

To create a database query 

1. In the console's network view, right-click the My Queries group (or Public 

Queries, if you have the Public Query Management right), and then click 

New Query. 

2. Enter a unique name for the query. 

3. Select a component from the inventory attributes list. 

4. Select a relational operator. 

5. Select a value from the values list. You can edit a value. 

6. Click Insert to add the statement to the query list. 

7. If you want to query for more than one component, click a logical operator 

(AND, OR) and repeat steps 2-5. 

8. (Optional) To group query statements so they're evaluated as a group, select 

two or more query statements and click Group( ). 

9. When you're finished adding statements, click Save. 

About the New Query dialog 

Use this dialog to create a new query with the following functions: 

• Name: Identifies the query in query groups. 

• Machine components: Lists inventory components and attributes the query 

can scan for. 

• Relational operators: Lists relational operators. These operators determine 

which description values for a certain component will satisfy the query. 

The Like operator is a new relational operator. If a user doesn't specify any 

wild cards (*) in their query, the Like operator adds wildcards to both ends of 

the string. Here are three examples of using the Like operator: 

Computer.Display Name LIKE "My Machine" queries for: Computer.Display 

Name LIKE "%Al's Machine%" 

Computer.Display Name LIKE "Al's Machine*" queries for: Computer.Display 

Name LIKE "Al's Machine%" 

Computer.Display Name LIKE "*Al's Machine" queries for: Computer.Display 

Name LIKE "%Al's Machine" 

• Display scanned values: Lists acceptable values for the chosen inventory 

attribute. You can also manually enter an appropriate value, or edit a selected 

value, with the Edit values field. If the selected relational operator is Exists or 

Does Not Exist, no description values are possible. 

• Logical operator: Determines how query statements logically relate to each 

other: 

• AND: Both the previous query statement AND the statement to be 

inserted must be true to satisfy the query. 

• OR: Either the previous query statement OR the statement to be 

inserted must be true to satisfy the query. 

• Insert: Inserts the new statement into the query list and logically relates it to 

the other statements according to the listed logical operator. You can’t choose 

this button until you’ve built an acceptable query statement. 

105

USER'S GUIDE 

• Edit: Lets you edit the query statement. When you're finished making 

changes, click the Update button. 

• Delete: Deletes the selected statement from the query list. 

• Clear all: Deletes all statements from the query list. 

• Query list: Lists each statement inserted into the query and its logical 

relationship to the other listed statements. Grouped statements are 

surrounded by parentheses. 

• Group (): Groups the selected statements together so they’re evaluated 

against each other before being evaluated against other statements. 

• Ungroup: Ungroups the selected grouped statements. 

• Filters: Opens the Query Filter dialog that displays device groups. By 

selecting device groups, you limit the query to only those clients contained in 

the selected groups. If you don't select any groups, the query ignores group 

membership. 

• Select columns: Lets you add and remove columns that appear in the query 

results list for this query. Select a component, and then click the right-arrow 

button to add it to the column list. You can manually edit the Alias and Sort 

Order text, and your changes will appear in the query results list. 

• Save: Saves the current query. When you save a query before running it, the 

query is stored in the core database and remains there until you explicitly 

delete it. 

Query statements are executed in the order shown 

If no groupings are made, the query statements listed in this dialog are executed in 

order from the bottom up. Be sure to group related query items so they're evaluated 

as a group; otherwise, the results of your query may be different than you expect. 

Running database queries 

To run a query 

1. In the network view, expand the query groups to locate the query you want 

to run. 

2. Double-click the query. Or, right-click and select Run. 

3. The results (matching devices) display in the right-hand pane of the network 

view. 

Importing and exporting queries 

You can use import and export to transfer queries from one core database to 

another. You can import Management Suite 8 exported queries and Web console 

exported queries as .XML files. Import Management Suite 6.52, 6.62, and 7.0 

exported queries as .QRY files. 

To import a query 

1. Right-click the query group where you want to place the imported query. 

2. Select Import from the shortcut menu. 

3. Navigate to the query you want to import and select it. 

4. Click Open to add the query to the selected query group in the network view. 

106


To export a query 

1. Right-click the query you want to export. 

2. Select Export from the shortcut menu. 

3. Navigate to the location where you want to save the query (as an .XML file). 

4. Type a name for the query. 

5. Click Save to export the query. 

107

USER'S GUIDE 

Using Directory Manager to query directories via 

LDAP 

In addition to providing a way to query the core database, Management Suite also 

provides the Directory Manager tool that lets you access and manage clients in 

directories via LDAP (the Lightweight Directory Access Protocol). 

You can query clients based on specific attributes such as processor type or OS. You 

can also query based on specific user attributes such as employee ID or department. 

About the Directory Manager window 

Use Directory Manager to accomplish the following tasks: 

• Manage Directory: Opens the Directory Properties dialog where you identify 

and log in to an LDAP directory. 

• Remove Directory: Removes the selected directory from the preview pane 

and stops managing it. 

• Refresh View: Reloads the list of managed directories and targeted users. 

• New Query: Opens the LDAP Query dialog where you can create and save an 

LDAP query. 

• Delete Query: Deletes the selected query. 

• Run Query: Generates the results of the selected query. 

• Object Properties: See the properties for the selected object. 

• Application Policy Manager (APM): Launches the APM tool so that you can 

target policies to saved queries or to individual LDAP users. 

Using Directory Manager, you can add saved queries and individual LDAP users to 

the Application Policy Manager (APM) to target policies to them, drag and drop 

queries as the target list in APM, and drag and drop users onto a static target list in 

APM. 

The Directory Manager window consists of two panes: a directory pane on the left 

and a preview pane on the right. 

Directory pane 

The directory pane displays all registered directories and users. As an administrator, 

you can specify the name of a registered directory and see a list of queries that are 

associated with the directory. You can create and then save new queries for a 

registered directory with a right mouse click or by using drop-down menus. After 

creating a query, you can drag and drop it to the Application Policy Manager (APM) 

so that the policy is applied to users who match the query. 

108


Preview pane 

When you select a saved query in Directory Manager’s directory pane on the left side 

of the dialog, the policies targeted to that query appear in the preview pane on the 

right side. Likewise, when an individual LDAP user is selected in the directory pane, 

the policies targeted to that user appear in the preview pane. 

• Registered directory: Query groups item and Browse item. 

• Query groups: Queries associated with the directory. 

• Query: Provides details about the query. 

• Browse and directory items: Sub-items in the directory. 

• All users: Lists all users who currently have policies targeted to them. 

• Individual users: Lists the policies currently associated with the user. 

Creating LDAP directory queries 

To create and save a directory query 

The task of creating a query for a directory and saving that query is divided into two 

procedures: 

To select an object in the LDAP directory and initiate a new query 

1. Click Tools | Directory Manager. 

2. Browse the Directory Manager directory pane, and select an object in the 

LDAP directory. You'll create an LDAP query that returns results from this 

point in the directory tree down. 

3. From Directory Manager, click the New Query toolbar button. Note that this 

icon only appears when you select the root organization (o) of the directory 

tree (o=my company) or an organizational unit (ou=engineering) within the 

root organization. Otherwise, it’s dimmed. 

4. The Basic LDAP Query dialog appears. 

To create, test, and save the query 

1. From the Basic LDAP Query dialog, click an attribute that will be a criterion for 

the query from the list of directory attributes (example = department). 

2. Click a comparison operator for the query (=,=). 

3. Enter a value for the attribute (example department = engineering). 

4. To create a complex query that combines multiple attributes, select a 

combination operator (AND or OR) and repeat steps 1 through 3 as many 

times as you want. 

5. When you finish creating the query, click Insert. 

6. To test the completed query, click Test query. 

7. To save the query, click Save. The saved query will appear by name under 

Saved Queries in the directory pane of Directory Manager. 

109

USER'S GUIDE 

About the Basic LDAP Query dialog 

• LDAP Query Root: Select a root object in the directory for this query 

(LDAP://ldap.xyzcompany.com/ou = America.o = xyzcompany). The query 

that you're creating will return results from this point in the tree down. 

• LDAP Attributes: Select attributes for user-type objects. 

• Operator: Select the type of operation to perform relating to an LDAP object, 

its attributes, and attribute values including equal to (=), less than or equal 

to (=). 

• Value: Specify the value assigned to the attribute of an LDAP object. 

• Test Query: Execute a test of the query you've created. 

• Saved: Save the created query by name. 

• Advanced: Create a query using the elements of a basic LDAP query but in a 

freeform manner. 

• Insert: Insert a line of query criteria. 

• Delete: Delete a selected line of criteria. 

• Clear All: Clear all lines of query criteria. 

• Insert: Insert a line of query criteria. 

About the Save LDAP query dialog 

From the Basic LDAP Query dialog, click Save to open the Save LDAP Query dialog, 

which displays the following: 

• Choose a name for this query: Enables you to choose a name for the query 

you've created. 

• Query Details LDAP Root: Enables you to create a query using the 

elements of a basic LDAP query but in a freeform manner. 

• Query Details LDAP Query: Displays query examples you can use as a 

guide when creating your own query in freeform. 

• Save: Enables you to save the created query by name. The query is saved 

under the Saved Queries item under the LDAP directory entry in the Directory 

Manager directory pane. 

Once a query is saved, you can drag and drop it to the Application Policy Manager 

(APM) to be applied to users who match the query. 

110


About the Directory Properties dialog 

From the Directory Manager toolbar, click the Manage Directory toolbar button to 

open the Directory Properties dialog. This dialog enables you to start managing a 

new directory, or to view properties of a currently managed directory. This dialog 

also shows the URL to the LDAP server and the authentication information required 

to connect to the LDAP directory: 

• Directory URL: Enables you to specify the LDAP directory to be managed. An 

example of an LDAP directory and the correct syntax is 

ldap..com. For example, you might type 

ldap.xyzcompany.com. 

• Authentication: Enables you to: 

• Log in as the current user (that is, as the user who is currently logged 

in). 

• Log in as the following user (that is, you specify a user path and name 

and the user password). 

About the Advanced LDAP Query dialog 

From the Basic LDAP Query dialog, click Advanced to open the Advanced LDAP 

Query dialog, which displays the following: 

• LDAP Query Root: Enables you to select a root object in the directory for 

this query. The query that you’re creating will return results from this point in 

the tree down. 

• LDAP Query: Enables you to create a query using the elements of a basic 

LDAP query but in a freeform manner. 

• Examples: Displays query examples you can use as a guide when creating 

your own query in freeform. 

• Test Query: Enables you execute a test of the query you have created. 

The Advanced LDAP Query dialog appears when you select to edit a query that has 

already been created. Also, if you select an LDAP group in Directory Manager and 

then choose to create a query from that point, the Advanced LDAP Query dialog 

appears with a default query that returns the users who are members of that group. 

You can’t change the syntax of this default query, only save the query. 

111

USER'S GUIDE 

More about the Lightweight Directory Access 

Protocol (LDAP) 

Lightweight Directory Access Protocol (LDAP) is an industry standard protocol for 

accessing and viewing information about users and clients. LDAP enables you to 

organize and store this information into a directory. An LDAP directory is dynamic in 

that it can be updated as necessary, and it is distributed, protecting it from a single 

point of failure. Common LDAP directories include Novell Directory Services* (NDS) 

and Microsoft Active Directory Services* (ADS). 

The following examples show LDAP queries that can be used to search the directory: 

• Get all entries: (objectClass=*) 

• Get entries containing 'bob' somewhere in the common name: (cn=*bob*) 

• Get entries with a common name greater than or equal to 'bob': (cn>='bob') 

• Get all users with an e-mail attribute: (&(objectClass=user)(email=*)) 

• Get all user entries with an e-mail attribute and a surname equal to 'smith': 

(&(sn=smith)(objectClass=user)(email=*)) 

• Get all user entries with a common name that starts with 'andy', 'steve', or 

'margaret': (&(objectClass=User) (| 

(cn=andy*)(cn=steve*)(cn=margaret*))) 

• Get all entries without an e-mail attribute: (!(email=*)) 

The formal definition of the search filter is as follows (from RFC 1960): 

• ::= '(' ')' 

• ::= | | | 

• ::= '&' 

• ::= '|' 

• ::= '!' 

• ::= | 

• ::= | | 

• ::= 

• ::= | | | 

• ::= '=' 

• ::= '~=' 

• ::= '>=' 

• ::= '


113

Chapter 4: Managing inventory and reports 

LANDesk Management Suite uses an inventory scanning utility to add clients to the 

core database and to collect clients' hardware and software data. You can view, 

print, and export inventory data. You can also use it to define queries, group clients 

together, and generate specialized reports. 


Inventory 

• Inventory scanning overview 

• Viewing inventory data 

• Tracking inventory changes 

• Using custom data forms 

Reports 

• Reports overview 

• Report groups and predefined reports lists 

• Creating custom asset reports 

• Running reports 

• Using the Report View 

• Importing and exporting reports 

Note: For more information about running the inventory scanner, and inventory 

scanner troubleshooting tips, see "Appendix A: Additional inventory operations and 

troubleshooting." 

115

USER'S GUIDE 

Inventory scanning overview 

When you configure a client with Management Suite's Client Setup wizard, you can 

select to install an Inventory Scanner component (one of the Management Suite 

agents) on the client. This component is selected by default. You can also specify 

whether to place the inventory scanner in the client's Startup folder so that it will run 

every time the client boots. 

The inventory scanner runs automatically when the client is initially configured. The 

scanner executable is named LDISCAN32.EXE and supports Windows 95/98 and 

Windows NT/2000/XP clients. The inventory scanner collects hardware and software 

data and enters it into the core database. After that, the hardware scan runs each 

time the client is booted, but the software scan only runs at an interval you specify. 

To schedule a software scan, click Configure | Services | Inventory | Scanner 

Settings. 

For more information on configuring the inventory service, see "Configuring the 

Inventory service" in chapter 1. 

After the initial scan, the inventory scanner can be run manually from the client as 

well as from the Management Suite console as a scheduled task. The CBA must be 

running on remote clients to schedule an inventory scan to them. 

Note: A client added to the core database using the discovery feature has not yet 

scanned its inventory data into the core database. You must run an inventory scan 

on each client for full inventory data to appear for that client. 

You can view inventory data and use it to: 

• Customize the network view columns to display specific inventory attributes 

• Query the core database for clients with specific inventory attributes 

• Group clients together to expedite management tasks, such as software 

distribution 

• Generate specialized reports based on inventory attributes 

You can also use inventory scans to keep track of hardware and software changes on 

clients, and generate alerts or log file entries when such changes occur. For more 

information, see "Tracking inventory changes" later in this chapter. 

Read the sections below to learn more about how the inventory scanner works. 

Delta scanning 

After the initial full scan is run on a client, the inventory scanner only captures delta 

changes and sends them to the core database, making daily MODE=ALL scanning 

practical. MODE=ALL scans look for all of the installed software on the client, 

including unrecognized software files. 

Note: For more information on software scanning and MODE=ALL, see "Editing the 

LDAPPL3.TEMPLATE file" in chapter 8, "Monitoring software license compliance." 

116

CHAPTER 4: MANAGING INVENTORY AND REPORTS 

Forcing a full scan 

If you want to force a full scan of the client's hardware and software data, use one of 

the following methods: 

• Delete the INVDELTA.DAT file from the client. A copy of the latest inventory 

scan is stored locally as a hidden file named INVDELTA.DAT on the root of the 

hard drive. (The LDMS_LOCAL_DIR environment variable sets the location for 

this file.) 

• Add the /sync option to the inventory scanner utility's command line. To edit 

the command line, right-click the Inventory Scan shortcut icon and select 

Properties | Shortcut, and then edit the Target path. 

• On the core server, set the Do Delta registry key to 0. This key is located at: 

HKLM\Software\Intel\LANDesk\LDWM\Server\Inventory Server\Do Delta 

Scan compression 

Inventory scans performed by the Windows inventory scanner (LDISCAN32.EXE) are 

compressed by default. The scanner compresses full scans and delta scans with 

approximately an 8:1 compression ratio. Scans are first built completely in memory, 

then compressed and sent to the core server using a larger packet size. Scan 

compression requires fewer packets and reduces bandwidth usage. 

Scan encryption 

Inventory scans are now encrypted (TCP/IP scans only). 

You can disable inventory scan encryption by setting the core server's Disable 

Encryption registry key to 0. This key is located at: 

HKLM\Software\Intel\LANDesk\LDWM\Server\Inventory Server\Disable Encryption 

117

USER'S GUIDE 

Viewing inventory data 

Once a client has been scanned by the inventory scanner, you can view its system 

information in the Management Suite console. 

Client inventories are stored in the core database, and include hardware, device 

driver, software, memory, and environment information. You can use the inventory 

to help manage and configure clients, and to quickly identify system problems. 

You can view inventory data in the following ways: 

• Summary inventory 

• Full inventory 

You can also view inventory data in reports that you generate. For more information, 

see "Reports overview" later in this chapter. 

Viewing summary inventory 

Summary inventory is found on the client's properties page and provides a quick look 

at the client's basic OS configuration and system information. The summary also 

shows the date and time of the last inventory scan so you know how current the data 

is. 

Note: If you added a client to the core database using the discovery tool, its 

inventory data isn't yet scanned into the core database. You must run an inventory 

scan on the client for the Summary Inventory feature to complete successfully. 

To view summary inventory 

1. In the console's network view, right-click a client. 

2. Click Properties | Inventory tab. 

Inventory summary data is different for Windows NT/2000 and Windows 9.x/ME 

clients. The lists below show the different data components by OS. 

Windows NT/2000 client summary data 

This information appears when you view summary inventory for a Windows 

NT/2000/XP client. 

NT Configuration: 

• Computer name: NetBIOS name assigned to the client. 

• Domain name: Domain the client participates in. 

• Operating system: Windows OS running on the client: NT, 2000, or XP. 

• Version: Version number of the Windows NT/2000/XP OS running on the 

client. 

• Build: Build number of the Windows NT/2000/XP software. This number more 

precisely identifies the version running on the client. 

118


System 

• Processor type: Type of processor or processors running on the client. 

• Processor speed: Speed of the CPU(s). 

• Processor count: Number of processors running on the client. 

• Math coprocessor: Type of math coprocessor on the client, if any. Possible 

values are internal or external. 

• Bus type: Type of bus on the Windows NT/2000/XP client. There are four bus 

types that may appear in this field: Industry Standard Architecture (ISA), 

Micro Channel Architecture (MCA), Extended Industry Standard Architecture 

(EISA), and Peripheral Component Interface (PCI). 

• BIOS date: Date of the ROM BIOS version. 

• Physical: Amount of RAM available on the client. 

• Virtual: Amount of memory available to the client, including RAM and swap 

file memory. 

Windows 9.x/ME client summary data 

Hardware type: 

• Machine type: Supported clients (machines) include PC/AT, PC/XT, and 

PS/2. The correct machine type is returned only for IBM clients. IBM 

compatibles usually appear as the closest IBM type. If Management Suite 

can't discover the model, it lists the model and submodel numbers. 

• CPU type: Management Suite recognizes 80386 and greater processors, in 

addition to common 3rd-party Intel-compatible processors. 

• CPU speed: Speed of the processor in MHz. 

• Math coprocessor: Type of math coprocessor on the client, if any. Possible 

values are internal or external. 

• Bus type: Management Suite recognizes these bus types: Industry Standard 

Architecture (ISA), MicroChannel Architecture* (MCA), Extended Industry 

Standard Architecture (EISA), and Peripheral Component Interface (PCI). 

• Video adapter: Management Suite recognizes these adapter types: 

Monochrome, VGA Color, and VGA Monochrome. This information is from the 

CMOS. If Management Suite doesn't recognize the video adapter, it generally 

lists "Monochrome." 

Memory type: 

• Conventional: Amount of conventional memory. Conventional memory is the 

memory that DOS accesses directly for its processing tasks. Every DOS-based 

client has as much as 640 KB of conventional memory. 

• Extended: Amount of extended memory (XMS). Extended memory is the 

main memory over 1 MB that has not been configured as expanded memory. 

• Expanded: Amount of expanded memory (EMS). Expanded memory is 

memory over 1 MB that can only be used by applications supporting one of 

the expanded memory specifications. 

• Base: Base address (in hexadecimal) of the area in memory that has been 

reserved by EMS, if any. The size of this area and its starting address depend 

on what type of EMS driver is installed, how much expanded memory is 

installed, and what other programs are loaded in conventional memory. 

119

USER'S GUIDE 

Environment: 

• Mouse support: Mouse driver installed on the client. Supported types are 

serial, bus, Inport*, PS/2, and Hewlett Packard. 

• BIOS date: Date of the ROM BIOS version. 

• DOS version: Version of DOS. 

• Ports: Printer Ports group box displays the addresses of all serial and parallel 

ports on the client. 

Viewing a full inventory 

A full inventory provides a complete listing of a client's detailed hardware and 

software components. The listing contains objects and object attributes. 

To view a full inventory 

1. In the console's network view, right-click a client. 

2. Click Inventory. 

About the Inventory window 

Use the Inventory window to view a client's complete inventory, including the 

following components: 

• BIOS: Type, date, ID bytes, and system model for the BIOS. The BIOS 

permanently resides in the computers ROM (read-only memory) and enables 

the computer's memory, disk drives, and monitor to communicate. 

Additional BIOS information appears in the Inventory window as BIOS text 

strings. To view and search BIOS text strings, expand the BIOS object, select 

BIOS Strings, right-click the Data attribute and select Properties, and then 

click Extended Values. During an inventory scan, Management Suite outputs 

the text strings available in the BIOS to a text file, LDBIOS.TXT. You can set 

up a query in the LDAPPL3.INI file that outputs one or more of the BIOS text 

strings to the console. For more information, see "Appendix A: Additional 

inventory operations and troubleshooting." 

• Bus: Bus type. The bus connects the microprocessor, disk drives, memory, 

and input/output ports. Bus types can be ISA, EISA, VESA Local Bus, PCI, and 

USB. 

• Coprocessor: Type of coprocessor, if present. The coprocessor is distinct 

from the main microprocessor, though it can reside on the same motherboard 

or even the same chip. The math coprocessor evaluates floating point 

operations for the main microprocessor. 

• Environment: File locations, command path, system prompt, and other 

variables for the Windows environment. 

• Keyboard: Keyboard type attached to the client. Currently, the most 

common type of keyboard is the IBM-enhanced keyboard. Code page is the 

language the keyboard uses. 

120


• LANDesk Management: Information about the LANDesk agents, LANDesk 

Client Manager, and Alert Management System (AMS). Also contains 

information about the inventory scanner and initialization files. 

• Mass Storage: Storage devices on the computer, including floppy drives, 

hard disks, logical and tape drives, and CD-ROM. The hard disk and floppy 

drive objects include head, number, sector, and total storage attributes. 

• Memory: Page file, physical, and virtual memory attributes. Each of these 

memory objects includes byte attributes. The first byte is the amount of 

memory available. The second byte is the total memory. 

• Mouse: Type of mouse attached to the client. Mouse type values include 

PS/2, serial, and infrared. 

• Network: Network adapter, NIC address, and the adapter's node address 

information. The Network object includes information for each protocol loaded 

on the computer. Typical values include IPX*, NetBEUI, NetBIOS, and TCP/IP 

objects. 

• IPX is a protocol that NetWare* servers can use to communicate with 

their clients and other servers. The IPX object contains the address, 

network number, and node address attributes. 

• NetBEUI allows a computer to communicate with Windows NT/2000, 

Windows for Workgroups, or LAN Manager servers. Microsoft now 

recommends using TCP/IP for these connections. 

• NetBIOS is an interface (API) for applications to send and receive 

packets to each other over TCP/IP, NetBEUI, or IPX. 

• TCP/IP is a protocol that enables a computer to communicate over 

the Internet and with WANs. This object contains the address (contains 

the computers TCP/IP address), host name (contains the computers 

DNS context), IP routing enabled, and NetBIOS resolution (uses DNS 

and WINS proxy enabled attributes). 

• Network Adapters: Attributes for every installed network adapter on the 

client. 

• OS: Operating system, drivers, services, and ports. These objects and their 

attributes vary according to the configurations of the loaded drivers and 

services. 

• Ports: Objects for each of the computers output ports (serial and parallel). 

Each output port contains address and name attributes. The address attribute 

contains the hardware address for the port. 

• Printers: Objects for each printer connected to the computer, either directly 

or through a network. The printer objects contain driver, name, number, and 

port attributes. The port attribute contains either the network queue or the 

port the printer is connected to. 

• Processor: Attributes of the client's CPU. Detects Intel, Motorola 680x0, and 

PowerPC processors. 

• Resources: Objects for every hardware resource of the computer. Each 

hardware resource object contains attributes that describe the type of 

resource and any ports and interrupts it is using. 

• Software: Objects for every software application installed on the client's hard 

drive. Each software program object lists attributes that typically contain the 

software name, location, and version number. 

• Video: Objects for each video adapter on the client. The video adapter object 

typically contains attributes that describe the resolution and the number of 

supported colors. 

121

USER'S GUIDE 

Viewing attribute properties 

You can view attribute properties for a client's inventory objects from the inventory 

listing. Attribute properties tell you the characteristics and values for an inventory 

object. You can also create new custom attributes and edit user-defined attributes. 

To view an attribute's properties, double-click the attribute. 

About the Inventory Attribute Properties dialog 

Use this dialog to view an attribute's properties. The Characteristics tab displays the 

following information: 

• Name: The name of the core database attribute whose properties you're 

viewing. 

• Value: The value assigned to this inventory attribute. 

• User defined: Indicates whether the selected attribute was defined by the 

user or not. This option can't be changed. 

• Primary key: Indicates whether the attribute uniquely identifies objects of 

the same type. An object can have only one primary key. 

• Notify event log on change: Whether a change to this attribute should be 

logged to the Windows event log. 

• Track changes in database history: Whether changes to this attribute 

should be logged to the inventory history log. 

• Generate AMS alert: Whether changes to this attribute should be sent to 

AMS to generate an alert. 

• Event log/alert severity: The severity of a log or alert entry. 

• Factor (Integer values only): Integer value used to divide the attribute 

into units. If you change the factor value, you must enter the appropriate 

code in the format specifier field. For example, to view the number of 

Megabytes if the attribute is recorded in Kilobytes, enter the value 1000. 

• Format specifier (Integer values only): Notation used to display the value 

in appropriate form. For example, %d MB displays the attribute value without 

decimal values; %.1f MB displays the attribute value to the first floating 

decimal point in MB units. If no factor value is entered, this format specifier 

must describe integer values (%d, %u, etc). If a factor value is entered, this 

format specifier must describe floating point values (%f, %e, etc). 

122


Tracking inventory changes 

Management Suite can detect and record changes about the client hardware and 

software. Tracking inventory changes can help you control your network assets. 

Inventory change settings let you select which types of changes you want to save 

and with what severity level. The selected changes can be saved in an inventory 

history log, the core server's NT event log, or sent as an AMS alert. 

You can view and print a client's history of inventory changes. Additionally, you can 

export the inventory changes to a .CSV formatted file for analysis using your own 

reporting tools. 

To track and use inventory changes, you must first configure the inventory change 

settings. You will be able to perform the other inventory changes history tasks: 

• Configuring inventory change settings 

• Viewing, printing, and exporting an inventory changes 

Configuring inventory change settings 

Note: You must first configure these settings if you want to view, print, or export 

inventory changes for any clients on your network. 

To configure inventory change settings 

1. Click Configure | Inventory History. 

2. In the Inventory Change Settings dialog, expand the Computer object in the 

Current inventory list, and select the system component you want to track. 

3. In the Log event in list, select the component's attribute you want to track. 

4. Check the appropriate box to specify where to record a change in that 

attribute. Inventory changes can be recorded in the inventory changes history 

log, Windows NT event viewer log, or as an AMS alert. 

5. Select a severity level from the Log/Alert severity drop-down list. Severity 

levels include: None, Information, Warning, and Critical. 

6. Click OK. 

About the Inventory Change Settings dialog 

Use this dialog to select which inventory attributes are logged when changes occur at 

individual clients, and to determine where those changes are logged. 

• Current inventory: Lists all objects stored in the core database. Click an 

object to display its attributes in the Log event in list. Expand an object group 

to see the data objects contained within it. 

123

USER'S GUIDE 

• Log event in: Lists the attributes of the inventory object selected in the 

Current inventory list. 

To set where inventory changes are logged, select an attribute and check 

one or more options. Check the Inventory option to log inventory 

changes in the client's Inventory Changes History dialog. Check the NT 

Log option to log inventory changes in the Windows NT event log. Check 

the AMS option to send inventory changes as an alert via AMS (configure 

AMS alerts with the Alert Settings tool). 

• Log/Alert severity: Lists the alert priority options. This feature is dimmed 

until an attribute is actually selected. You can select a severity level of None, 

Information, Warning, or Critical. 

Viewing, printing, or exporting inventory changes 

To view, print, or export inventory changes 

1. In the console's network view, right-click a client (or clients). 

2. Click Inventory History. 

3. Click Print to print the inventory changes history. 

4. Click Export to save the inventory changes history as a .CSV file. 

About the Inventory Changes History dialog 

Use this dialog to view a client's inventory changes. You can also print and export 

the inventory changes history from this dialog. 

• Device Name: Displays the name of the client(s) selected in the console's 

network view for which inventory change data is requested. 

• Component: Identifies the system component that has changed. (Only 

components selected in the Inventory Change Settings dialog can appear 

here.) 

• Attribute: Identifies the specific component attribute being logged. 

• Time: Indicates when the change occurred. 

• New Value: Shows the new (changed) value for the listed attribute. 

• Old Value: Shows the old (previous) value for the listed attribute. 

• Print: Opens a standard print dialog where you can print the contents of the 

inventory changes history. 

• Export: Opens a Save As dialog where you choose a name and location for 

the exported .CSV file containing the inventory changes history. 

You can click a column heading to sort the listing by that attribute. Click the heading 

again to reverse the sort order. 

124


Using custom data forms 

Management Suite includes a custom data forms tool (Tools | Custom Data 

Forms) that you can use to create and manage forms. Custom data forms provide a 

way for you to collect information from users and add it to the core database. 

The inventory scanner can't gather certain types of personalized user-specific 

information, such as: 

• Where is a user's desk 

• What is a user's asset number 

• What is the user's phone number 

The best way to get this information is directly from your users with custom data 

forms. 

Custom data forms have two main components: the Form Designer which is used by 

you to create forms for users to fill out, and the Form Viewer which is used by users 

to fill out forms. 

Forms can be stored centrally or locally. If they're stored centrally, all users 

automatically have access to the latest forms because everyone views the same form 

from the same place. If forms are stored locally, you must ensure that users receive 

the latest forms. 

After a user completes a form, the Form Viewer stores the results locally in 

\LDClient\LDCUSTOM.DAT. This file contains the results from all of the forms the 

user has responded to. If the user ever needs to fill out the same form again (for 

example, if the original form was revised), the Form Viewer fills in the form with the 

previously entered data. 

The inventory scanner takes the information from each client's LDCUSTOM.DAT file 

and adds it to the core database. 

Oracle databases are case-sensitive 

When creating custom fields with custom data forms (or any other feature in 

Management Suite) on an Oracle database, make sure you consistently capitalize 

field names. For example, data associated with "Cube location" is stored in a 

different place in the database than data associated with "Cube Location." 

Also, make sure custom fields have names that are unique regardless of 

capitalization. Management Suite may not retrieve the correct inventory data if two 

custom fields have the same name but different capitalization. 

For more information about custom data forms, see the following procedures: 

• Creating a custom data form 

• Creating a group of forms 

• Configuring clients to receive custom data forms 

• Filling out forms on the client 

125

USER'S GUIDE 

Creating a custom data form 

Follow these steps to create a custom data form. 

To create a custom data form 

1. Click Tools | Custom Data Forms. 

2. In the Custom Data Forms window, double-click Add new form. 

3. Enter a name for the form. 

4. Enter a description for the form. 

5. Click Add to open the Add Question dialog. 

6. In the Add Question dialog, type in the Question text, Inventory name, 

and Description. 

7. Select the Control type. 

8. Select whether you want the field to be required. 

9. If you selected the Edit control type, click Finish to close the Add Question 

dialog. The Edit control type lets users type in their own answers to questions 

in an editable text box. You can add more questions or proceed to step 12. 

10. If you selected either of the Combo box control types, click Next to open the 

Add Items dialog. The Combo box control type lets users select their answers 

from a drop-down list of pre-defined items. 

11. In the Add Items dialog, enter an item name and click Insert to place the 

item in the Items list. These items appear in a drop-down list for that 

question on the form. You can add as many items as you like, then click 

Finish. 

12. When you're done adding questions, click Close to save the form. 

You can right-click on a form to schedule it for distribution to clients. 

About the Create/Edit a Custom Data Form dialog 

Use this dialog to create or edit a custom data form. 

• Form name: Identifies the form and appears on the Form Viewer when a 

user fills out the form. 

• Description: Provides additional information to users about the form. 

• Add: Opens the Add Question dialog where you can create a new question for 

the form. 

• Edit: Opens the Edit Question dialog where you can edit any of the question's 

options. 

• Delete: Removes the question from the form. 

• Page break: Controls the layout of the form by adding page breaks to group 

questions on pages. When there's a page break, users click the Next button to 

proceed to questions on the next page. 

Note: The maximum number of questions per page is nine. 

• Preview: Opens the form so that you can preview how it will look for users. 

In preview mode, you don't have to fill in any data and nothing you type is 

saved. 

126


About the Add/Edit Question dialog 

Use this dialog to create or edit questions that appear on the custom data form. 

Forms consist of questions and a place for users to put their answers. First, identify 

the question: 

• Question text: One-line description of what's being asked for. This text 

appears beside the data field. 

• Inventory Name: Name of the database field in the core database. If you 

wanted to query the core database for this item, the Label ID is what you 

would query on. 

• Description: Additional information that appears when users click Help (or 

press F1) while in this question's data field. 

You also need to specify what type of data field (control) to show beside each 

question, and if it is required. The available data fields are: 

• Edit box: Users type their answer in an editable text box. 

• Combo box (edit list): Users select one of the predefined list items, or type 

in a new one of their own. 

• Combo box (fixed list): Users select one of the predefined list items. 

• Make the control a required field to fill out: Forces the user to answer 

the question. The user can't finish a form or move to the next form page 

before responding to required fields. 

About the Add Items dialog 

Use this dialog to add items to a drop-down list that the user can choose from when 

answering that question on a form. 

• Item name: Identifies the item. This name appears in the question's dropdown 

list. 

• Items list: Lists all the items that appear in the question's drop-down list. 

• Insert: Places the item in the Items list. 

• Delete: Removes the item from the Items list. 

Creating a group of forms 

If you have more than one form that you want to send to clients, you can organize 

them into a group. Then you can simply schedule the group of forms for distribution. 

Of course, this is not a required procedure. 

When you schedule a group of forms for distribution, Scheduled Tasks reads the 

contents of the group when it's time to distribute it. In other words, you can still 

change the contents of the group even after it has been scheduled (as long as the 

scheduled job hasn't yet occurred). 

Note: If a form that is part of a group is later modified or deleted, the group 

automatically reflects those changes. 

127

USER'S GUIDE 

To create a group of forms 

1. In the Custom Data Forms windows, click the Multiple Forms toolbar button. 

2. Enter a name for the new group. 

3. Select the forms you want to add to the group from the list of available forms. 

4. Click OK. 

You can right-click on a group of forms to schedule it for distribution to clients. 

About the Select Multiple Forms to Distribute dialog 

Use this dialog to create a group of forms that shows the group name and lists 

available forms that can be part of a group. 

• Name of group: Identifies the group in the Custom Data Forms window. 

• Available forms: Lists all of the available forms you can add to the group. 

• OK: Saves the group and closes the dialog. 

• Cancel: Closes the dialog without saving the group. 

Configuring clients to receive custom data forms 

When you set up clients, you can configure them to receive custom data forms. You 

must select to install the Custom Data Forms component, and specify options on the 

Custom Data Form pages of the Client Setup wizard. For more information, see 

"Deploying Custom Data Forms" in chapter 2. 

During the Client Setup wizard, you need to specify how you want to update forms 

on the client: 

• Automatic update: If all of the forms are stored centrally (automatic 

updates), users check a single location for new forms. That way, when a new 

form is available, all clients looking there have immediate access to it. The 

disadvantage is that users may see forms that aren't relevant to them. 

• Manual update: If forms are stored locally (manual updates), you'll need to 

distribute the forms to the users that need to fill them out. There is less 

network overhead because each client has its own copy of the form. The 

benefit of local forms is that you can limit the forms users see to only those 

that are relevant to them. You copy forms to clients during client setup or 

with the Scheduled Tasks tool. 

You also need to specify when forms will be shown on the client: 

• On startup: The client's Form Viewer checks for any new or modified forms 

each time the client boots. The Form Viewer launches after the operating 

system loads. The next time the inventory scanner runs, it sends completed 

forms to the core database. 

• When the inventory scanner runs: The inventory scanner starts the Form 

Viewer, which checks for any new or modified forms. As soon as users finish 

filling out the form and close the Form Viewer, the scan finishes and the data 

is entered in the core database. 

128


• Only in LANDesk program folder: The Form Viewer can be launched 

manually from the LANDesk Management Suite program group. The next time 

the inventory scanner runs, it sends completed forms to the core database. 

You can also use the Scheduled Tasks to launch the Form Viewer on clients at a 

predefined time. In this scenario, use the Scheduled Tasks to first distribute the 

forms to clients. Make sure to allow enough time to distribute the forms before you 

use the Scheduled Task's scriptable jobs feature to run the Form Viewer. 

Filling out forms on the client 

When the Form Viewer launches on the client, a list of forms and each form's status 

displays: 

• New: Indicates the form has never been filled out by this user. 

• Completed: Indicates the user has opened this form and filled out, at a 

minimum, the required fields. 

• Do Again: Indicates the user has completed this form before, but the form 

has since changed. The user needs to look at the form again and make any 

necessary changes. Once this is done, the form's status changes to 

completed. 

Once users select a form to fill out and click Open, a simple Form wizard appears. It 

contains a list of questions and fields for answers. If there are more questions than 

fit on a page, there are Back/Next buttons. Users can click Help (or press F1) while 

the cursor is in a field to display a help message generated by the Description field in 

the Form Designer. 

Users must answer any required questions before continuing to the next page or 

exiting a form. Required questions have a red dot beside them. 

The last page of the Form wizard has a Finish button that users click when they're 

done. Clicking this button returns users to the Form Selection dialog where the 

status message beside the form name is updated. 

129

USER'S GUIDE 

Reports overview 

Management Suite includes a powerful reporting tool that lets you select and run 

reports on the clients on your network. 

You can choose from a wide variety of predefined LANDesk Management Suite 

(LDMS) service reports and inventory asset reports, or create your own custom asset 

reports. You can also organize reports into user-defined groups. 

Read this section to learn more about: 

• Report groups and predefined report lists 

• Creating custom asset reports 

• Running reports 

• Using the Report View 

• Importing and exporting reports 

130


Report groups and predefined reports lists 

Reports are organized in groups in the Reports window (Tools | Reports). 

Administrators can view the contents of all of the report groups. Users with the 

Reports right can also see and run reports, but only on the devices included in their 

scope. 

You can create new reports by right-clicking the Reports, My Reports, or All Custom 

Reports group, and then selecting New report. When you create a new report, it's 

automatically added to the All Custom Reports group. 

The left-hand pane of the Reports window shows a hierarchical view of the following 

report groups: 

My Reports 

Lists the reports (and reports groups) a user has added to their own My Reports 

group. Reports are run against the currently logged-in user's scope. 

An administrator can also add and remove reports in users' reports groups (see User 

Reports below). 

All LDMS Reports 

Lists all of the predefined Management Suite reports. Administrators and users with 

the Reports right see all of the LDMS reports. LDMS reports provide status 

information about various Management Suite service jobs, actions, or events that are 

executed on clients on your network, and include: 

APM Status 

• APM Status by Machine: Lists, by selected devices, the policies run 

on the devices along with the associated user the policy was run on, 

the last time the policy was run, and the status of the policy. 

• APM Status by Policy: Lists, by selected policies, the devices the 

policies have been run on along with the associated user the policy 

was run on, the last time the policy was run, and the status of the 

policy. 

• APM Status by User: Lists, by selected user, the policies run on the 

user along with the devices affected, the last time the policy was 

updated, and the status of the policy. 

• APM Status of All Policies: Lists by policy and device the user the 

policy was run on, the last time the policy was run, and the status of 

the policy. 

131

USER'S GUIDE 

Application Healing 

• Applications Healed Per Client: Lists, by selected date, the devices 

that have had Application Healing tasks run on them along with 

associated successful, failed and cancelled healing totals. 

• Broken Applications List: Lists for all devices the applications that 

are reporting being broken and the number of times they have been 

reported broken. 

• Client Event History: Lists by device every event that has taken 

place on a device along with any system error, auto installer error, or 

event code messages. 

• Computers Healed per Application: Lists by product the devices 

healed with that product, the number of successful, failed and 

cancelled healing attempts for the devices, and the last time healing 

took place. 

Multicast Client Status 

Multicast Subnet Representative Status 

OS Deployment Success Rate 

Scriptable Job Status 

Instead of containing predefined reports, the reports groups above contain log files 

for scheduled tasks (corresponding to the group category) that have been run on 

your Management Suite system. The number associated with each log indicates the 

Scheduled Task job number that the log references. You can right-click log files and 

select Run to generate a report based on the information contained in the log file. 

Note: All log files are stored in the \LANDesk\ManagementSuite\log directory. 

132


All Asset Reports 

Lists all of the predefined inventory asset reports. Administrators and users with the 

Reports right see all of the asset reports. Asset reports provide inventory information 

about clients on the network. 

Note: Inventory asset reports are Crystal Reports* templates of inventory 

attributes. A report consists of a query (.QRY), a data definition file (.TTX), and a 

report template file (.RPT). You can create additional reports to appear in the 

Reports dialog using Crystal Decisions' Crystal Reports 9. 

There are more than 50 predefined inventory asset reports: 

• Add Remove Programs by Computer: Lists all programs, for a selected 

device, that are registered for the Add/Remove Programs window on the 

Control Panel. 

• Anti-Virus Program Summary: Lists, by selected programs, the anti-virus 

software installed on all of the devices in the user's scope. 

• BIOS Summary: Lists, by BIOS manufacturer, the BIOS copyright string and 

date for all of the devices in the user's scope. 

• Computer Installations by File: Lists, by selected file, all of the instances 

of the file on the devices in the user's scope. 

• Computer Installations by Product: Lists, by program, each instance of 

every program for all of the devices in the user's scope. 

• Computer Installations by Vendor: Lists the number of copies of a given 

program by developer for all devices in the user's scope. 

• Computer Operating Systems: Lists the computers using operating 

systems you specify. 

• Computer Software Summary: Lists all of the programs for the selected 

device. 

• Computers by LDMS Client Version: Lists, by scanner version, all of the 

devices in the user's scope. 

• Computers for a Specific User: Lists, for the primary owner, the devices in 

the user's scope, along with the devices domain or workgroup location. 

• Computers in Domain or Workgroup: Lists, for the selected domains 

and/or workgroups, the devices in the user's scope that are members of a 

given domain or workgroup. 

• Computers in Subnet: Lists, by subnet, all of the devices in the user's scope 

that are a member of a given subnet. 

• Computers Running a Specific Service: Lists, for selected services, all of 

the devices in the user's scope that have a given service in their operating 

system. 

• Computers that can be Upgraded to Windows 2000: Lists all of the 

devices in the user's scope that meet the minimum disk, memory, and 

processor requirements for Windows 2000. 

• Computers that can be Upgraded to Windows XP: Lists all of the devices 

in the user's scope that meet the minimum disk, memory, and processor 

requirements for Windows XP. 

• Computers that can not be Upgraded to Windows 2000: Lists all of the 

devices in the user's scope that do not meet the minimum disk, memory, and 

processor requirements for Windows 2000. 

133

USER'S GUIDE 

• Computers that can not be Upgraded to Windows XP: Lists all of the 

devices in the user's scope that do not meet the minimum disk, memory, and 

processor requirements for Windows XP. 

• Computers with a Specific Hard Disk Size: Lists computers that have the 

hard disk size you specify. 

• Computers with Duplicate IDs: Lists all of the duplicate device names in 

the user's scope. 

• Days Since Last Hardware Scan: Lists, by the selected range of days, 

when the last hardware scan was run on all of the devices in the user's scope. 

• Days Since Last Software Scan: Lists, by the selected range of days, when 

the last software scan was run on all of the devices in the user's scope. 

• Disk Space Summary: Lists the hard disk total and available storage size for 

every device in the user's scope. 

• Domain Users: Lists all of the users in a given domain. 

• Hardware Inventory: Lists various hardware specifications for all of the 


• Hot Fix Installed: Lists, by hot fix, all of the hot fixes installed on all of the 


• IP Address Summary: Lists, by subnet, the IP address and NIC address for 

all devices in the user's scope. 

• Macintosh Disk Space: Lists the hard disk total and available storage size 

for every Macintosh device in the user's scope. 

• Macintosh Hardware Inventory Summary: Lists various hardware 

specifications for all of the Macintosh devices in the user's scope. 

• Manufacturers: Lists, by manufacturer, all of the devices, along with their 

computer model description and operating system, in the user's scope. 

• Memory Upgrade: Lists the total available memory, as well as the number 

of RAM slots used and available, for every device in the user's scope. 

• Operating System by Service Pack: Lists all of the devices in the user's 

scope by service pack. 

• Operating System Summary: Lists, by operating system, all of the devices 

in the user's scope. 

• Peripherals Summary: Lists, by device, information on the modem, printer, 

sound card, keyboard, and network adapter attached to the given device for 

all devices in the user's scope. 

• Physical Memory: Lists the amount of memory by range of memory for all 

of the devices in the user's scope. 

• Processor Distribution: Lists, by processor type, all of the devices in the 

user's scope, including processor speed. 

• Processor Speed: Lists the processor speed by range of processor speeds 

for all of the devices in the user's scope. 

• Processor Summary: Lists, by device, various information on the devices 

CPU for all of the devices in the user's scope. 

• Processor Type: Lists the processor type by processor class (Pentium II, 

Pentium 4, and so on) for all of the devices in the user's scope. 

• Processor Type and Speed: Lists the number of all processor types by 

speed for all of the devices in the user's scope. 

• Subnets by Subnet Mask: Lists, by subnet mask, all of a masks associated 

subnets. 

• System Asset Tags: Lists the current or last login name, serial number, and 

asset tag for all devices in the user's scope. 

• System Serial Number: Lists the current or last login name, serial number, 

and domain or workgroup for all devices in the user's scope. 

134


• Users in Selected Domain: Lists, by domain, all of the users in a given 

domain. 

• Video Adapter Type Summary: Lists by video adapter all of the devices in 

a user's scope that have a given video adapter as well as the video adapter's 

total memory. 

• Video Memory Summary: Lists, by total video memory, all of the devices in 

a user's scope that have a given amount of video memory. 

• Video Summary: Lists, by device, various information on the video adapter 

for all devices in a user's scope. 

All Software Licensing Reports 

Lists all of the predefined software license monitoring reports, including: 

• Application Usage by Computer: Lists, by selected device, the products 

run on that device by name, number of executions and duration of usage. 

• Applications Used in the Last N Days: Lists, by selected number of days, 

the products used, as well as the date and time of their last usage, for all 

devices. 

• Applications Used Less Than N Times: Lists, by selected product and 

range of times the product has been used, the number of times the selected 

product has been used on all devices. 

• Denial Report: Lists, by selected product, every device reporting that the 

selected product has been attempted to have been run along with the 

associated user and number of times denied. 

• Group Compliance: Lists, by selected product group, the products in the 

group along with their number of licenses and installations as well as the 

number of products out of compliance and licenses not being used. 

• License Product Usage by Product: Lists, by selected product, all of the 

devices that have the selected product, the last time the product was used, 

the last user of that product, the number of times the product was executed, 

the length of time the product was run, and the number of days since the 

product was last used. 

• Licensed Product Using Downgrade Rights: Lists for all products 

exercising a downgrade the number of licenses they are borrowing and from 

which product they are borrowing the licenses from. 

• Licenses Not Deployed Overall: Lists for all product groups the number of 

licenses not deployed by each group. 

• Licenses Not Deployed By Group: Lists, by selected product group, the 

number of licenses not deployed for every product in the group. 

• Overall Compliance: Lists for all product groups if the group is in 

compliance, the number of devices that are out of compliance, and the 

number of licenses not deployed. 

Note: Software License Monitoring reports are not constrained by the user's scope. 

135

USER'S GUIDE 

All Remote Control Reports 

Lists all remote control reports: 

• Remote Control History by Client: Lists the remote control histories for all 

clients in a specified date range. 

• Remote Control History by Console: Lists the remote control histories for 

all consoles in a specified date range. 

• Remote Control History for Managed Computer: Lists the remote control 

history for a specific client. 

• Remote Control Summary: Lists a summarized remote control history in a 

specified date range. 

All Unmanaged Devices Reports 

Lists all unmanaged device discovery reports: 

• Unmanaged Devices - Computers: Lists all computers in UDD's Computers 

tree. 

• Unmanaged Devices - Infrastructure: Lists all infrastructure network 

devices in the UDD's Infrastructure tree, such as routers. 

• Unmanaged Devices - Other: Lists all devices in UDD's Other tree. These 

are devices that don't respond to a discovery with more than an IP address. 

For example, this could be Macintosh or UNIX computers. 

• Unmanaged Devices - Printers: Lists all printers in UDD's Printers tree. 

• Unmanaged Systems: Lists all devices on the network that aren't assigned 

to a core server. 

• Unmanaged Systems with LANDesk Client Agent (CBA): Lists all 

computers in UDD's Computers tree that do have the Management Suite CBA 

agent installed on them. 

• Unmanaged Systems without LANDesk Client Agent (CBA): Lists all 

computers in UDD's Computers tree that don't have the CBA agent installed 

on them. 

All Custom Reports 

Lists all of the custom reports you've created or imported. For more information, see 

"Creating custom asset reports" in the next section. 

User Reports 

Lists all reports for all Management Suite users, organized into subgroups by user. 

User subgroups are named with their login IDs (i.e., computername\user account, or 

domain\user account). Each user group contains the reports that appear in that 

user's My Reports group. 

As with the User Devices and User Queries groups, the User Reports group can be 

seen ONLY by a Management Suite administrator (a user with the LANDesk 

Administrator right). Administrators can access a user's reports group to run reports 

against that user's scope, as if they were that user. In this way, an administrator can 

preview exactly what a user will see when they run a report. 

136


Creating custom asset reports 

You can create your own custom inventory asset reports based on column 

configurations that you create and that determine the inventory data that displays in 

the network view. These reports are saved as generic .CSV files. 

If you have Crystal Reports (version 9) installed, you can also create more 

sophisticated asset reports based on core database queries. If you do not have 

Crystal Reports installed, this feature is disabled. 

Creating .CSV reports 

To create a .CSV asset report 

1. In the Reports window, click Reports, and then click the New CSV Report 

toolbar button. 

2. In the New .CSV Report dialog, enter a name for the report. 

3. Select whether to report on all devices or only selected devices. 

4. Select whether you will use the current column configuration in the network 

view, or if you will select a different column configuration. 

5. Click OK to save the .CSV file with a name and directory location you specify. 

Note: You can also export a .CSV asset report for use with other reporting tools. 

About the New CSV Report dialog 

Use this dialog to create a .CSV asset report. 

• File Name: Enter a unique file name at the end of the existing path. If the 

directory path does not exist, you're prompted whether you want to create it. 

• Report on devices: Specifies whether to run the report on all devices, or 

only on currently selected devices in the network view. 

• Column configuration: Specifies which inventory data to report on, based 

on column configuration. You can use the current column configuration or 

select another one of your column configurations. 

• OK: Saves the report and closes the dialog. 

• Cancel: Closes the dialog without saving the report. 

137

USER'S GUIDE 

Creating Crystal reports 

To create a Crystal Reports asset report 

1. In the Reports window, click Reports, and then click the New Crystal 

Report toolbar button. 

2. In the New Crystal Report dialog, enter a unique name for the report. 

3. Select the core database query that you want to base the report on. You can 

create a new query or use an existing one. If you do not select a query, the 

report will generate results for all devices in the user's scope. 

When creating a Crystal Report, you must set at least once column for the 

report. 

4. Click Launch Crystal Reports to start the Crystal Reports wizard. 

5. Follow the steps noted on the New Crystal Report dialog. You can also click 

Help on the Crystal Reports wizard if you want more detailed information. 

About the New Crystal Report dialog 

Use this dialog to create a Crystal Reports asset report. 

• Name: Enter a unique name for the report. 

• Query Name: Specifies the data that will be reported on for selected devices. 

You can either create a new query, edit and existing query, or simply select 

an existing query. 

• Launch Crystal Reports: Starts the Crystal Reports wizard. Follow the steps 

on the dialog to create the report. 

Running reports 

You can run any report from the Reports window. You can also run asset reports 

directly from a device in the network view. 

From the Reports window, right-click the report you want to run, and then click Run 

(or, click the Run toolbar button). The report data displays in the Report View. 

From the network view, right-click the device, click Run Asset Report, and then 

double-click the report in the Report dialog that you want to run. The report data 

displays in the Report View. 

138


Using the Report View 

The Report View provides toolbar features that let you: 

• Browse: Lets you read the report, page by page, or by report component 

(client, software, user, etc.). 

• Print: Opens your standard default printer dialog. 

• Export: Opens an export dialog where you can save the report data to a 

Crystal Reports file, PDF file, Excel spreadsheet, Word document, or RTF file. 

• Search: Allows you to search for a specific text string anywhere in the report 

data. 

Importing and exporting reports 

The Management Suite Reports tool supports both importing and exporting Crystal 

reports. Crystal reports are stored as XML report files. With import and export, you 

can transfer reports from one core database to another. 

A report can be imported to the My Reports, All Custom Reports, and User Reports 

groups. 

To import a Crystal report 

1. Right-click the reports group where you want to place the imported report. 

2. Select Import from the shortcut menu (or from the toolbar). 

3. Navigate to the report file (.XML) you want to import and select it. 

4. Click Open to add the report to the selected group in the network view. 

You can export individual reports as well as entire reports groups and their contents. 

To export a Crystal report 

1. Right-click the Crystal report (or reports group) you want to export. 

2. Select Export from the shortcut menu (or from the toolbar). 

3. Navigate to the location where you want to save the report. 

4. Type a name for the report. 

5. Click Save to export the report. 

139

Chapter 5: Administering remotely 

Use LANDesk Management Suite's Remote Control feature to easily resolve client 

problems from one location. Read this chapter to learn about: 

• Remote controlling clients 

• Starting a remote control session 

• Viewing Session Messages 

• Executing programs remotely 

• Chatting with remote clients 

• Transferring files to remote clients 

• Shutting down and rebooting remote clients 

• Configuring session options 

• Changing client remote control security 

• Configuring Mac OS X remote control options 

• Using remote control logging 

• Troubleshooting remote control sessions 

141

USER'S GUIDE 

Remote controlling clients 

Use Remote Control to remotely access a client from the console. You can only 

remote control clients that have the Remote Control agent installed. During a remote 

control session, the remote client actually has two users—you and the end user. You 

can do anything at the remote client that the user sitting at it can do. All of your 

actions are in realtime on that client. 

Management Suite enables you to remote control these client types: 

• Windows NT/2000/2003/XP clients 

• Windows 95/98 clients 

• NetWare servers 

• Mac OS 8, 9.2.2, 10.2.x, and 10.3.x clients 

Video support 

Remote Control doesn't support DOS graphics. It also doesn't support full-screen 

DOS windows. 

To be remote controlled, clients must: 

• Have the LANDesk agents loaded—These agents are installed and set up 

by: 

• Creating a client configuration task in the console and pushing it to the 

client. 

• Mapping a drive from the client to the core server and running the 

appropriate client configuration. 

• Allow remote control—If their remote control client configuration allows it, 

users can set remote control access and control parameters using the Remote 

Control Settings application. Users can access this application at the client by 

clicking Start | Programs | LANDesk Management | Remote Control 

Settings or by directly running EDTININT.EXE. 

LANDesk Management Suite 8 no longer supports NetWare security for remote 

control. 

142

CHAPTER 5: ADMINISTERING REMOTELY 

Macintosh support 

The table below describes Macintosh support for Remote Control viewer features: 

Feature 

Remote 

control 

Mac OS 8 and 

9.2.2 

Yes 

Mac OS X 10.2.x 

and 10.3.x 

Yes 

File transfer Yes Yes 

Remote 

execute 

Yes 

Yes 

Chat No Yes 

Remote 

reboot 

No 

Yes 

Mac OS 8 and 9.2.2 clients don't support chat or remote reboot 

The chat and reboot Remote Control viewer window buttons don't work when 

controlling Mac OS 8 and 9.2.2 clients. 

Starting a remote control session 

If the Remote Control agent is loaded, the Session Messages window tells you that 

the agent is found and what protocol it's using. You will also see a magnifying glass 

icon appear on the client you selected. 

To see if the Remote Control agent is loaded 

1. In the console's network view, click the client you want to check. 

2. Click View | Session Messages. 

For more information about the Session Messages window, see "Viewing Session 

Messages" later in this chapter. 

To start Remote Control 

1. In the console's network view, select the client you want to control. Click 

Device | Remote Control to open the Remote Control Viewer window. 

2. In the edit field at the top of the Viewer window, type in the name or IP 

address of a remote client. 

3. Click Tools | Remote Control to remotely access the client. 

Once you've taken control of a remote client, its screen appears in the Viewer 

window. Because the Viewer window usually isn't as big as the remote client's 

screen, you'll either need to enable Autoscroll to scroll up, down, and side to side, or 

use the Move Remote Screen icon to maneuver more easily around the different 

areas of the remote screen. 

143

USER'S GUIDE 

If you want to speed up the viewing rate or change the Viewer window settings, use 

the items under the Options menu. To remotely chat, transfer files, or reboot the 

client, use the items under the Tools menu. 

To view different areas of a remote client screen 

You must currently be remote controlling a client for this option to work. 

Or 

• Click Options | Autoscroll. When toggled on, Autoscroll enables you to place 

your cursor along the yellow/black border of the Viewer window and scroll up, 

down, or side to side. The closer your cursor gets to the border, the faster the 

scrolling will occur. 

1. On the right side of the edit field (where you entered the name of the remote 

client), click the Move Remote Screen icon. 

2. Your cursor becomes a hand that you can click, drag, and release to view 

various areas of the remote screen. 

To stop a remote control session 

• Click Tools | Remote Control again. Even though this action ends the active 

session, you will still have a connection to the remote client until you enter a 

new client name or IP address, or close the Viewer window. 

Viewing session messages 

You can use the Viewer window's session messages section to view a history of 

status messages sent to the status bar (such as Remote Control agent packet 

exchanges). In addition to other information this history contains, it lets you: 

• Diagnose problems with the session 

• Check whether the Remote Control agent is loaded 

• Check the status of the Remote Control agent 

To view Session Messages from the console 

• In the Viewer window, click View | Session Messages. 

144


Saving session messages 

While you're in a remote control session, you have the option of saving the session 

messages. These messages may be useful if you need to troubleshoot any issues 

related to using remote control on a particular client. 

To save session messages 

1. In the Viewer window, click File | Save Session Messages. 

2. In the Save As dialog, type in a filename and save as a .TXT file. The session 

messages are saved to the My Documents folder by default. 

Executing programs remotely 

In the Viewer window, you can start any program on a remote client. Among other 

things, this lets you: 

• Run diagnostic tools from your management console 

• Assist the remote client's user 

To execute programs remotely 

1. In the Viewer window, click the View menu. Ensure that the Remote 

Execute option is enabled. 

2. In the toolbar's Run field, enter the path for the program you want to run. If 

you need to browse to the program, click the browse icon to the left of the 

field. 

3. To run the program on the remote client, click the remote execute icon to the 

left of the Run field. 

Chatting with remote clients 

You can use the Remote Control Viewer window to chat with a user at a remote 

client. This feature is useful if you need to give instructions to a remote user whose 

dial-up connection is using the only available phone line. Users can respond back 

using the Chat window that appears on their screen. You can only use chat on clients 

that have the Remote Control agent installed. This feature works even if you're not 

currently remote controlling a client. 

If you want to save the messages from a chat session, you can. Any text appearing 

in the gray area of the chat session can be saved to a text file. 

To chat with a user at a remote client 

1. In the edit field at the top of the Viewer window, type in the name of a client. 

2. Click Tools | Chat. A section of the Viewer window turns into a chat area. 

3. In the lower left section of the chat area, type in a short message. Click 

Send. 

145

USER'S GUIDE 

Your message will appear on the remote client's screen. A user can respond by 

typing a message and clicking Send. The user also can click Close to exit out of a 

chat session. 

To save messages from a chat session 

1. In the chat area of the Viewer window, click Save. 

2. In the Save As dialog, type in a filename and save as a .TXT file. The chat 

session is saved to the My Documents folder by default. 

Transferring files to remote clients 

You can use the Remote Control Viewer window to transfer files to and from your 

client and the remote client. In essence, this works as though you've mapped a drive 

to the remote client. You can only transfer files to/from clients that have the Remote 

Control agent installed. This feature works even if you're not currently remote 

controlling a client. 

To transfer files to a client 

1. In the edit field at the top of the Viewer window, type in the name of a client. 

2. Click Tools | File Transfer. Windows Explorer appears. 

3. Select a file to transfer by clicking the filename. Right-click and select Copy. 

4. Scroll down the Windows Explorer tree to Remote Computers. You should 

see the name of the remote client you're currently controlling. 

5. On the remote client, select a folder to paste the file to, then right-click and 

select Paste. 

Similarly, you can also transfer files from a remote client to your client. 

To configure file transfer settings 

1. Click Tools | File Transfer. Windows Explorer appears. 

2. Click Remote Computers | Settings. The File Transfer Settings dialog 

appears with a General tab and a Session Log tab. 

3. For the General tab, select from these options: Show actual icons, Monitor file 

system changes, Use data compression, and View network shares. 

4. For the Session Log tab, select from these options: Log copy activity, Log 

deletion activity, Log directory creation activity, and Log renaming activity. 

When you select the Session Log tab and then configure session log activities, there 

is no actual log kept for those activities. Instead, a record of these activities (which 

can be saved) is recorded in session messages area of the Remote Control Viewer 

window. 

146


Shutting down and rebooting remote clients 

You can remotely shut down or reboot clients. When you do, a message box appears 

on the client warning them that their system will shut down in 10 seconds. They can 

click a Shutdown button or a Cancel button. If the user clicks neither button the 

shutdown or reboot happens when the countdown reaches 0. 

If the client has applications open with unsaved data, those applications will probably 

interrupt the shutdown when they prompt for the user to save. You may have to 

remote control the client and save/close applications or have the user do it for the 

shut down or reboot to work. 

To shut down a client 

• In the network view, click the client you want to shut down. From that client's 

shortcut menu, click Shut Down. 

To reboot a client 

• In the network view, click the client you want to reboot. From that client's 

shortcut menu, click Reboot. 

147

USER'S GUIDE 

Configuring session options 

Use items under the Options menu to enhance the quality of a remote control 

session. You can speed up the viewing rate and change the Viewer window settings 

using these options. 

• Autoscroll: Enables the Viewer window to scroll as you move the cursor 

closer to the window border. The closer you move to the border, the faster 

the scrolling occurs. Toggle on/off; item is on when a check mark appears 

next to it in the menu. 

• Hotkey settings: Enables you to accomplish quickly the common tasks 

associated with remote control, such as refreshing or restarting the Viewer 

window. 

• Performance settings: Speeds up a remote control session by reducing 

colors and images transferred from the remote client's screen. 

• Blank client screen: Blanks the client's screen so only the user running the 

viewer can see the user interface display on the remote client. Toggle on/off; 

item is on when a check mark appears next to it in the menu. 

• Keyboard and mouse lockout: Locks the client's keyboard and mouse so 

that only the user running the Viewer window can control the remote client. 

Toggle on/off; item is on when a check mark appears next to it in the menu. 

• Synchronize clipboards: Synchronizes the keyboards between the 

management console and remote client so you can paste information between 

the two clients. Toggle on/off; item is on when a check mark appears next to 

it in the menu. 

To configure session options 

1. In the Viewer window, click the Options menu. 

2. Click the options you want to enable or configure. 

Adjusting the view options 

The Remote Control Viewer window has various viewing options that you can adjust 

for a remote control session. 

• Toolbar: Displays icons for the same items found in the Tools menu. 

• Status bar: Displays at the very bottom of the Viewer window. It shows the 

status of Viewer window activities as they occur. 

• Session messages: Appear in an area at the bottom of the Viewer window. 

These messages show you exactly what has occurred while the Viewer 

window has been open, and may be useful for troubleshooting when you can't 

connect to a remote client. You can save these messages to a .TXT file to 

review later. 

• Remote execute: Displays remote execute controls in the toolbar that allow 

you to browse to and execute a batch file or application on the remote client. 

148


To adjust the view options 

1. In the Viewer window, click theView menu. 

2. Enable or disable the options. You can have as many of these options enabled 

at one time as you want. All settings are immediately effective and are 

retained in the next remote control session. 

About remote control hotkeys 

Use hotkeys to perform quickly the tasks commonly used during remote control. 

Default hotkey settings already exist, but you can customize these settings to meet 

your needs. Hotkeys are enabled by default. 

• Refresh viewer: Refreshes the Viewer window. 

• Restart viewer: Refreshes the Viewer window and the data in the remote 

client screen. 

• Enable hotkeys: Toggles on/off the hotkeys configured in this dialog. Upon 

toggling this setting, you'll see a "Hotkeys: Enabled/Disabled" message in the 

Viewer window. 

• Close viewing session: Closes the remote control session with a particular 

client. 

To change hotkey settings 

1. In the Viewer window, click Options | Hotkey settings. 

2. Place your cursor in the edit field of the hotkey setting you want to change. 

Ctrl+Alt combinations work best, because they're least likely to be in use with 

another application. 

3. On your keyboard, press the new hotkey combination you want to use. This 

combination will appear as the new setting. 

4. Click OK to apply the change. 

To disable a hotkey setting 

1. In the Viewer window, click Options | Hotkey settings. 

2. Place your cursor in the edit field of the hotkey setting you want to disable. 

3. On your keyboard, press the Backspace key. "None" will appear in the edit 

field. 

4. Click OK to apply the change. 

149

USER'S GUIDE 

To use hotkeys 

1. You must be actively remote controlling a client to use hotkeys. 

2. With the focus on the Viewer window, press the hotkey combination for any 

one of the available actions. 

About the Viewer window focus... 

If you find that the hotkeys don't work, it could be that the focus isn't on the Viewer 

window. If the border is blue/black, the focus isn't on the window. Click your cursor 

inside the window to change the border to yellow/black. You should now be able to 

use hotkeys. 

About remote control performance settings 

The performance settings speed up a remote control session on remote clients. If the 

viewing rate is too slow, you can select a compression method to reduce overhead. 

By default, compression methods aren't enabled. 

• Suppress client wallpaper: Speeds up the viewing rate by suppressing the 

remote client's background wallpaper. Ornate wallpapers can substantially 

slow down a remote control session. 

• Jpeg compression: When you're controlling a client that displays bitmaps, 

this option replaces the need to suppress client wallpaper by compressing 

large images more efficiently. It's also good for large splash screens. Some 

image artifacting might occur with this option, such as when you move the 

cursor over a bitmapped image. Works on Windows NT/2000/2003 remote 

clients only. 

• Color depth reduction: If you're connecting via a slow link or Dial-Up 

Networking connection, this option reduces the amount of transferred color 

information. The closer you get towards full reduction, the more color 

artifacting you might see. Works on Windows NT/2000/2003 remote clients 

only. 

To enable compression methods 

1. In the Viewer window, click Options | Performance Settings. 

2. Click Suppress client wallpaper if you want to speed up the viewing rate. 

3. For Jpeg compression, move the slider rule towards Full compression to 

achieve the most image compression, as well as the fastest viewing rate. 

4. For Color depth reduction, move the slider rule towards Full reduction to 

achieve the most color reduction, as well as the fastest viewing rate. 

150


Changing client remote control security 

Management Suite has a high level of control over clients when granted access 

rights. The client controls remote access security. It stores its remote access security 

settings in the registry. 

Users can use the Remote Control Settings application to require that they grant 

permission to anyone trying to remote control their client. When a console attempts 

to remotely control such a client, a message appears on the client screen indicating 

who the console user is and asking whether to grant remote control access. This 

provides a simple authentication between the management console and the client. 

When remotely controlling Windows NT/2000/2003/XP clients, Management Suite 

can provide additional security through the User Manager by permitting only certain 

viewers remote access. 

For more information on remote control security and client configurations, see 

"Deploying remote control" in chapter 2. 

To change a client's security settings 

1. From the client's Windows task bar, or while controlling the client, click Start 

| Programs | LANDesk Management | Remote Control Settings. 

2. Click the settings you want. 

3. Click Apply to make the new security settings effective immediately. 

4. Click OK. 

You can also edit the remote control settings by running EDTININT.EXE from the 

operating system's command line. If you're changing the security settings for a 

Windows NT/2000/2003/XP client, make certain that you, as the administrator, are 

in the Remote Control Operators group. 

151

USER'S GUIDE 

Configuring Mac OS X remote control options 

The Mac OS X Remote Control client agent has options that are similar to those 

found on Windows clients. You can configure the following remote control options: 

• Open applications and files: Permit an administrator to remotely open files 

on this client. 

• Copy items: Permit an administrator to remotely copy files to and from this 

client. 

• Delete and rename items: Permit an administrator to remotely delete or 

rename files that reside on this client. 

• Lock keyboard and mouse: Permit an administrator to lock your keyboard 

and mouse during a remote control session. This option prevents you from 

interfering with remote actions. 

• Blank screen: Permit an administrator to make your screen go blank during 

a remote control session. This option is useful if your client contains sensitive 

documents that an administrator may need to open remotely without letting 

others read if they happen to walk by your client monitor. 

• Restart and shut down: Permit an administrator to remotely restart or shut 

down your client. 

• Control and observe: Permit an administrator to remote control and 

observe your actions on this client. 

• Show when being observed: When a remote control session is 

active, display a visual cue in the menubar (OS X only). 

• Give control to user: Permit an administrator to remote control this client in 

these situations: 

• Always: From any domain, whenever necessary. 

• From same domain: From the same domain only. 

• By session: On a session-by-session basis. Each time an 

administrator tries to start a remote control session, a dialog pops up 

letting you prevent the session or allow it to continue. 

• Depth: Select the color depth that should be transmitted to the remote 

control viewer window in the console or the Web console. The higher the color 

depth, the more bandwidth that remote control requires and consumes. At 

the beginning of a remote control session, the color depth changes to the 

selected value. 

To configure Mac OS X Remote Control agent settings 

1. On the Macintosh OS X client, open System Preferences and select the 

LANDesk Client panel. 

2. On the Remote Control tab, set your preferences. 

152


Using remote control logging 

By default, Management Suite logs remote control actions, including the client 

remote controlled and the console doing the remote controlling. You can disable 

remote control logging if you want or purge remote control log entries older than a 

date you specify. If logging is enabled, you can view these remote control reports 

(Tools | Reports > All Remote Control Reports): 

• Remote Control History by Client 

• Remote Control History by Console 

• Remote Control History for Managed Computer 

• Remote Control Summary 

To enable or disable remote control logging 

1. Click Configure | Remote Control Logging. 

2. Check or clear the Enable remote control logging option, depending on 

your preference. 

To purge the remote control log 

1. Click Configure | Remote Control Logging. 

2. Enter the date you want purged. All entries older than this date will be 

deleted. 

3. Click Purge Now to execute the purge. 

153

USER'S GUIDE 

Troubleshooting remote control sessions 

This section describes problems you may encounter when remote controlling a client 

and possible solutions. 

I can't remote control a client 

Check that the client has the LANDesk agents loaded. 

To check that the LANDesk agents are loaded: 

• In the console's network view, click Properties from the client's shortcut 

menu. Click the Agents tab and view the loaded agents. 

To load the Remote Control agent 

• Create a client configuration task in the console and push it to the client, or 

map a drive from the client to the core server and run the appropriate client 

configuration task. 

Remote Control Viewer window has either black spots or missing characters 

This is usually caused by a video driver incompatibility. 

To resolve incompatibility with video drivers 

1. Get the most recent video driver from the manufacturer. 

2. Make certain that you have the most recent LANDesk agents and display 

drivers. 

Images from target client don't appear accurately in the Remote Control Viewer 

window 

This is usually caused by a video driver incompatibility. 

To resolve incompatibility with video drivers 

1. Get the most recent video driver from the manufacturer. 

2. Make certain that you have the most recent LANDesk agents and display 

drivers. 

Can't transfer files between the console and a target client 

Check to see if you're running Norton AntiVirus*, and if its Integrity Shield is turned 

on. If the Integrity Shield is turned on, you must have temporary privileges that let 

you copy to the directory that the Integrity Shield is protecting. 

154


Target client hangs or another application won't work after LANDesk agents are 

loaded 

This can be caused by conflicts between Management Suite and other remote access 

applications. 

To resolve conflicts between Management Suite and other applications 

1. Get the most recent software version from the manufacturer. 

2. Make certain you have the most recent LANDesk agents. 

155

Chapter 6: Distributing software and files 

This chapter explains how to use LANDesk Management Suite to distribute software 

and files to clients throughout your network. 


• Enhanced Software Distribution 

• Using Targeted Multicast with Enhanced Software Distribution 

• Setting up a package-building computer 

• Package-building overview 

• Running the Package Builder wizard 

• Setting up the delivery server 

• Configuring clients to receive packages 

• Distributing a package 

• About byte-level checkpoint restart and dynamic bandwidth throttling 

• Working with Mac OS X distribution scripts and packages 

• Distributing files with a file transfer script 

• Uninstalling software distribution packages 

157

USER'S GUIDE 

Enhanced Software Distribution 

Enhanced Software Distribution (ESWD) enables you to deploy software and file 

packages to clients running the following operating systems: 

• Windows 95B/98SE 

• Windows NT (4.0 SP6a and higher) 

• Windows 2000/2003/XP 

• Mac OS X 10.2.x. and 10.3.x 

Software distribution features include: 

• LANDesk Targeted Multicasting features that minimize bandwidth use when 

distributing large packages to many users—without dedicated hardware or 

router reconfigurations 

• Deployment task scripting enables detailed control over how tasks complete 

• Easy task scheduler integrates with the inventory database to make target 

selection easy 

• Real-time status reporting for each deployment task 

• Distribution to Macintosh* OS 10.2 clients 

• Mobile device support, including bandwidth detection, checkpoint restart and 

automatic task completion 

• Full-featured package builder 

• Ability to distribute any package type, including MSI, setup.exe and other 

installers 

• Both push and pull distribution to support your deployment plans 

ESWD uses package-building technology to create a standalone executable program 

for the required software installation. Once a package is built, it's stored on a Web or 

network server called a "delivery server." Through the console, you can schedule 

distribution using the Scheduler. The core server communicates the package's 

location (URL) to the client, and then copies only the files the client needs from the 

delivery server. 

For example, if you're reinstalling a software program because some of its files were 

corrupted or missing, the system copies only the damaged or missing files, not the 

entire program. This technology also works well over WAN links. You can store the 

package on multiple servers, and then schedule clients to use the server appropriate 

to their needs (that is, location proximity, bandwidth availability, and so on). 

ESWD will also resume interrupted package downloads. For example, if a mobile 

client was in the process of downloading a large package and that client disconnects 

from the network, once the client reconnects the download resumes right where it 

left off. 

The following steps outline the software distribution process: 

1. Install the Package Builder software. 

2. Create a software package. 

3. Stage the package on the delivery server to be sent out to the clients. 

4. Use the console to select a package for installation on clients, then create a 

task to deploy this package. 

5. Schedule the package for delivery to clients. 

158

CHAPTER 6: DISTRIBUTING SOFTWARE AND FILES 

6. When the scheduled time occurs, the Scheduler contacts the ESWD agent on 

each client and informs it that the package is ready for installation. 

7. The ESWD agent downloads the package from the delivery server and 

processes it on the client by installing or removing the packaged files. 

8. After the package is processed, the ESWD agent sends the result to the core 

server, where it's recorded in the core database. 

The following components of software distribution run or reside on the core server: 

• LANDesk Custom Job processor: This program (CUSTJOB.EXE), launched 

by the Scheduler, starts a distribution job. 

• LANDesk Scheduler service: The console communicates with this program 

(SCHEDSVC.EXE) to schedule package distribution. 

• Distribution package script: This small .INI script file is created when you 

select a software distribution package in the Manage Scripts window. This 

script file is sent to clients, and they use the commands in the script to 

download and install the package. 

• Software distribution packages: You build these packages on the packagebuilding 

computer, but they aren't moved automatically to the delivery 

server. 

Using Targeted Multicast with Enhanced Software Distribution 

LANDesk Targeted Multicast technology makes it possible to distribute large 

packages to many users across the network with a minimum of network traffic. 

Targeted Multicast features require no additional hardware or software infrastructure, 

and require no router configurations to allow multicast packets. You get the 

potentially extraordinary benefits of multicast technology with none of its traditional 

headaches. 

Targeted Multicast is designed to work with your existing software distribution 

packages. When you use Targeted Multicast, you can easily distribute software, even 

in WAN environments with multiple hops and low connection speeds (56k). Targeted 

Multicast uses HTTP for delivery from a Web site to a subnet representative. 

Management Suite's inventory scanner provides all the subnet information to the 

Targeted Multicast service. 

Targeted Multicast provides unique benefits that standard methods of "multicast" 

don't provide. Inventory-based targeting of clients enables you to send a package to 

a selected group of computers that fit specific criteria via a multicast. Targeted 


deliveries. 

When compared to conventional software distribution methods, Targeted Multicast 

significantly reduces the time and bandwidth needed to deliver software packages. 

Instead of sending a package across the wire for each client, only one transfer is 

made for each subnet. Bandwidth savings increase as the number of clients on each 

subnet increases. 

You can activate Targeted Multicast by checking the Use Multicast to distribute 

this package option on the Create Script page that you'll see when creating a 

distribution package script. Checking this option adds a few multicast-specific pages 

to the create script wizard. 

159

USER'S GUIDE 

When you start a distribution using Targeted Multicast, you'll see the Multicast 

Software Distribution window. This window contains detailed information about how 

the distribution is proceeding. For more information about what each field means, 

click the Help button on the Multicast Software Distribution window. 

Both Windows and Macintosh OS 10.2 clients support Targeted Multicast. 

Using peer download 

Management Suite 8 adds a new feature to Targeted Multicast, peer download. Peer 

download forces targeted clients to install a package from the clients' local cache or 

from a peer on the same subnet. This option conserves network bandwidth, but for 

the package installation to be successful, the package must be in the local cache or a 

peer's cache. One way of using this option is to first copy the package to a client on 

each subnet with the Use Multicast to copy files to the local multicast cache 

directory option earlier in the wizard. 

If you don't select the Peer Download option, the Targeted Multicast client agent 

will still attempt to conserve bandwidth by checking the following locations for 

package files in this order: 

1. Local cache 

2. Peer on the same subnet 

3. Package server 

Copying files to the local multicast cache folder 

You have the option of copying one or more files to the local multicast cache folder 

using multicast. This option copies a file to the target clients' local cache. It doesn't 

install the file or do anything else with it. This option is useful for getting files to 

multicast domain representatives or a client in each multicast domain. You can do an 

initial deployment to domain representatives and then redo the deployment with the 

peer download option to ensure clients only download the package from a peer on 

their subnet. 

Configuring Targeted Multicast 

Before using Targeted Multicast, you need to make sure the Targeted Multicast 

components are in place on the subnet you're distributing to. Targeted Multicast 

requires Management Suite 8 agents and a multicast domain representative. 

You can throttle multicasts by changing the Minimum number of milliseconds 

between packet transmissions option in the Configure Advanced Multicast 

Options page of the Migration Tasks wizard. 

To manually specify which computers will be multicast domain representatives 

1. In the network view, click Configuration > Multicast Domain 

Representatives. 

2. Add domain representatives by dragging the computers you want to be 

representatives from the network view into this category. 

160


Targeted Multicast will use the first computer per subnet in the Multicast Domain 

Representatives group that responds. 

Only windows computers can be multicast domain representatives. If you are using 

multicast to distribute packages to Macintosh computers, make sure there is at least 

one Windows computer in the multicast domain that can act as a domain 

representative for the Macintosh computers. If you only have a few Windows 

computers in a predominantly Macintosh environment, it's best to manually specify 

Windows domain representatives in the Multicast Domain Representatives group. 

About the Management Suite Services Multicast tab 

You can also customize Targeted Multicast options in the Configure Management 

Suite Services dialog. 

To configure the Targeted Multicast service, click Configure | Services | Multicast 

tab. 

• Use Multicast domain representative: Uses any domain representatives 

specified in the Configuration > Multicast Domain Representatives 

network view group. 

• Use cached file: Queries each multicast domain to find out who might 

already have the file, therefore not needing to download the file to a 


• Use cached file before preferred domain representative: Changes the 

order of discovery to make Use cached file the first domain representative 

selection option attempted 

• Use broadcast: Sends a subnet directed broadcast to find any computer in 

that subnet that could be a multicast domain representative. 

• Log discard period: The number of days that entries in the log will be 

retained before being deleted. 

If all of these multicast discovery methods fail to find a multicast representative, the 

multicast server contacts each client in the target list to determine if it can be a 

multicast representative. 

161

USER'S GUIDE 

Setting up a package-building computer 

The package-building computer should be a dedicated computer with a clean 

installation of its operating system. The clean installation is necessary because the 

package-building process captures all elements added or modified on the packagebuilding 

computer. 

Because you can distribute packages only to clients running the same operating 

system as the package-building computer, you should have a separate packagebuilding 

computer, or a separate drive partition, for every operating system you 

distribute to. You can also use a single computer with multiple OS images as your 

package-building computer. 

Any preinstalled software on the package-building computer reduces the Package 

Builder's ability to recognize changes. For this reason, your package-building 

computer must be as generic and clean as possible. This rule also applies to the 

CONFIG.SYS and AUTOEXEC.BAT files and other configuration files that the 

application installation process may modify. 

To install the package-building software 

1. From your package-building computer, browse to ENUSETUP.EXE in the 

LDMAIN\install\Package_Builder folder of the core server. 

2. Double-click ENUSETUP.EXE, then click Next. 

3. Type in the location of the folder where you want to install the packagebuilding 

software, then click Finish. 

Setup puts three items on the package-building computer: 

• Package Builder wizard: Used to automatically create software distribution 

packages. It takes a "before" snapshot of the computer's state, has you install 

the software, takes an "after" snapshot of the computer's state, and builds a 

package from the differences in the snapshots. 

• Enhanced Package Builder: Used to manually create, modify, and edit 

software distribution packages. 

• Package Builder wizard help: Online help that describes the Package 

Builder wizard. 

Once the Package Builder software is installed on your computer, you can use this 

computer to create and edit software distribution packages. The Package Builder 

stores packages on the local hard disk by default. Once these packages are built, you 

must move them from the package-building computer to the package share on your 

delivery server. 

162


Package-building overview 

You can use the Package Builder wizard to automate the process of taking snapshots 

and compiling them into standalone packages. As shown below, the process includes 

four steps: 

1. Taking a pre-installation snapshot 

2. Installing the application or making a computer configuration change 

3. Taking a post-installation snapshot 

4. Restoring the package-building computer 

1. Taking a pre-installation snapshot 

To build a software package, use the Package Builder to scan the local hard drive. 

You can specify exactly which portions of the drive are scanned in the Scanning 

Options page. This scan checks the system registry and all the directories and files 

on the local computer. After you install new software on the system, the Package 

Builder uses this information to detect what changes were made to the computer; it 

then compiles these changes to create the software distribution package. This 

information is stored in the Temporary Work Directory. Specify this directory in the 

Options page of the Package Builder wizard. 

Package Builder scans all local drives by default. If you don't plan to make any 

changes to a local drive during the installation, remove it from the scan to speed up 

the pre-scan process. For best results, allow the Package Builder to scan the drive 

partition where the operating system is stored, plus the drive where you intend to 

install the software or change the configuration. 

If, at any time during the package-building process, the hard drive space on the 

package-building computer gets low, the Package Builder will stop, display a 

warning, allow you to provide more drive space, then continue the package-building 

process. 

Even if you remove all the local drives from the scan list, the Package Builder still 

scans the system files and folders, as well as the computer's registry. 

2. Installing the application or making a computer configuration 

change 

Once the pre-installation snapshot is created, the Package Builder prompts you to 

install the application software to distribute as a package. 

You can install multiple applications in a single package, but you should install only 

suite-type applications with this process. If you install multiple applications as one 

distribution package and later want to omit one, you must first remove the entire 

group and then install a new group of applications. If you want to install multiple 

packages to your managed clients, you should edit the software distribution script so 

that it installs several different packages during the distribution. 

163

USER'S GUIDE 

The Package Builder monitors the installation during this step, then waits until the 

installation is finished to continue with the wizard pages. You can then customize the 

finished program. For example, if the install program creates an uninstall icon that 

you prefer not to distribute to clients, you can delete the icon before the postinstallation 

snapshot in step 3, omitting it from the package. You can also add new 

icons to specific program groups, which provides a single point of access for all your 

users. 

You need to provide any setup information requested by the system, and answer all 

questions presented during the software setup. The Package Builder cannot perform 

these tasks for you, but it will save the information as part of the package. 

If you want to change only some of the system settings on clients, or if you want to 

copy a collection of specific files, you can create a package without using the 

snapshot process. 

When you're satisfied that the application software or the configuration changes are 

ready, return to the wizard and click Next to start the post-installation snapshot. 

3. Taking a post-installation snapshot 

In this step, the Package Builder takes a second snapshot of the package-building 

computer and compares it with the pre-installation snapshot. By analyzing the 

differences, the Package Builder can identify any changes that have occurred on the 

computer, and then build a package distribution configuration script. This file has a 

.CFG file extension, and is located in the c:\Program Files\Intel\Package 

Builder\Working folder on the package-building computer. 

This .CFG script file describes the changes to the registry, the file system, the 

desktop, and other system resources. It does not create a removal control file 

however, so you must add an uninstall option manually, either when you edit the 

script or when you schedule it for distribution. 

Once these changes are saved, the Package Builder wizard offers the option to 

compile the .CFG file into an executable file, or to open it in Package Builder to make 

additional changes. Click Edit to open the new .CFG file in Package Builder and make 

your modifications. When you're satisfied with the installation, click Build to create 

the package. 

Once finished, a page appears showing that the package was created and stored in 

the default directory on the package-building computer. 

164


4. Restoring the package-building computer 

Once you finish the package-building session, you should restore the packagebuilding 

computer to its pre-installation state. This process ensures that the 

computer is in a clean state for the next package build. ESWD doesn't include a 

process for restoring the computer to a clean state; therefore, you should use a 

computer-imaging program such as the LANDesk imaging tool that is part of OS 

Deployment, Symantec's Ghost*, and so on to restore the client's operating system. 

If you use a utility like Ghost to restore the package-building computer, you will also 

delete the .CFG file that was used to create the package. If you want to keep these 

files available, either to use in future packages or to edit at a later time, you can 

store them on a network share drive. Just specify a network location in the Options 

page of the wizard to preserve these files. 

By default, each new system scan is stored in a new working directory, but you can 

use the same folder again if you prefer to overwrite the old system scan. Some users 

keep software images of multiple operating systems on a single package-building 

computer. This solution provides optimum flexibility when creating software 

packages, without dedicating multiple computers specifically for software package 

building. 

165

USER'S GUIDE 

Running the Package Builder wizard 

As described earlier, building a software distribution package is a two-phase process. 

The first phase creates an installation script (.CFG file) in the Package Builder 

working directory. This script contains all the client instructions for installing the 

software. The second phase builds the software distribution package. The package 

contains the instructions plus the files. 

In addition to the packages created with the Package Builder wizard, the ESWD 

agent supports scheduled or policy-based deployments for three other types of 

packages: 

• Single-file and multi-file MSI packages 

• Legacy packages from previous versions of LANDesk Management Suite 

• Self-extracting executables 

If you're using these package types, skip this task and see "Setting up the delivery 

server" later in this chapter. 

To run the Package Builder wizard 

1. From your package-building computer, click Start | Programs | LANDesk 

Management | Package Builder wizard. 

2. Click Scan Options to configure the scan process. On this page, you can 

select which directories the wizard monitors for changes and whether the 

wizard creates a backup to return the client to its present state after the 

package has been created. When you're finished modifying the form, click 

OK. 

At least one logical or physical disk drive must be monitored 

The Package Builder wizard needs to monitor at least one logical or physical disk 

drive to track system information changes. If you clear the default drive selection in 

the Scan Options page, and set it to monitor no drives, the wizard will exit. 

3. Click Build Options to configure user-specific settings for Windows NT and 

Windows 2000/2003/XP systems. You can select to have these settings 

applied to the logged-in user (or the default user if no one is currently logged 

in) or to all users. These user-specific settings include Start Menu items, 

shortcuts, and registry settings for the HKEY_CURRENT_USER key. To return, 

click OK. 

4. Click Next. The wizard will check out your system. 

5. Select the method you want to use to install the application: 

• If the installation program is locally available (such as a SETUP.EXE 

program), click Browse to locate the installation program, select it, 

and then click Monitor. 

• If the installation program is on an autorun CD, click Next and insert 

the CD. 

• To make other types of changes for a software distribution package 

(such as copying files or creating desktop shortcuts), click Next and 

run the appropriate utility. 

166


6. Follow the prompts to install the software. 

7. When the installation is complete, enter a name for the package. We suggest 

you enter a name that includes both the software and the operating system; 

for example, WinZip_Win2K for a package that installs WinZip on a Windows 

2000/2003 client. 

8. Click Compare. 

9. When the .CFG file has been created, click OK and then Build. 

Note: The .CFG file can be customized and then built into a package. For 

more information, see "Scripting guide for .CFG files" in Appendix C. 

10. When the build completes, the wizard will put the package in the Onefile 

folder of the Package Builder Working directory. The package will be an .EXE 

file with the name you selected. Click Finish. You can manually test this 

package by clicking the .EXE file. 

The next task is to set up the delivery server and copy this package to it. 

167

USER'S GUIDE 

Setting up the delivery server 

The delivery server is the server that stores the software distribution packages. It 

can be either a Web server or a Windows NT/2000/2003 server. 

Delivery 

server 

Web server 

Network 

server 

Requirements 

Microsoft Internet Information Server 5.0 or higher running on Windows NT or 

Windows 2000/2003 

Windows NT 4.0 or Windows 2000/2003 

To configure a Web server for software distribution 

These steps explain how to create a virtual directory on a Web server and enable it 

for browsing. In general, virtual directories need to allow reading and directory 

browsing. Execute must not be set or the share won't work correctly. You also may 

want to disable write permissions so clients can't change the directory's contents. 

1. Create a directory on the Web server where you want to store your software 

distribution packages. The usual location for such a directory on an IIS Web 

server is a subdirectory in the c:\inetpub\wwwroot directory. 

2. Copy the packages to this directory. 

3. From the Control Panel, double-click Administrative Tools and then 

Internet Services Manager. 

4. In the right panel, double-click the icon with the client's name and then click 

Default Web Site. 

5. In an empty area in the right panel, right-click and select New, then click 

Virtual Directory. 

6. From the wizard, click Next and then enter an alias for your directory. Click 

Next. 

7. Either enter the path or browse to a path and click Next. 

8. In the Access Permissions dialog, enable Run script and Browse. This 

enables you to browse packages when creating the software distribution 

script. Click Next and Finish. 

9. To enable Port 80 on the Web server, in the left panel, right-click Default 

Web Site. 

10. Click Properties. In the Web Site Identification dialog, the TCP Port box 

should display 80. If it doesn't, click Advanced to add the port. 

11. Ensure that the Web site is available by opening a browser and entering the 

URL for your Web server and virtual directory. For example, if the name of 

your Web server is Test and the name of the virtual directory is Packages, 

enter the following URL: 

http://Test/Packages 

A list of the packages you have copied to this directory should appear. 

168


The size and number of packages you put in this directory is limited only by available 

disk space. Subdirectories can be created to logically group packages. Each 

subdirectory that's created must have the above access permissions set. 

Once you copy the packages to a package share on a Web server, they're staged and 

ready to be copied to the target clients. When scheduled, the URL or UNC path of the 

package is passed to SDCLIENT.EXE (the client agent) as a command-line 

parameter. SDCLIENT.EXE manages the file transfer, starts the installation, and 

reports the status. Although the HTTP protocol is used for the file transfer, the status 

report is returned through CBA. 

The Web server communicates with the client to ensure that the package copies 

correctly. If the package transmission is interrupted during the download, the Web 

server can use the HTTP protocol to restart the download at the point where it 

stopped. The Web server does not check, however, to ensure that the package was 

installed correctly. That traffic is UDP-based, and it returns the status to the core 

server using CBA. 

To configure a network server for software distribution 

Clients that do not have a browser must receive distribution packages from a UNC 

path on a Windows NT/2000/2003 network server. This can be the same directory as 

the one you set up on your Web server. For UNC path-based distributions to work 

correctly, you must enable a null-session share folder on your network server. Use 

the SYSSHRS.EXE utility to create a null-session share folder. 

1. To set up a shared folder on your network server, right-click the folder you 

want to share and then click Sharing. 

2. Click Share this folder and click Permissions. 

3. Add the Everyone and the Guest groups, but grant them only read 

permissions. Apply the changes. 

4. From your network server, click Start | Run and browse to the 

LDMAIN\Utilities directory on your core server. 

5. Run the SYSSHRS.EXE utility. 

Note: Although this utility states that it's for Windows NT clients, it also 

works on Windows 2000/2003 clients. 

6. Check the shared folder you set up and click Apply and then Close. 

7. Copy the software distribution packages to this directory on the network 

server. 

The size and number of packages you store on the network server is limited only by 

the available disk space. 

For more information about the SYSSHRS.EXE utility, download the SHARES.EXE 

package from http://www.landesk.com/support/downloads/detail.phprid=52 and 

extract the documentation. 

169

USER'S GUIDE 

Configuring Windows 2003 Web servers for software distribution 

Windows 2003 Server handles virtual directories differently than Windows 2000. On 

a Windows 2003 server, if you select a directory and from its shortcut menu make it 

a Web share, the directory registers itself in IIS 6 as a Web application rather than a 

virtual directory. The problem is that as a Web application, when trying to select an 

executable file, the Web server attempts to run the file as a Web application rather 

than download the file to the user. The resolution is to go into IIS, change the 

shared directory from a Web application to a virtual directory, and turn off execute 

permissions. 

When hosting files on a Windows 2003 server, files without a registered MIME file 

type will fail to multicast unless you do the following. 

To register MIME file types 

1. Launch Internet Information Services (IIS) Manager. 

2. Expand the local computer in the tree. 

3. Click Web Sites > Default Web Site. 

4. From the package Web share's shortcut menu, click Properties. 

5. Click the HTTP Headers tab. 

6. Click MIME Types. 

7. Click New. 

8. In the Extension box, enter an asterisk (*). 

9. In the MIME Type box, enter any name. 

10. Click OK twice and apply the changes. 

170


Configuring clients to receive packages 

Clients receiving the software distribution packages must have the following 

LANDesk agents installed: 

• Common Base Agent (CBA) 

• Bandwidth Detection agent 

• Enhanced Software Distribution agent 

If you're planning to use Targeted Multicast, also ensure that the Targeted Multicast 

agent is installed on clients. 

To deploy the agent to multiple clients, you'll want to use an automated process. For 

example, one method is to put the commands in the logon script so that they're 

executed when clients log in to the network. For more information, see the 


To configure one client, follow the instructions below. 

To install the client software 

1. From the client, map a drive to the LDLogon directory on the core server. 

2. Run WSCFG32.EXE and select to install the following agents (if they aren't 

already installed): 

• Common Base Agent 

• Bandwidth Detection 

• Enhanced Software Distribution 

• Targeted Multicast 

171

USER'S GUIDE 

Distributing a package 

These instructions explain how to create a software distribution script. For the script 

to execute correctly, the software distribution package must exist on either a 

network or Web server and the clients must have the ESWD agent installed. 

To create a package distribution script 

1. Create the package you want to distribute. 

2. Click Tools | Manage Scripts. 

3. Click the New Distribution Script button. 

4. Select the software distribution package by clicking Web Share or File 

System Share: 

• For a Web server, type the URL to your Web server directory in the 

box, and press Enter. Select the package. (Directory browsing must 

be enabled on the Web server. For more information, see "Setting up 

the delivery server" earlier in this chapter.) 

• For a network server, type the path to the package, or click Browse 

and browse to the package's location. (UNC paths must be enabled on 

the network server. For more information, see the "Setting up the 

delivery server" earlier in this chapter). 

• Click Next when you have selected your package. 

5. In the Create Script page, click Install or Uninstall depending on what type 

of package you're distributing. 

6. Enter a Script name. 

7. Check Use Multicast to distribute this package if you'll be using Targeted 

Multicast. If you're using multicast, you also can check the Only copy a 

single file using Multicast. Use this option if you only want to distribute a 

single file. Click Next. 

8. Finish the wizard. Click Help for more information on each page. Once you 

finish, your new script will appear in the All Other Scripts branch of the 

Manage Scripts tree. 

To schedule a script for distribution 

1. In the Manage Scripts window, click Scripts > My Scripts or All Other 

Scripts, and the script you want to distribute. 

2. Click the Create Task button. This displays the Scheduled Tasks window 

with the script you selected. 

3. In the network view, locate the clients you want to update, then drag and 

drop their icons into the right pane of the Scheduled Tasks window 

4. From the Scheduled Tasks window, click the Set Start Time toolbar button 

to display the Schedule Task dialog. 

5. Set the timing options you want. Click Start Now and OK if you want to start 

the client update as soon as possible. 

This dialog shows whether the job is complete, and also provides important error 

codes if an install fails. You can use these error codes to troubleshoot package 

deployment problems. Once this dialog indicates that the job is complete, your 

package is deployed. For more information about client error codes, see 

"Understanding Enhanced Software Distribution error codes" in Appendix C. 

172


You can use queries to create a list of clients to deploy a package to. For information 

on creating queries, see chapter 3, "Using queries." 

About byte-level checkpoint restart and dynamic bandwidth 

throttling 

Management Suite 8 and later versions support distribution byte-level checkpoint 

restart and dynamic bandwidth throttling. Checkpoint restart works with distribution 

jobs that ESWD first copies to the client cache directory (by default, 

C:\LDCLIENT\SDMCACHE). Normally, ESWD and MSI packages don't get copied to 

the client cache directory before the package gets installed, because these package 

types only download the package portions they need, minimizing the amount that 

gets downloaded. All other package types and files get copied to the client cache 

first, and checkpoint restart allows interrupted distributions to resume at the point 

where they left off. 

Dynamic bandwidth throttling specifies that the network traffic a client creates 

has priority over distribution traffic. This option also forces a full download of the file 

into the client's cache, which also enables byte-level checkpoint restart, where 

downloads resume where they left off if interrupted. If you select this option and 

leave the Minimum available bandwidth percentage at 0, once the client initiates 

network traffic, the distribution cuts back to about one packet per second until the 

traffic stops. Increasing the minimum available bandwidth preserves approximately 

the amount of client bandwidth you specify for distribution if distribution needs 

network bandwidth and there is contention for bandwidth on the client. 

If you're reinstalling or repairing an ESWD package or an MSI package, you may not 

want to use the dynamic bandwidth throttling option, because these package types 

normally only download the files they need. Using dynamic bandwidth throttling in 

this case would force a full download of the package when a repair might normally 

only require a small portion of the package. 

Dynamic bandwidth throttling isn't available on Windows 95/98 computers. 

173

USER'S GUIDE 

Working with Mac OS X distribution scripts and 

packages 

You can create a script to distribute single-file executable packages to Macintosh OS 

X clients, either through normal distribution or through Targeted Multicast. Each 

script will distribute only one file, and the client will try to execute the file once the 

client receives it. You must install Management Suite's OS X client on target 

computers before you can distribute files to them. 

Macintosh OS X distribution scripts are handled the same way Windows distribution 

scripts are. The scripts are saved as text files, and you can edit them manually if you 

need to once they're created. You can schedule OS X distribution scripts in the 

Scheduled Tasks window and drag OS X clients into the Scheduled Tasks window as 

distribution targets. 

To create an OS X software distribution script 

1. Create the package you want to distribute. 


3. Click the New Macintosh Distribution Script button. 

4. Select the software distribution package created: 

• For a Web server, type the URL to your Web server directory in the 

URL box, and press Enter. Select the package. (Directory browsing 

must be enabled on the Web server. For more information, see 

"Setting up the delivery server" earlier in this chapter.) 

• For a network server, click the Browse toolbar button and browse to 

the package's location. (UNC paths must be enabled on the network 

server. For more information, see the "Setting up the delivery server" 

earlier in this chapter). 

5. In the Deploy Package wizard, select Deploy the package to Macintosh 

clients. Click Next. 

6. In the Create Script page, enter the script name. Click Next. 

7. Finish the wizard. Click Help for more information on each page. Once you 

finish, your new script will appear in the All Other Scripts branch of the 

Manage Scripts tree. 

174


Editing Macintosh scripts 

Macintosh script commands can be either a download command or a shell command. 

Download commands begin with either "http://" or "ftp://". If it's not a download 

command, it's a shell command by definition. All Macintosh script commands need to 

be prefixed by ldkahuna. For example: 

REMEXEC0=ldkahuna "http://..." 

To help Macintosh script commands execute properly, also do the following: 

• The command after the ldkahuna entry should have a quote at the beginning 

and end. 

• URLs should be escaped ("%20" for spaces, and so on). 

• Commands should also be escaped (use a backslash and a space wherever 

you want a space, and so on) 

• Put single quotes around arguments. 

Any file can be downloaded, though Management Suite won't download directories. 

Install packages (.PKG) can contain directories. They must be compressed. If the file 

downloaded has a suffix of .SIT, .ZIP, .TAR, .GZ, .SEA, or .HQX, Management Suite 

will decompress the file before returning. (Users should make sure that Stuffit 

Expander* has its check for new versions option disabled; otherwise a dialog may 

interrupt script execution.) 

The OS X agent won't autorun any files. The user can use the shell command "open" 

to launch files or applications and "installer" to install .PKG files. 

It's also possible for the download file to be a shell script written in Perl, and so on. 

After downloading the file to clients, you can follow up with a shell command to 

execute the file. Shell commands run as root. 

Files are downloaded to /Library/Application Support/LANDesk/sdcache/, which you 

need to be aware of in your shell commands. 

175

USER'S GUIDE 

Distributing files with a file transfer script 

If you just want to copy files to clients, you can use a file transfer script. You can 

transfer any type of file, including text files, to a directory you specify on the client. 

File transfer scripts support Targeted Multicast. 

To distribute files 


2. In the All Other Scripts shortcut menu, click Create File Deployment 

Script. 

3. Enter a Script name and Destination directory. Click Next. 

4. Enter the Multicast Domain Options you want. Click Next. 

5. Select the files you want to deploy by selecting a Web path or a File share 

path, entering the path, and adding the files you want to the list box. Click 

Next. 

6. Read the Finished page summary and click Finish. 

About the Create File Deployment Script page 

Use the File Deployment Script wizard (Manage Scripts window > All Other Scripts 

shortcut menu > Create File Deployment Script) to deploy individual files of any type 

to a client directory you specify. 

• Script name: Enter a descriptive name for the script you're creating. 

• Destination directory: Enter the client directory you want the files placed 

in. 

176


Uninstalling software distribution packages 

ESWD has the following methods for uninstalling packages that have been created 

and distributed to your clients: 

• Uninstall command in Package Builder 

• Uninstall option in the console 

• Uninstall package with Package Builder wizard 

Uninstall command in Package Builder 

You can enable the Package Builder Uninstall command on all packages distributed to 

clients. If you use this command, packages create their own uninstall executable in 

the application's default directory on the client when they're installed. You can then 

create a script to activate that uninstall file on the client and remove the package. 

Advantages to this method include: 

• The uninstall is triggered by the script, and the installed files are completely 

removed. 

• All file counters are correctly decremented during the uninstall. This means 

that shared .DLLs that affect other programs on the client aren't removed. 

Disadvantages to using this method include: 

• The Uninstall command must be included when you create the initial package. 

• Uninstall prompts the user to remove the application. If the user responds 

"No," the package isn't uninstalled. You can't hide this prompt from users. 

• The uninstall file is on the client, so a user could uninstall the software 

package without your knowledge. The uninstall file shows up in Control Panel 

| Add/Remove Programs. 

• You must know the correct path to access the file. 

The following example illustrates the syntax for creating a script that triggers the 

uninstall file to uninstall WinZip on the client: 

[MACHINES] 

REMEXEC0="C:\Program Files\WinZip\UninstallINSTALL.EXE" 

REMEXECO is the Remote Execute command. 

"C:\Program Files\WinZip\Uninstall INSTALL.EXE" is the complete path to the 

uninstall file. Quotes are required if there are spaces in the path names. The default 

name for this file is "Uninstall" + the name of the software distribution package. 

Once you have created a script that targets an uninstall package, schedule it to be 

sent to your users, and the package will be uninstalled. 

177

USER'S GUIDE 

Uninstall option in the console 

You can use the tools in the console to uninstall distributed packages. From the 

console, click Tools | Manage Scripts, and click the New Distribution Script 

button. Select the .EXE package that installed the software. In the Create Script 

window, click Uninstall. This sets a "remove all" flag in the package so that 

everything installed in the installation script is removed. 

The advantages of this method include: 

• The uninstall executable is not on the client. 

• This executable can uninstall software distribution packages that were not 

built with the Uninstall command. 

Uninstall package with Package Builder wizard 

If the above methods do not produce the desired results, there is one other option. 

You can use the Package Builder wizard to create a package of the uninstall process 

on the package-building computer, then distribute it to your clients. 

This is not a recommended procedure 

If the application you're uninstalling uses shared .DLLs, this method could remove 

.DLLs that are required by other applications. 

To create an uninstall package 

1. Start the Package Builder wizard on your package-building computer. The 

application you want to remove from your clients should be already installed 

with the same defaults as your clients. 

2. Click Next to start the pre-snapshot phase, then click Next again. Don't click 

the Browse button. If you click Browse, you will start the installation process 

for another application; this procedure is for uninstalling an application. 

3. When the pre-snapshot is complete, press Alt+Tab to switch to another 

application. Don't click the Browse button. 

4. Click Start | Settings | Control Panel to display the Control Panel window. 

5. Double-click the Add/Remove Programs icon to display the Properties 

dialog. In the Install/Uninstall tab, click the application you want to 

remove, and click Add/Remove. 

If the application has its own uninstall program, you should run it now. 

6. Once the application is uninstalled, press Alt+Tab to return to the Package 

Builder wizard. 

7. Enter the name for this uninstall package, and click Compare to start the 

post-snapshot phase. Once this is complete, the Congratulations dialog 

appears. Click OK to close it. 

8. When the Ready to Build dialog appears, click Build, then click Finish to 

complete the package-building process. 

You can distribute this package to clients. 

178


179

Chapter 7: Using the Web console 

About the Web console 

The Web console offers a subset of Management Suite's functionality from the 

convenience of a Web browser. The Management Suite console is your main resource 

for managing computers, but the Web console is useful when the management 

console isn't available. For more information, see "Phase 6: Installing the Web 

console" in the Installation and Deployment Guide. 

Once set up, you can access the Web console via a browser from most computers on 

your network. Use the Web console to do the following: 

• Remote control computers 

• Run inventory queries 

• View reports about computer inventory 

• Schedule and deploy software packages to computers 

• View individual computer inventory summaries 

• Remotely "wake up" powered off computers 

Once you've installed the Web console and set up an account, you can access the 

Web console from any computer running Internet Explorer 5.5 or later. 

To run the Web console 

1. From a networked computer, open a Web browser. 

2. In the Address field at the top of the browser, enter the URL that will connect 

you to the site hosting the Web console pages. Normally, 

http://webservername/remote. 

3. If a login dialog appears, enter your Windows username and password for the 

core you're connecting to and click OK. 

4. Once you authenticate, links in the left navigation pane appear for the tasks 

you have rights to perform, such as creating queries, remote controlling 

clients, deploying software, and viewing reports. 

If you don't know the URL to the Web console pages 

Contact the person who installed the Web console, most likely the network 

administrator for your site. 

If you can't see some of the left navigation pane links 

It's because your network administrator is most likely using LANDesk Management 

Suite's role-based administration or feature-level security option that limits you to 

performing certain tasks that you have the rights to do. For more information about 

role-based administration and feature-level security, see "Phase 6: Installing the 

Management Suite Web console" in the Installation and Deployment Guide. 

181

USER'S GUIDE 

Getting started 

Logging in 

Users always authenticate to the Web console using a Windows NT account. The 

accounts that can access the Web console are controlled by the Access Control Lists 

(ACLs) that are placed on the Web console directories. The Web console files are 

located under the inetpub\wwwroot\remote directory, and if a user has access to 

these files, they will be able to access and use the Web console. 

The following sections describe these issues in more detail: 

• User management when communicating with a core server 

• User management when communicating with a rollup core 

• User management when the core/rollup server and the Web console aren't on 

the same server 

User management when communicating with a core server 

When the Web console is configured to use the database, it uses the same user role 

and scope management as the Management Suite console. This means that the user 

roles and scopes are created and managed within the Management Suite console. 

When a user accesses the Web console who doesn't have an account in the 

Management Suite console, a Management Suite user account will be created using 

the default rights and scopes as configured in the Management Suite console. The 

administrator can then change the rights and scopes for that user at a later time 

using the Management Suite console. 

The rights and scopes defined in the database override the Windows NT local group 

memberships. This means that even if a user is assigned to the rc_user group 

(feature-level security), they must also have remote control rights in the 

Management Suite console to use remote control. 

User management when communicating with a rollup core 

The Management Suite console doesn't use the rollup database, only the Web 

console does. This means that the rollup core uses local groups to control rights. 

There is no scope you can define in the Web console for a rollup core server. For 

more information, see "Setting up feature-level security for rollup databases." 

User management when the core/rollup core and Web console 

aren't on the same server 

When the core/rollup core and the Web console are located on different servers, all 

user authentication to the Web console is done using Windows NT domain accounts. 

Additionally, the Web console must be given rights in the domain to delegate. 

The reason this is required is that the Web console needs to access the registry and 

LDMAIN share on the core server. In order to do this, the account used to 

182

CHAPTER 7: USING THE WEB CONSOLE 

authenticate to the Web console must be valid on the core server. If a local account 

on the Web console were used, it wouldn't be possible to authenticate to the core 

server, so Windows NT domain accounts are needed. 

183

USER'S GUIDE 

Selecting a core 

If your Web console connects to a single core server, clicking Login on the left 

navigation pane re-logs you in to that server. If your Web console can connect to 

multiple core servers, you can select an available core server from the Core list and 

click Connect. You may have to provide Windows authentication credentials for the 

server you are connecting to if you aren't connected already. 

For more information on how the Web console handles logins, see "Logging in to the 

Web console." 

For more information on configuring the Web console to connect to multiple cores, 

see "Configuring the Web console for multiple cores." 

Finding a client 

To quickly locate a specific client that has been scanned in the database, use Find 

Computer located at the top of each Web page. From the drop-down list, select an 

identifier, such as Device Name. In the text box, enter corresponding information 

for the client you're looking for, then click Find. 

If you only know part of a client's name or address 

Use a wild card character in the text box to view all clients matching your entry. You 

can use an asterisk (*) or percent sign (%) as a wild card. Asterisks are valid for 

convenience only; the Web console replaces them with percent signs to comply with 

the SQL query language. 

If just one client is found, an Inventory Summary page will appear with a list of that 

client's inventory. If several clients are found, they'll appear in a list. To view an 

inventory summary of a client, click its name. 

Select from these identifiers when locating a client: 

• Device Name: Computer name of the client you're looking for. 

• IP Address: IP address of the client you're looking for. 

• Model: The computer model returned by the inventory scanner. The scanner 

can't always identify the model. 

• Display Name: Descriptive name given to a client, for example, Admin 

Desk1 - 2nd Floor. 

• Login Name: Login name of the user whose computer you're looking for. If 

the user is in the database, all computers associated with that login name will 

appear. 

• Device ID: Unique ID that the inventory scanner assigns to each client in the 

database. 

184


Adding clients to the target cart 

The target cart is a feature that enables you to distribute software to a select group 

of "target" clients without having to query for that group. The recommended number 

of clients that you should add to the target cart is 250 or fewer. The clients will stay 

"in" the cart until your Web console session times out (20 minutes by default). 

Once the cart has clients in it, you can select to distribute software to those clients 

via the software distribution wizard. All the clients in the cart will receive the 

software package. 

Add clients to the target cart list by using the Find Computer feature found at the 

top of any Web console page. Search for one particular client, or search for several 

using the wildcard characters of % or *. 

If just one client is found, the Inventory Summary page for that client appears. Click 

the add device toolbar button to add the client to the target cart list. 

Or, if several clients are found, select the ones you want to add to the cart, then 

click Add to Target Cart. If the returned client list spans multiple pages, you must 

click Add to Target Cart for each page. You can't select clients on multiple pages 

and click Add to Target Cart just once for all of the pages. 

In either case, the Target Cart window will appear with the client(s) added to the list. 

Click Close Window. 

With one or more clients in the target cart, you can select Use Target Cart during 

the software distribution wizard to distribute a package to just those clients, 

eliminating the need for a query. 

185

USER'S GUIDE 

Using remote control 

To use remote control from the Web console, you must first install the Remote 

Control Viewer. You need Administrator privileges on the local computer to install the 

viewer, which you're prompted to set up when you access the remote control page 

for the first time. 

The viewer works on Windows 95/98 and Windows NT/2000/2003/XP computers that 

are running Internet Explorer 5.5 or higher. The remote control agent also must be 

installed on each client you want to control. If necessary later on, you can uninstall 

the Remote Control Viewer from Control Panel's Add/Remove Programs applet. Look 

for "Remote Control Viewer" in the program list. 

To remote control a client 

1. On the left navigation pane, click Remote control. 

2. In the empty text box, enter the name or IP address of the client you want to 

control, then click Remote control. This action establishes a remote control 

session. If you close your browser after the session has started, the session 

will continue running. 

Note that you can remote control a computer that hasn't been scanned into the 

database (as long as it has the remote control agent installed). You can also remote 

control more than one computer at a time. After starting one session, return to the 

Web console, enter another computer's name or IP address, and click Remote 

control. 

186


Waking up a client 

If your clients support Wake on LAN* technology, you can use the Web console to 

remotely wake them up. This feature is useful when you want to remote control or 

send a software distribution package to a client that's currently powered off. 

When you attempt to wake up a client, you're actually sending a Wake on LAN 

technology packet to that client's network adapter. If the adapter and client are 

enabled for Wake on LAN, the client powers up. If the adapter and client aren't 

enabled for Wake on LAN, the client remains off. 

To remotely wake up a client, first locate it in the database. Do this by using the 

Find Computer feature at the top of any Web console page. Once you locate the 

client, you can attempt to wake it up from the Inventory Summary page by clicking 

the Wake on LAN toolbar icon. 

187

USER'S GUIDE 

Installing and configuring clients 

Selecting client features 

Before you can manage clients with the Web console, you need to install 

management agents on them. Management agents are installed with a client agent 

package, which is a single-file executable. Clients install the agents by running a 

client configuration package you created. 

The Web console has limited client configuration package support 

The Web console only creates a basic configuration package with the features below. 

To create client configurations that include other features or to customize feature 

options, use the Management Suite console's client setup option (Tools | Client 

Setup). 

The first time you configure clients, they need to run the package manually. The 

package doesn't ask users any questions. Once you've installed the software 

distribution agent on clients, you can update the management agents on those 

clients by creating a new package and using software distribution to install it. If 

clients receive the remote control or software distribution agents for the first time, 

they'll be prompted to reboot after the package finishes installing. 

Use the Client configuration page to name a client configuration package and select 

the features you want in it. You can choose from these features: 

• Remote control: Check this if you want to be able to remote control clients. 

• Inventory scanner: Check this if you want clients to report inventory data 

to the core server. You can then do queries on the inventory data. The 

inventory scanner adds clients to the database so you can manage them from 

the Web console. This feature also deploys custom data forms. 

• Enhanced software distribution: Check this if you want to distribute 

software to clients. You can distribute single files or single executables. In the 

case of executables, once a client receives it, the client will run the program. 

• Software license monitoring: Check this if you want to monitor software 

usage on clients. You can configure applications to monitor and clients report 

this information to the inventory database. 

To start creating a client configuration package 

1. Enter a File name for the package. Once the Web console creates the 

package, it's stored in the "\Program Files\LANDesk\ManagementSuite" folder 

on the core server. 

2. Check the features you want the package to install. 

3. Click Next to configure the client features. 

188


Installing client agents 

Once you've created a client configuration in the Web console, you need to install it 

on clients. The best way to install client agents depends on if you're installing them 

for the first time or refreshing an existing client agents installation. 

Client agent packages are a single self-extracting executable file. By default they're 

stored in the "\Program Files\LANDesk\ManagementSuite" folder on the core server. 

Running the executable installs the client agents silently, without requiring any user 

interaction. 

If you manually run the same client agent package on a client more than once, a 

dialog appears asking whether to reinstall or heal the package. Reinstalling the 

package recopies all files. Healing the package only copies changed files. Either 

choice will work. 

Installing agents for the first time 

If users are installing the client agent package for the first time, they must install 

them while logged in with an account that has administrative privileges. The client 

agents won't install correctly under a non-administrative account. If your users can't 

log in with administrative privileges to install the package, a user who can will need 

to do the install. 

You can make the client agent package available to clients by putting it on a file 

server or a Web server. 

Updating existing agents 

If an existing client agent installation includes software distribution, you can update 

the agents by creating a new client configuration and distributing it from the Web 

console. This installs the agents silently, and in this case, users don't need to install 

the agent while logged in with administrative privileges. 

Once you've installed a client agent package, installing other client agent packages 

only adds agents to clients. You can't uninstall an agent by creating a new client 

agent package that doesn't include the agent you want removed. 

After creating a new client agent package, copy it to the distribution package 

delivery server. For more information, see "Setting up a distribution package delivery 

server." 

189

USER'S GUIDE 

Uninstalling agents 

If you need to uninstall agents from clients, follow this procedure. 

To uninstall agents from a client 

1. Log in at the client with administrative rights. 

2. Map a drive to the core server's LDLOGON share. 

3. Open a command prompt, change to the LDLOGON share's drive letter, and 

enter the following: 

wscfg32 /f /n /u 

4. The uninstall will run silently, and when it finishes it will reboot the client. 

190


Managing inventory data 

Creating custom queries 

Custom queries are useful when you want inventory details about hardware and 

software installed on your client computers. Use a custom query to build a list of 

clients with similar inventory. For example, if you wanted to upgrade clients to a 750 

MHz processor, you could query for all computers in your database with processor 

speeds of less than 750 MHz. 

You can query on any of the inventory items (known as "attributes") that the 

inventory scanner stores in the database. 

Creating a query is a four-step process: 

1. Create a search condition: Specify a set of inventory attributes that will be 

the basis of your query. 

2. Select attributes to display: Refine or "filter" the query so that the results 

display the attributes most useful to you, such as IP addresses or computer 

device names. 

3. Sort results by attributes (optional): Specify how you want the query 

results sorted. (Only applies if, in Step 2, you selected to display more than 

one type of attribute in the query results.) 

4. Run the query: Run the query you just created. You can also save it for later 

use, or clear all of the query information to begin again. 

Step 1: Creating a search condition 

A search condition is a set of inventory attributes and associated values that you 

query for. You can use one search condition or group several together to form the 

basis of a query. 

The following steps take place on the Edit Query page. 

To create a search condition 

1. Under Step 1, click Edit. A window appears showing a list that represents all 

of the inventory data currently in the database. 

2. Drill down this list to select the attributes that will be your search condition. 

For example, to locate all clients running a particular type of software, you 

would select Computer.Software.Package.Name. 

3. After selecting the attributes, you'll notice that a series of fields appear in the 

right side of the window. From these fields, select an operator and value to 

complete the search condition. For example, to locate all clients running 

Internet Explorer 5.0, the attributes would be 

"Computer.Software.Package.Name," the operator "=," and the value 

"Internet Explorer 5." 

4. At the bottom of the window, click Add to fill in the empty field with your 

search condition. 

5. You can continue to refine the query by creating another search condition, 

then adding it to the first with a boolean operator (AND or OR). Also use the 

buttons to add, delete, replace, group, or ungroup the conditions you create. 

191

USER'S GUIDE 

6. When you're finished, click OK. 

Step 2: Selecting attributes to display 

For step 2, select the attributes that will be most useful for identifying computers 

returned in the query results. For example, if you want results that help you 

physically locate each computer matching the search condition set in Step 1, you 

would specify attributes such as each computer's display name 

(Computer.DisplayName) or IP address (Computer.Network.TCPIP.Address). 

The following steps take place on the Edit Query page. 

To select attributes to display 

1. Under Step 2, click Edit. A window appears showing a list that represents all 

of the inventory data currently in the database. 

2. Drill down this list to select an attribute to display in the query results list. 

Remember to select attributes that will help you identify the clients returned 

in the query. 

Note: If you're using an Oracle database, make sure you select at least one 

attribute that is natively defined by the inventory scanner (for example, 

Computer.Display Name, Computer.Device Name, Computer.Device ID, 

Computer.Login Name, and so on). 

3. After you've selected an attribute, click >> to move it into the empty field on 

the right side of the window. If you want to enumerate your query results list, 

click Include Count. 

4. Stop with one attribute to display, or continue to add more. Use the arrow 

buttons to add or remove attributes, click Move Up/Move Down to change 

the order of attributes, and click Add Count/Remove Count to view sum 

totals of the results. 

5. When you're finished, click OK. 

You can also add column heading(s) to your query results list. 

To add column headings 

1. Under Step 2, click Edit Column Headings. 

2. In the Column Headings field, type a column heading and click Add. Type a 

heading for each column that will appear in your results list. The number of 

columns that will appear is determined by the number of attributes you 

specified to appear in the results. 

3. Click OK. 

At this point, you may want to save your query; the next procedure in the querycreation 

process is optional and applies only to query results that contain two or 

more columns. To save your query, click Save Query at the bottom of the page. A 

window will appear prompting you to type a name for this query. Type a name, then 

click Save in the top right corner of the window. 

192


Step 3: Sorting results by attribute 

This procedure is necessary only if you defined more than one attribute and column 

heading in Step 2 and now want to sort the results alphabetically or numerically 

within one of those columns. 

For example, let's say you specified two different attributes to display in the query 

results: the IP address and the processor type of each returned computer. In Step 3, 

you could sort alphabetically by processor type in the results. 

If you skip this step, the query will automatically sort by the first attribute selected in 

Step 2. 

To sort results by attribute 

1. Under Step 3, click Edit. A window appears showing the attributes you 

selected in step 2. 

2. Select which attribute you want to sort by, then click >> to move it over to 

the empty text box. 

3. Click OK. 

Step 4: Running the query 

After creating your query, you can run, save, or clear it to start over. 

To save the query for future use, click the save toolbar button. The query will now 

appear in the list on the Custom Queries page. If your query is a modified version of 

another, click the save as toolbar button to give it a new name. 

By default, saved queries are only visible by the person who saved them. If you 

check Public query before saving, the saved query will be visible to all users. 

The Management Suite console and the Web console share queries. If you save a 

query in the Management Suite console, it will also be visible in the Web console, 

and the reverse is true too. 

To view the results of this query, click the run toolbar button. 

To clear the query parameters from the Edit Query page, click the clear toolbar 

button. If the query has already been saved, it's cleared from this page but remains 

in the Custom Queries list. 

193

USER'S GUIDE 

Exporting and importing queries 

You can export and import any queries created with the Web console. All queries 

export as XML files. If you export the same query filename more than once, it will 

overwrite the file. To avoid this, you may want to copy the file to another location 

once it's exported. 

The export and import features are useful in two scenarios: 

• If you need to reinstall your database, use the export/import features to save 

your existing queries for use in a new database. 

For example, you could export the queries, then move them to a directory 

unaffected by a database reinstall. After reinstalling the database, you could 

move the queries back into the queries directory on your Web server, then 

import them into the new database. 

• You can use the export/import features to copy queries to other databases. 

(Useful if you're not set up to view two or more databases with the Web 

console.) 

For example, you could export a query to a queries directory on your Web 

server, then e-mail or FTP it to someone. That person could then place the 

queries into the queries directory on another Web server, then import them 

into a different database. You could also map a drive and directly copy 

queries into the queries directory on another Web server. 

To export a query 

Complete these steps while connected to a database that has a query you want to 

export. 

1. In the left navigation pane, click Inventory > Custom queries. 

2. On the Custom Queries page, click the query name you want to export. 

3. On the Edit Query page, click the export toolbar button to export the query 

to disk. 

4. On the Query Exported page, right-click the query to download it as an XML 

file to a selected directory. The query becomes the XML file. 

Note that If you export the same query more than once, it will overwrite the file. To 

avoid this, you may want to copy the file to another location once it's exported. 

If you want to eventually import the query back into a database, you must move it 

to the queries directory recognized by the Web server, by default 

c:\inetpub\wwwroot\remote\queries. 

194


To import a query 

Complete these steps while connected to a database to which you want to import a 

query. 


2. On the Custom Queries page, click new query. 

3. On the Edit Query page, click the import toolbar button. If you originally 

exported multiple queries at once, you must click the import all toolbar 

button. 

4. Select the query you want to import. If you want to verify the parameters of 

this query before importing it, click View. 

5. Click Import to load the query in the Edit Query page. 

6. Once the query is loaded, scroll down and click Save Query to save it into 

this database. 

Copying queries between cores 

If your Web console is set up to view multiple cores, you can copy queries from one 

core to another using the following procedure. 

If your Web console isn't set up to view multiple cores, you must use the export and 

import features to copy a query to another core. 

To copy a query from one core to another 

Complete these steps while connected to a core that has a query you want to copy. 


2. From the Custom Queries page, load the query you want to copy by clicking 

its name in the list. 

3. On the Edit Query page, ensure that the query is loaded. 

4. In the left navigation pane, click Login and log on to another database. 


6. On the Custom Queries page, click Edit Current. 

7. On the Edit Query page, ensure that the query from the other core is loaded. 

8. Scroll down and click Save Query As to save the query in this core. 

Exporting query results to CSV files 

To view your query results data in a spreadsheet application, export the data as a 

Comma Separated Values (CSV) file. From the Query Results page, click the save as 

CSV toolbar icon to save your information as a CSV file. You can then use an 

application like Microsoft Excel* to import and work with the CSV file. 

195

USER'S GUIDE 

Viewing reports 

Reports allow you to quickly access a graphical representation of the assets on your 

client computers. The reports are created from data the scanner stores in the 

database. You can view, print, and email reports. 

To view a report 

1. In the left navigation pane, click Inventory > Reports. Report categories 

will appear in the right pane. Click a category heading to view the list of 

reports. An icon will appear next to each report to indicate the report type. 

A report with a chart icon next to it will display as a pie or bar chart. In a 

chart, you can click on any colored bar or pie section to drill down to a 

summary. 

A report with a document icon next to it will display as text. 

2. Click the report name to view the report. 

3. For the hardware or software scan date summaries, click the start and end 

dates to set the time frame, then click Run. 

To print a report, right-click the page and click Print. On the Print dialog, click Print. 

If a report spans multiple pages, you must right-click in each page to print it. 

To email a report, the recommended method is to print the report to a .PDF file, then 

attach it to the email. 

The Web console will display report charts as pie or bar charts. To set the chart type, 

click Configure > Preferences then change the chart type and click Update. 

In order to view the interactive bar and pie charts displayed in many reports, you 

must have Macromedia Flash Player* 7 installed. 

196


Using custom forms 

You can create a custom form to gather additional information that corresponds with 

the scanned asset data. With custom forms, you can request information specific to a 

particular company or situation. 

Use inventory scanner client configurations to send custom forms to clients. You can 

specify a form to include in the inventory scanner options. When you deploy the 

inventory scanner to a client, the custom form appears as part of the client 

installation. Once a client finishes the form, the inventory scanner runs and sends 

the form information to the core server, making it available for queries and reports. 

Clients can use the Form Viewer to see what forms they've completed or still need to 

do. Clients can run the Form Viewer from Start | Programs | LANDesk 

Management | Custom Data Forms. Clients can select a form they've received, 

then click Open to edit the form. The inventory scanner sends the new form 

information to the core server the next time it runs. 

You can view or query custom form data from an inventory tree view under Custom 

Data > Forms. 

Click Manage > Custom forms to access the Custom forms page. You can create, 

edit, and delete forms from this page. 

• To edit an existing form, select the form, then click edit. 

• To create a new form, click new. In the New Form dialog, enter a name for 

the new form, then click OK. 

• To delete an existing form, select the form, then click delete. You will be 

prompted to confirm your decision. 

Adding form fields 

When you create a new form or edit an existing form, use the options on the Custom 

form .frm page to add form fields. 

Click add field to add a new field to the custom form. In the Form dialog, specify the 

attributes of the field, then click Submit. 

• In the Question edit box, enter the word, phrase, or sentence that will 

appear on the form to ask the user to enter information. 

• In the Inventory name edit box, enter the name of the new form field. The 

name will not appear on the form, but will allow you to query the database for 

the information users enter in the form. 

• In the Description edit box, enter information about the new form field. This 

information will appear if the user clicks the Help button on the form while 

filling out that field. 

• In the Type drop-down list, select a field type. There are three types of 

fields: edit, list box, and combo box. An edit field allows users to input freeform 

text. A list box field generates a drop-down list with predefined options. 

A combo box field provides options, but also allows users to type in an option 

that is not listed. 

197

USER'S GUIDE 

• If you are creating a select field, enter the options in the Options edit box. 

Separate each option with a standard ANSI comma. These options will appear 

in the drop-down list. No options are needed for text fields. 

• Check Make the control a required field to fill out if you want to require 

the user to complete that field. If this option is checked, the form will prompt 

the user to complete the field before the user can submit the form. 

Click edit field to change any field in the custom form. When you are finished 

making changes, click Submit. Click delete field to remove a field from the custom 

form. You can use the move up and move down buttons to change the order of the 

form fields. Click page break to insert a page break. After inserting a page break, 

you can move the page break up or down or delete the page break the same way 

you can move and delete form fields. 

Click edit name to change the title of the form and the instructions that appear 

above the form fields. When you are finished making changes, click Submit. 

After adding fields to the form, click done. 

198


Deleting computers from the database 

To remove computers from the database, click Manage > Delete computers in the 

left navigation pane. From the Delete computers page, you view the contents of the 

target cart. It is recommended that you double-check which computers are in the 

target cart before you delete them from the database. Once you delete inventory 

data from the database, you can't undo the action or recover the data. 

To delete all of the computers in the target cart from the database, click Delete. You 

will be prompted to confirm your decision. Each computer that appears in the Target 

Cart will be deleted, whether or not it is selected in the Target Cart. 

If you get the error, "Unable to delete computers." 

You will see this error if you try to delete computers from the database when there 

are no computers in the target cart. You can only delete computers you have first 

added to the target cart. 

199

USER'S GUIDE 

Monitoring software licenses 

Monitoring software license compliance 

IT administrators often find it challenging to track product licenses installed on 

numerous clients across a network. They run the risk not only of over-deploying 

product licenses, but also of purchasing too many licenses for products that turn out 

to be unnecessary. You can avoid these problems by using software license 

monitoring to monitor product licenses and usage across your organization. 

The power of compliance monitoring rests in its data-gathering capabilities. Use the 

data to track overall license compliance and to monitor product usage and denial 

trends. The software monitoring agent passively monitors product usage on clients, 

using minimal network bandwidth. The agent continues to monitor usage for mobile 

clients that are disconnected from the network. 

Monitoring features include: 

• Ability to scan for both known and unknown applications. 

• Application launch denial to keep unauthorized software from running even on 

clients disconnected from the network. 

• Full integration with the Web console for current, complete information about 

installed applications. 

• Extensive application usage and license compliance reporting. 

• Extensive license monitoring and reporting features, including number of 

times each licensed application was launched, last date used, and total 

duration of application usage. 

• Easy configuration of license parameters, including number purchased, license 

type, quantity and serial number. 

• License purchase information, including price, date purchased, P.O. number, 

and reseller information. 

• Installation tracking and reconciliation, including the license holder and 

physical location of the client the license is installed on, as well as additional 

notes. 

• Aliasing to track software when vendor information or filenames change. 

The Web console's software license compliance feature doesn't have all of the 

features the Management Suite console version has. For advanced software license 

compliance configuration, maintenance, and reporting, use the Management Suite 

console. 

How software license monitoring works 

The software license monitoring agent, when installed, records data about all 

installed applications on a client and stores this data in the client's registry at: 

HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\Software 

Monitoring\MonitorLog 

Application usage data that you don't monitor is eventually overwritten with newer 

data in the client's registry. 

200


The client inventory scanner updates the core server with software license 

monitoring data when it does a software scan (by default, once a day). The inventory 

scanner uses a text file called LDAPPL3.INI to define which applications it should 

scan for. When the inventory scanner runs, it checks with the core server to see if 

the LDAPPL3.INI has been updated. If it has, the scanner gets the new version. The 

scanner uses file deltas and compression to minimize the amount of network traffic 

used. 

You shouldn't edit the LDAPPL3.INI file directly. For more information, see 

"Customizing and exporting LDAPPL3.INI" 

Before configuring products 

Before you configure products, make sure some (preferably most) of your clients 

have returned an inventory scan. By default, the inventory scanner will return 

application information for all executables on each client (a MODE=ALL scan). Until 

your clients have returned inventory scans, the LDAPPL3.INI won't contain a 

complete list of the files your clients have installed. You can't monitor a file until it's 

in the LDAPPL3.INI. 

The first MODE=ALL inventory scan can be several megabytes in size. The inventory 

scanner will only send deltas after the first scan, so subsequent scan files will be 

much smaller. For more information on changing the scanner mode, see "Editing the 

LDAPPL3.TEMPLATE file." 

About mobile clients 




monitored and sends that data to the core server. 

201

USER'S GUIDE 

Software license monitoring views 

The software license monitoring views are designed to let you monitor and manage 

the software that's installed on your clients. Navigate these views from the left 

navigation window, where you can accomplish these main tasks from the software 

license monitoring tree: 

• Compliance: In this tree view, you can monitor usage and license 

compliance for products across your organization, set up product license 

downgrading, deny usage of applications on clients, and view license 

compliance, usage, and denied application trends. 

• Aliases: In this view, you can create product or vendor aliases. An alias 

ensures that you can correctly account for all installed executables from a 

specific vendor if the vendor name changes, or for a product if its vendor and 

name change. This feature is especially useful if you're monitoring products in 

the Compliance tree and need to maintain accurate information about your 

licenses. 

202


Creating product and vendor aliases 

Use the Aliases page to create product or vendor aliases. An alias ensures that you 

can correctly account for all installed products by: 

• Normalizing executable file data: An alias lets you make consistent the 

information the core database needs to correctly identify an installed product. 

For example, the file information provided by a vendor isn't always consistent. 

Files scanned into the core database for various Microsoft products may show 

the vendor name as being Microsoft Corp, Microsoft (R), or just Microsoft. If 

you were to run a query on "Microsoft (R)" products, you would get only a 

partial list back of Microsoft products installed across your network. By 

creating a vendor alias of "Microsoft Corp" for all of your Microsoft products, 

you ensure that those products all have exactly the same vendor name. 

• Updating executable file data: An alias lets you update file information if 

the product name or vendor changes after installation. For example, 

sometimes vendor or product names change because a company has been 

newly acquired or divested, or a company has renamed its product after 

several versions. If this occurs with your client applications, use aliasing to 

associate new vendor or product names with the originals, ensuring that the 

core database can continue to identify your executables accurately. This 

feature is especially useful if you're monitoring products in the Compliance 

tree and need to maintain accurate information about your licenses. 

About the Aliases page 

The Aliases page shows the original vendor and name for a product, as well as any 

new vendor and/or product names that you may have added. A software scan must 

occur before a new alias will appear in the compliance tree or in reports that include 

data about your client's software. 

You can create two types of aliases: 

• Vendor: An alias for all installed products of a certain vendor (enter the 

original vendor name and a new vendor name). 

• Product: An alias for a specific product (enter original vendor and product 

names, as well as new ones). A product alias that includes a new vendor will 

always take precedence over an alias created for all products of a certain 

vendor. 

To create an alias 

1. From the left navigation pane, click Monitor software > Aliases. 

2. Enter the original vendor and original product name, as well as the new 

vendor and/or new product name for the application. You must enter 

information for all alias fields, even if the original and new values are the 

same. Click OK. 

You can delete an alias by selecting an alias and clicking the delete alias button. 

After you delete an alias, the core database reverts to using the original vendor and 

product name after the next software scan. 

203

USER'S GUIDE 

Monitoring products for compliance 

Setting up a product 

In the left tree pane under Compliance, set up a hierarchical tree of product groups 

and individual products. You can group products any way you want, for example: 

• By company, such as Adobe or Microsoft 

• By specific categories, such as Unauthorized Files or Accounting Department 

• By product suite, such as Microsoft Office 

Within these groups, add the products that you want to monitor for usage or denial 

trends. For example, under an Adobe group, you might add products such as 

Photoshop* and Illustrator*. 

By default, these product groups are created during installation to help you get 

started: 

• LANDesk Management Suite 7.0: This group contains product and file 

containers for Management Suite 7.0. You need to enter only your license 

information to begin monitoring Management Suite 7.0 license compliance on 

your clients. 

• LANDesk Management Suite 8: This group contains product and file 

containers for Management Suite 8. You need to enter only your license 

information to begin monitoring Management Suite 8 license compliance on 

your clients. 

• Microsoft Office: This group contains product and file containers for Office* 

2000 Premium and Office XP Professional. You need to enter only your license 

information to begin monitoring Office license compliance on your clients. 

To set up a product 

1. From the left navigation pane, click Monitor software > Compliance. 

2. If don't want to use an existing product group, create one as described in 

"Managing product groups." 

3. Click the group you want to create the product in. Click the new product 

toolbar button. 

4. Enter the product information, as described in "Managing products." 

5. Continue configuring the product by following the steps in "Selecting product 

files to monitor". 

6. Add license information by following the steps in "Adding product license 

information." 

7. Export the LDAPPL3.INI by following the steps in "Customizing and exporting 

LDAPPL3.INI" 

204


Selecting product files to monitor 

Use the Add Files to Product window (under a product, click the Files tree item) to 

specify which files should be monitored to determine when a product is running. If 

you selected the Match all files option in the product properties dialog, all files you 

select must be on the client for software license monitoring to register a match. If 

you don't select the Match all files option, the presence of any file in the list on a 

client is considered a product match. 

If you're tracking different products that use the same file, you need to treat the 

products sharing the file differently. For example, if you're tracking license usage for 

MSDE and SQL 2000, and they both use SQLSERVR.EXE of the same size, you should 

also track a .DLL or other application file that's unique to each product. The Web 

console won't monitor these other files for compliance (only executables are 

monitored for compliance), but the unique file will help the scanner distinguish the 

MSDE license from the SQL 2000 license. 

Note: If you add files to a product other than .EXEs, you must first edit the 

LDAPPL3.TEMPLATE file to include those files in a software scan. Information relating 

specifically to the scanner's inventory parameters is contained in the 

LDAPPL3.TEMPLATE file. This template file works with the LDAPPL3.INI file to identify 

a client's software inventory. By default, LDAPPL3.INI only scans for executables. For 

more information, see "Editing the LDAPPL3.TEMPLATE file." 

To select files to monitor 

1. In the Find box, enter a search string. You don't have to enter the full file 

name, and you can use an asterisk as a wildcard character. 

2. Select the inventory column you want to search in, either Vendor, Product 

name, File name, Version, or Size. 

3. Select the file list you want to search in, either All, Discovered, or Not in 

product. 

4. Click the search button beside the In column list to begin your search. 

Depending on the number of matches, it might take a while for the results to 

appear. 

5. Check the box beside files that indicate this product's presence on clients. 

6. If you want to indicate that a file can't be on a client to match this product, 

check the file's Exclude from product box. The Exclude from product 

checkboxes are in the last column. For more information, see "Tracking 

licenses using the match all files option." 

You can search for files in these file lists: 

• All: All predefined files in the LDAPPL3.INI (even if they haven't been 

discovered on clients), and all files that have been discovered on clients. 

• Discovered: Only files that have been discovered on clients, even if they're 

for products that aren't defined in the LDAPPL3. 

• Not in product: All files that aren't currently being monitored in the 

Compliance tree. Use this list to search for files that you may want to begin 

monitoring for license compliance and usage/denial trends. This view doesn't 

include files on the denied list. 

205

USER'S GUIDE 

By default, the Files pane shows information on about ten products at a time. You 

can use the scroll bar to scroll through the list. If you want to make the pane longer 

and wider so you can see more file information, click the resize button to expand 

the Files window. This button toggles between the smaller and larger views. 

Tracking licenses using the match all files option 

Normally, software license monitoring considers the presence on a client of any file in 

a product's Files list a product match. You may encounter a situation where you need 

to track licenses for two or more products that contain an executable of the same 

name and size. In such a case, you also need to monitor a file unique to each 

product. By selecting Match All Files in the Product properties dialog and using both 

the executable and a unique file to identify license usage, you specify that all files 

associated with a product (as found in its Files container) need to be installed on a 

client before a product license is considered used. This ensures that the scanner can 

correctly track the products licenses. 

The following two examples help explain when you would select Match All Files: 

• If you're tracking license usage for MSDE and SQL 2000, and they both use 

SQLSERVR.EXE of the same size, you should also track a .DLL or other 

application file that's unique to each product. The Web console won't monitor 

these other files for compliance (only executables are monitored for 

compliance), but the unique file will help the scanner distinguish the MSDE 

license from the SQL 2000 license. 

Note: If you add files to a product other than .EXEs (in order to use the 

Match All Files option), you must first edit the LDAPPL3.TEMPLATE file to 

include those files in a software scan. By default, LDAPPL3 only scans for 

executables. For more information, see "Editing the LDAPPL3.TEMPLATE file." 

• If you're monitoring 10 licenses for Office XP Standard (that includes Word, 

Excel, Outlook, and PowerPoint), as well as 10 licenses for Office XP Pro (that 

includes the same applications, in addition to Access), you face the problem 

of wanting to monitor two distinct product licenses that contain executables of 

the same name and size. The scanner can't distinguish between license types 

by tracking individual files, nor by using just the Match All Files option for 

both products. 

In this case, you must go one step further by adding an Office XP Pro 

executable to the Files container of XP Standard (for example, Access) and 

marking that executable as Exclude from product. This ensures that the 

Software Monitoring agent won't record an Office XP Pro license as an XP 

Standard license, which would occur if only Match All Files was turned on. For 

more information on marking a file as excluded, see "Selecting product files 

to monitor." 

206


Adding product license information 

You need to add license information to monitor a product for license compliance. If 

you only want to track product usage, you can skip this procedure. 

After you set up license information for a product, if you ever see a red icon with an 

exclamation point appearing next to the product group, this means that one of the 

products in the group isn't license compliant. Expand the product group to find the 

non-compliant product, then view its associated information in the right pane. 

To add product license information 

1. Click Monitor software > Compliance > product group > product 

name. 

2. Click the New License toolbar button. 

3. In the License Properties dialog, use the tabs to enter the license, purchase, 

and tracking information that's relevant to your organization. 

4. When finished, click OK. 

5. If you want to ensure that all executables associated with a product are 

installed on a client before that product's license is monitored for compliance, 

you can. In the left pane, right-click the product name and select Match All 

Files. For more information, see "Tracking licenses using the match all files 

option." 

About the License Properties dialog 

The License Properties dialog has three tabs: 

• License 

• Purchase Info 

• Tracking 

Use the license tab to configure license properties for your product. 

• License Number: Enter a number that constitutes your product license. 

• License Type: Enter a type of license you have for the product, such as: 

competitive upgrade, freeware, new purchase, OEM, product upgrade, public 

domain, shareware, unknown. 

• Quantity: Enter the number of product licenses purchased. 

• Serial Number: Enter an additional number that may constitute your product 

license. 

Use the Purchase Info tab to configure purchase properties for your product license. 

• Purchase date: Enter a date the product was purchased by your company. 

• Unit price: Enter a price of each purchased license for the product. 

• Order number: Enter an order number used to make the purchase. 

• Reseller: Enter the name of purchase place. 

207

USER'S GUIDE 

Use the Tracking tab to configure tracking properties for your product license. 

• Owner: Enter a person or department in your company responsible for 

storing the boxed product. 

• Location: Enter a physical location where the boxed product is stored. 

• Notes: Enter any additional information associated with the product license, 

such as downgrade rights. 

Customizing and exporting LDAPPL3.INI 

The client inventory scanner uses a text file called LDAPPL3.INI that contains 

software inventory information. The LDAPPL3.INI is populated initially with most 

popular application executable filenames and file information. When the scanner runs 

on clients, it uses a local LDAPPL3.INI copy to match client executable filenames with 

the software inventory information. 

The master LDAPPL3.INI resides in the core server's LDLogon share. Whenever you 

make a change to software license monitoring information, you must export a new 

LDAPPL3.INI file. 

To export a new LDAPPL3.INI 

1. From the left navigation pane, click Monitor software | Compliance. 

2. Click publish list in a software license monitoring window. 

3. On the Publish list page, click Next. 

Changes you make won't take effect on clients until they receive the updated 

LDAPPL3.INI. 

When you export a new LDAPPL3.INI, the core server uses the LDLogon share's 

LDAPPL3.TEMPLATE text file to create the framework for the exported LDAPPL3.INI. 

The core server then populates this framework with file information and software 

license monitoring information from the core database. Finally, the core server writes 

the exported LDAPPL3.INI file to the LDLogon share, replacing any existing version. 

The next time clients do a software scan, they automatically receive the updated 

LDAPPL3.INI. 

You shouldn't edit the LDAPPL3.INI directly in a text editor, because the data is 

stored in the core server's core database. The next time the server writes a new 

version of this file, changes made directly with an editor will be lost. All changes to 

the LDAPPL3.INI should be made in the LDAPPL3.TEMPLATE file and from the Web 

console's software license compliance view. 

Understanding inventory file scan modes 

When the inventory scanner encounters a file that isn't defined in the LDAPPL3.INI, 

the scanner determines what file information it can and then reports the new file 

information to the core server. This is the default scan mode (MODE=ALL scanning). 

Since you can only monitor software licenses for files defined in the database on the 

core server, using a MODE=ALL scans allows you to keep the database up to date 

with files on your clients. 

208


If you don't use software license monitoring or you're only interested in scanning for 

applications defined in the LDAPPL3.INI, you can use a MODE=LISTED scan to 

slightly reduce scan overhead. This scan ignores undefined files. For more 

information on changing scan modes, see "Editing the LDAPPL3.TEMPLATE file." 

By default, LDAPPL3.INI contains descriptions of executables only. If you want the 

scanner to also identify other types of application files (.DLLs, .COMs, .SYSes, and so 

on), you can edit the LDAPPL3.TEMPLATE file to include all files of that type in a 

scan. For more information, see "Editing the LDAPPL3.TEMPLATE file." 

Making the LDAPPL3.INI file available to clients 

Each client that runs the inventory scanner has a local copy of LDAPPL3.INI. The 

clients' LDAPPL3.INI is initially installed as part of the default client configuration 

setup. Both the client and core version of this file must be synchronized for the 

scanner to know which files to scan or deny on clients. The core server and client 

LDAPPL3.INI synchronization uses delta matching so only the changes are 

transmitted. File compression further reduces the core's LDAPPL3.INI by 70 percent, 

which enables the scanner to update the clients' corresponding LDAPPL3.INI without 

using significant bandwidth. 

If you don't want to wait for the next inventory scan to update your client 

LDAPPL3.INI files, you can make the edits available to clients by scheduling a job to 

push LDAPPL3.INI down to clients. 

209

USER'S GUIDE 

Viewing license compliance and product 

usage/denial trends 

IT Management Suite includes extensive software license monitoring reporting 

features. You can view these reports by navigating to Inventory > Reports, and 

clicking Software Licensing. 

The software license monitoring reports provide the following information, among 

other things: 

• Application usage by computer 

• Applications used less than a certain number of times (useful for identifying 

unused licenses) 

• Denied product execution attempts and the associated users 

• License usage by computer and by product 

210


Denying product execution 

You can prevent clients from executing files you specify. When you add a product or 

edit a product's properties, you can check the Denied product option. When clients 

try to run a denied product, the product won't launch on their system and they'll see 

a message box telling them their system administrator has prevented access to that 

program. You can restore normal access to a product by clearing the Denied 

product option. 

All files in the Files list of a denied product will be denied on clients. The Match all 

files product option state doesn't affect denied products. 

You must publish the LDAPPL3.INI and clients must receive the updated version 

before changes take effect. 

211

USER'S GUIDE 

Distributing software and files 

Setting up a distribution package delivery server 

The delivery server is the Web server that stores packages you want to distribute. 

These steps explain how to create a virtual directory on a Web server and enable it 

for browsing. In general, virtual directories need to allow reading and directory 

browsing. Execute can't be set or the share won't work correctly. You also may want 

to disable write permissions so clients can't change the folder's contents. 

To configure a Windows NT/2000 Web server for software distribution 

1. Create a folder on the Web server where you want to store your software 

distribution packages. The usual location for such a folder on an IIS Web 

server is a subfolder in the c:\inetpub\wwwroot folder. 

2. Copy the packages to this folder. 

3. From the Control Panel, double-click Administrative Tools and then 

Internet Services Manager. 

4. In the right panel, double-click the icon with the client's name and then click 

Default Web Site. 

5. In an empty area in the right panel, right-click and select New, then click 

Virtual Directory. 

6. From the wizard, click Next and then enter an alias for your folder. Click 

Next. 

7. Either enter the path or browse to a path and click Next. 

8. In the Access Permissions dialog, enable Run script and Browse. This 

enables you to browse packages when creating the software distribution 

script. Click Next and Finish. 

9. To enable Port 80 on the Web server, in the left panel, right-click Default 

Web Site. 

10. Click Properties. In the Web Site Identification dialog, the TCP Port box 

should display 80. If it doesn't, click Advanced to add the port. 

11. Ensure that the Web site is available by opening a browser and entering the 

URL for your Web server and virtual directory. For example, if the name of 

your Web server is Test and the name of the virtual directory is Packages, 

enter the following URL: 

http://Test/Packages 

A list of the packages you have copied to this folder should appear. 

The size and number of packages you put in this folder is limited only by available 

disk space. You can use subfolders to logically group packages. Each subfolder you 

create must have the above access permissions set. 

Once you copy the packages to a package share on a Web server, they're staged and 

ready to be copied to the target clients. When scheduled, the URL or UNC path of the 

package is passed to SDCLIENT.EXE (the client agent) as a command-line 

parameter. SDCLIENT.EXE manages the file transfer, starts the installation, and 

reports the status. 

The Web server communicates with the client to ensure that the package copies 

correctly. If the package transmission is interrupted during the download, the Web 

212


server can use the HTTP protocol to restart the download at the point where it 

stopped. 

Additional Windows Server 2003 Web configuration for software distribution 

Windows Server 2003 handles virtual directories differently than Windows 2000. On 

Windows Server 2003, if you select a directory and from its shortcut menu make it a 

Web share, the directory registers itself in IIS 6 as a Web application rather than a 

virtual directory. The problem is that as a Web application, when trying to select an 

executable file, the Web server attempts to run the file as a Web application rather 

than download the file to the user. The resolution is to go into IIS, change the 

shared directory from a Web application to a virtual directory, and turn off execute 

permissions. 

On Windows 2003 Web servers, you also need to enable anonymous authentication 

for the package folder. 

To enable anonymous authentication 

1. Click Start | Administrative Tools | Internet Information Services 

(IIS) Manager. 

2. Click local computer > Web Sites > Default Web Site > your package 

directory. 

3. From your package directory's shortcut menu, click Properties. From the 

Directory Security tab, click Edit for Authentication and access control, 

and check the Enable anonymous access checkbox on the Authentication 

Methods window. 

213

USER'S GUIDE 

Scheduling and deploying software packages 

Using the Web console, you can accomplish these software distribution tasks: 

• Schedule and deploy software packages to your clients. 

• View scheduled jobs. 

• View distribution scripts. 

• View distribution logs. 

The advantage the Web console gives you over the Management Suite console is that 

you can deploy packages to clients in a rolled up database. This means that you can 

potentially send a package to thousands of clients at once. 

You can use the Web console to schedule and deploy packages only; you must still 

create the packages on a dedicated computer using Package Builder. Before using 

the Web console to schedule and deploy packages, you need to create a package 

using Package Builder and store it on your Web server. For more information, see 

"Setting up a package-building computer" and "Setting up the delivery server" in 

chapter 6 of the User's Guide. You can distribute a single file package per job. 

Ideally, your package should be a single-file self-extracting and self-installing 

executable. If the file has an executable extension, software distribution will run the 

file on clients once they receive it. If the file doesn't have an executable extension, 

it's copied locally to the client's \ldclient\sdmcache folder. 

Note that these distribution features aren't available when deploying software from 

the Web console: 

1. The ability to select additional files to be multicast. 

2. Peer download (only install from cache or peer). 

3. Dynamic bandwidth throttling: 

• Minimum available bandwidth percentage to use on the client 

• Delay between packets (peer) 

• Delay between packets (source) 

4. Multi-file MSI deployment using Multicast. 

Using the software distribution wizard 

Once you've created a package, use the five-step software distribution wizard to 

schedule and deploy it from the Web. The wizard includes these steps: 

1. Setting up a package to deploy 

2. Selecting clients to receive the package 

3. Scheduling a time and date for the distribution job 

4. Verifying the distribution job values and making any necessary changes 

5. Viewing the distribution job results 

214


To start the software distribution wizard 

1. From the left navigation pane, click Distribute software. 

2. On the Software Distribution page, click Distribute a package. 

The Software Distribution - Packages page appears. From here, you can begin the 

wizard that enables you to schedule and deploy a software package. 

Configuring domain-level software distribution and Windows 

2003 servers 

If you're going to distribute software from the Web console, the Web server you 

installed the Web console on must be able to access and change software distribution 

files on the core server. This is an issue if your Web server and core server are on 

different computers, or if your Web server is running Windows 2003 Server. To allow 

this, you need to register a component on the Web server. 

To configure domain-level software distribution 

1. Go to the Web server you installed the Web console on. 

2. From the Windows Control Panel's Administrative Tools, double-click 

Component Services. 

3. Click Component Services > Computers > My Computer > COM+ 

Applications. 

4. From the COM+ Applications shortcut menu, click New | Application. 

5. On the wizard welcome page, click Next. 

6. Click Create an empty application and click Next. 

7. Enter a name for the new application. "LANDesk" is fine. Click Server 

application and click Next. 

8. Click This user. You must enter a domain-level account with administrative 

privileges on the core server. If the account isn't domain-level, software 

distribution from the Web console won't work. Click Next. 

9. Click Finish to close the wizard. You'll see a new COM+ Application tree node 

named "LANDesk" or whatever you chose. 


Applications > LANDesk > Components. 

11. From the Components shortcut menu, click New | Component. 

12. On the Wizard welcome page, click Next. 

13. Click Import component(s) that are already registered. 

14. From the component list, click Schcom.Schint.1, then click Next. 

15. Click Finish to close the wizard. You should see Schcom.Schint.1 as a 

registered component. 


Applications > LANDesk > Roles. 

17. From the Roles shortcut menu, click New | Role, enter "Everyone" as the 

name for the new item. 

18. Click Roles > Everyone > Users. From the Users shortcut menu, click New 

| User, enter "Everyone" as the object name, and click OK. 

19. Restart IIS or reboot. 

215

USER'S GUIDE 

Using Targeted Multicast® with software distribution 

LANDesk Targeted Multicast® technology makes it possible to distribute large 

packages to many users across the network with a minimum of network traffic. 

Targeted Multicast features require no additional hardware or software infrastructure, 

and require no router configurations to allow multicast packets. You get the 

potentially extraordinary benefits of multicast technology with none of its traditional 

headaches. 

Targeted Multicast is designed to work with your existing software distribution 

packages. When you use Targeted Multicast, you can easily distribute software, even 

in WAN environments with multiple hops and low connection speeds (56k). Targeted 

Multicast uses HTTP for delivery from a Web site to a subnet representative. The 

Management Suite inventory scanner provides all the subnet information to the 

Targeted Multicast service. 

Targeted Multicast provides unique benefits that standard methods of "multicast" 

don't provide. Inventory-based targeting of clients enables you to send a package to 

a selected group of computers that fit specific criteria via a broadcast. Targeted 


deliveries. 

When compared to conventional software distribution methods, Targeted Multicast 

significantly reduces the time and bandwidth needed to deliver software packages. 

Instead of sending a package across the wire for each client, only one transfer is 

made for each subnet. Bandwidth savings increase as the number of clients on each 

subnet increases. 

Both Windows and Macintosh OS 10.2 clients support Targeted Multicast. 

You can activate Targeted Multicast by checking the Use Multicast to distribute 

this package option on the Software Distribution - Packages page that you'll 

see when creating a distribution package script. 

How Targeted Multicast works 

The Targeted Multicast feature divides your network into multicast domains. Each 

multicast domain consists of clients that can hear each others' broadcast traffic. 

Routers typically block multicast traffic, so a multicast domain often corresponds to a 

subnet on your network. Targeted Multicast discovers these multicast domains 

automatically when you schedule a job for multicast distribution. You don't need to 

make any changes to your network configuration for Targeted Multicast to work 

correctly. 

Each multicast domain requires a multicast domain representative. A representative 

is the client in a multicast domain that multicasts the file being distributed to other 

clients in the same multicast domain. Any client that has the software distribution 

agent on it can be a multicast domain representative. Targeted Multicast selects 

multicast domain representatives automatically for each multicast distribution. 

Clients acting as representatives don't require any additional software on them. 

When finding a multicast domain representative, Targeted Multicast first looks for a 

client in each multicast domain that already has the package in its software 

distribution cache. Clients cache packages that are distributed to them before 

installing the package. If Targeted Multicast finds a client that does have the package 

cached, Targeted Multicast uses that client as the multicast domain representative. 

216


Using a cached package saves bandwidth and time, because the server won't have to 

first send the package to the multicast domain representative. 

If Targeted Multicast can't find a client with a cached package, it sends out a subnetdirected 

broadcast to find a client that can act as a domain representative. 

If all of these multicast discovery methods fail to find a multicast representative, the 

server contacts each client in the target list to determine if it can be a multicast 


Because of the additional steps Targeted Multicast goes through when distributing 

packages, multicast package distribution may take longer than a normal package 

distribution. This is especially true for small packages or distributions that only target 

a few clients. Enable the multicast option when you are distributing packages 

(especially large ones) to many clients simultaneously or when it's important to 

minimize the network bandwidth used. 

When you start a distribution using Targeted Multicast, you'll see the Multicast 

Software Distribution window. This window contains detailed information about how 

the distribution is proceeding. 

Viewing scheduled jobs 

You can view, delete, or reschedule any of the distribution jobs scheduled with the 

Web console. 

To view scheduled jobs 


2. On the Software Distribution page, click View scheduled jobs. 

You'll see a table that lists the distribution jobs scheduled to deploy packages. The 

table includes these columns: 

• ID: This identification number is a sequential, arbitrary number that's 

assigned to each scheduled job. 

• Task: The script name for a particular distribution job. Click a name to view 

the clients that this job was scheduled for. The icons in this column indicate 

the following: 

• Job will occur only once. 

• Job is scheduled to recur on a regular basis. 

• Status: Shows the current status of the distribution job. The status of 

Partially Completed means that the package deployed successfully on some 

clients and failed on others. To determine which clients installed the package, 

click the task name and view the status of each client the job was scheduled 

for. 

• Last execution: Shows the day and time that the distribution job is 

scheduled for. 

Click Refresh page to refresh the scheduled jobs list. 

217

USER'S GUIDE 

Viewing distribution scripts 

You can view, delete, or create a new job for any of the scripts used to deploy as 

packages. These scripts are stored by default in the "C:\Program 

Files\LANDesk\ManagementSuite\scripts" folder on your core server. 

To view distribution scripts 


2. On the Software Distribution page, click View distribution scripts. 

To delete a script from the list, click the script, then click Delete script. If the 

deletion fails, it's probably because of a pending job. Before you can delete the 

script, you must delete the job from the Software Distribution - Scheduled Jobs 

page. 

To view the contents of a script in the list, click the script and click View script. You 

can only view, not edit the contents. 

To create a new job for the script, click the script, click Create new job, then step 

through the wizard again to configure different job settings for this particular script. 

Viewing distribution logs 

You can view or delete distribution logs that are created during software distribution 

jobs. These logs are stored by default in the "C:\Program 

Files\LANDesk\ManagementSuite\log" folder on your core server. 

To view distribution logs 


2. On the Software Distribution page, click View distribution logs. 

To view or delete a log in the list, select the log, then click View Distribution Log 

or Delete Distribution Log respectively. If you just deployed a package to clients 

and the log hasn't yet appeared in the list, click Refresh page. 

218


Customizing the Web console 

Using rollup databases 

The database Rollup Utility (DBROLLUP.EXE) enables you to take multiple source 

databases and combine them into a single destination core rollup database. A core 

server database can support about 10,000 clients, and the rollup core client limit 

depends on your hardware and acceptable performance levels. The source database 

can be either a core server or a rollup core server. 

The system requirements for a destination database may be substantially greater 

than the system requirements for a standard database. These requirements can vary 

considerably depending on your network environment. If you need more information 

about hardware and software requirements for your destination database, contact 

your LANDesk Software support representative. 

Setup installs the database Rollup Utility automatically with the rollup core. The 

Rollup Utility uses a pull mechanism to access data from cores you select. For 

database rollups to work, you must already have a drive mapped to each core you 

want the Rollup Utility to get data from. The account you connect with must have 

rights to read the core server's registry. 

The Rollup Utility checks with a registry key on the core server for database and 

connection information 

(HKLM\SOFTWARE\LANDesk\ManagementSuite\Core\Connections\local) and uses 

that key's information to access the database associated with each core you add to 

the Rollup Utility. For Oracle databases, the TNS definition on the server you're 

running the Rollup Utility from must match the TNS definition on the core server the 

utility is accessing. 

You can use the rollup utility to select the attributes you want rolled up from the 

cores. The attribute selections you make apply to all cores. Limiting the number of 

attributes shortens the rollup time and reduces the amount of data transferred 

during rollups. If you know you won't be querying on certain attributes, you can 

remove them. 

The Rollup Utility always rolls up the selected attribute data and Software License 

Monitoring data. You can't customize the Software License Monitoring rollup. Rollup 

also doesn't include any queries or scopes you've defined. Any console users with 

rights to the rollup database have access to all data within that database. You can 

use feature-level security to limit access to Web console features. For more 

information, see "Setting up feature-level security for rollup databases." 

Once you've added the core servers you want to roll up and the attribute list for 

those servers, you can click Schedule to add a scheduled rollup script for each core 

server. From a Web console, you can then schedule these rollup scripts to run at the 

time and interval you want. Rollup scripts are only visible from the Web console and 

reside on the rollup core. 

219

USER'S GUIDE 

To launch the Rollup Utility 

1. On a rollup core, run the Rollup Utility (\Program 

Files\LANDesk\ManagementSuite\dbrollup.exe). 

2. Select an existing rollup core server to manage from the list, or click New to 

enter the name of a new rollup core. 

3. Once you select a rollup core, the Source cores list shows cores you've 

configured to roll up to the selected rollup core. 

To configure the attributes that you want to roll up 

1. From the Rollup Utility, select the rollup core you want to configure. 

2. Click Attributes 

3. By default, all database attributes are rolled up. Move attributes from the 

Selected Attributes column to the Available Attributes column that you 

don't want to roll up. 

4. Click OK when you're done. Moving attributes to the Available Attributes 

column deletes associated data from the rollup database. 

To configure the source core servers for a rollup core 

1. From the Rollup Utility, select the rollup core you want to configure. 

2. Once you select a rollup core, the Source cores list shows cores you've 

configured to roll up to the selected rollup core. Click Add to add more cores 

or select a core and click Delete to remove one. Clicking delete immediately 

removes the selected core and all of that core's data from the rollup 

database. 

To schedule database rollup jobs from the Web console 

1. From the Rollup Utility, select the Rollup core you want to configure. 

2. In the Source cores list, select the core you want to schedule for rollup and 

click Schedule. If you don't select any cores, by default all cores in the list 

will be scheduled when you click Schedule. Clicking Schedule adds a rollup 

script for the selected core to the selected rollup core. 

3. From a Web console, connect to the rollup core server. 

4. In the left navigation pane, click Schedule rollup jobs. 

5. Click the rollup script you want to schedule. The script names begin with the 

source core name followed by the destination rollup core name in 

parentheses. Click Schedule roll up. 

6. Select when you want the roll up to happen and whether it should 

automatically reschedule or not. Click Continue to next step. 

7. Verify the script schedule and click Finish. 

220


Increasing the rollup database timeout 

With large rollup databases, the Web console's query editor may time out when it 

tries to display a large list, such as the Software Package Name list. When this 

happens, the list you are trying to display won't show any data. If you experience 

timeouts you need to increase the database timeout value. This needs to be done 

wherever the IIS service or the Web console server is being installed. At the 

following registry key: 

HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\Core 

Add a new DWORD, Timeout, with a decimal value of 1800. This value is in seconds. 

You can adjust this value based on your query types and database performance. 

Stop and restart IIS for the change to take effect. 

About the Rollup Utility 

Use the database Rollup Utility (run from the rollup core) to manage data rollups 

from core servers. 

• Rollup core: You can manage multiple rollup cores from the Rollup Utility. 

Select the core you want to manage. You first must have a drive mapped to 

each rollup core. 

• New: Click to add a new rollup core that you want to manage. You first must 

have a drive mapped to the rollup core you're adding. Enter the rollup core's 

computer name and click OK. 

• Attributes: Click to select the attributes you want rolled up. The attributes 

list is global for all core servers the selected rollup core uses. Move individual 

attributes or attribute trees from the Selected Attributes column (these 

attributes will be rolled up) to the Available Attributes column (these 

attributes won't be rolled up). 

• Reset database: Click to reset the selected rollup database. This deletes all 

data and rebuilds all tables. 

• Add: Click to add a core that you want to include data from in the selected 

rollup core. 

• Delete: Click to remove the selected core and its data from the selected 

rollup core's database. WARNING: This option deletes the selected core's 

data when you click OK. Data from other core servers remains in the rollup 

database. 

• Schedule: Click to add a rollup script for the selected core. If you don't have 

a core selected in the Source Cores box, this option creates rollup scripts for 

all cores in the Source Cores box. 

• Rollup: Click to do an immediate rollup from the selected core. If you don't 

have a core selected in the Source Cores box, this button rolls up all cores 

immediately. 

• Close: Click to close the Rollup Utility. 

221

USER'S GUIDE 

Setting up feature-level security for rollup 

databases 

If you're using the Web console with a core database, the Web console uses the rolebased 

administration settings you've made in the Management Suite console to 

control access to features and clients. For more information, see "Role-based 

administration" in chapter 1 of the User's Guide. If you're using the Web console with 

a rollup core database and you want to control access to features for that rollup 

database, you need to set up feature-level security as described below. 

The Web console administrator can set feature-level security by assigning users to 

any of the groups created during installation. By default, anyone with administrator 

privileges on the core server automatically has access to all Web console features 

their Web console license allows. All other users must be assigned to these groups, 

or they're denied access to the features. The groups are: 

• rc_user for using Remote control. A user with administrator privileges has to 

actually download the Remote Control Viewer onto the computer before users 

in this group can remote control a client. 

• sd_user for viewing Software distribution logs, scheduled jobs, and scripts. 

To further restrict security, these users can only configure settings and 

distribute packages if they have administrator privileges. 

• inv_user for creating and running custom queries. 

• report_user for viewing reports and configuring how they look. 

These groups are based on Windows NT groups. By default, they're set up as local 

groups on the Web server, though you can set them up on the domain controller as 

global groups. 

Assigning users 

You can only assign domain users to these groups; if you assign users that are local 

to the Web server, they won't authenticate. Local users can't log in to a remote client 

(in this case to access the Web console) as a local user on a Web server. 

By default, anyone in the Administrators group automatically has access to all Web 

console features. 

Setting up authentication 

To use feature-level security, you must set up authentication by disabling 

anonymous authentication on the Web server, but leave Windows 2000 Security 

enabled (this is Integrated Windows Authentication on Windows 2000). Setup should 

set these options automatically. 

222


Working with multiple cores 

After you've installed the Web console on a Web server, you can edit the 

configuration file \Inetpub\wwwroot\remote\xml\core.asp to connect to additional 

databases. By default, this file points to the core server only. Once you add more 

servers to it, you'll be able to connect to additional databases with a drop-down list 

in the Web console. If you ever change the information referenced in this file, you'll 

need to update core.asp with the new information. 

Note that all entries in core.asp must be single-line entries. Multiple-line entries will 

cause an error to occur. 

Here's a sample core.asp: 

 

 

 

 

 

 

 

Entry 

item name= 

server= 

database= 

user= 

password= 

Description 

The server name you want the Web console to connect to. This also is the text 

string that appears in the drop-down list of databases in the Web console's Login 

page. 

For SQL Server, this is the database servername\database instance name. If 

your database is in SQL's default instance, don't specify a database instance 

name. For Oracle, this is the Oracle host string (the service\instance name). 

The SQL database name you created on the Web server. This option is blank for 

Oracle databases. 

The default user ID for the database. 

The password associated with the default user ID. 

isoracle= Whether the database is Oracle (1) or not (0) 

software= 

For future use. Leave blank. 

rollup= Whether the database is a core rollup (1) database, or not (0). 

223

USER'S GUIDE 

To add databases to core.asp 

1. Locate core.asp on the Web server in the directory where the Web console is 

installed (by default C:\Inetpub\wwwroot\remote\xml). 

2. Open core.asp in a text editor, such as Notepad. 

3. Copy an existing item name line from core.asp (similar to the example 

above), then paste it under the existing text. Change the line to match the 

information for the additional database(s). 

4. Save the updated core.asp as a text file. 

224


Setting preferences 

Set preferences to change the way the Web console displays information. Click 

Configure > Preferences to access the Preferences page. 

In Beginner mode, instruction paragraphs appear at the top of each page to explain 

how to use the buttons, menus, and dialogs. Also, each button in the toolbar displays 

a name to tell what action that button performs. Expert mode hides the instruction 

paragraphs on each page and displays only icons, not names, on toolbar buttons. 

When you view a report, run a query, or search using Find Computer, the Web 

console displays a list of machines with the asset information you requested. 

Depending on your monitor size, plans to print information, and personal 

preferences, you may want to change the number of rows the Web console displays 

on each page. 

To set the preferences: 

1. From the drop-down list, click Beginner for Beginner mode or Expert for 

Expert mode. 

2. Enter the number of rows to display on each page. 

3. From the drop-down list, click 3D Pie to see reports as three-dimensional pie 

charts, 3D Bar to see reports as three-dimensional bar charts, 2D Pie to see 

reports as two-dimensional pie charts, or 2D Bar to see reports as twodimensional 

bar charts. 

4. Click Update. 

The Console preferences updated page will display the new preferences. 

Preferences are stored as cookies. 

The console preferences are stored in the web browser’s cookies directory. 

225

USER'S GUIDE 

Troubleshooting tips 

The following troubleshooting tips are for issues that most frequently occur with the 

Web console. 

After I log in, a blank page appears; I can't access any features. 

The entries in the CORE.ASP file are probably incorrect. Edit the file and make sure 

the information is correct for the database you're trying to connect to. 

The scanner can't connect to the server. 

If the scanner can't connect to the server, verify that the web application directory is 

configured correctly. If you're using https, you must have a valid certificate. Verify 

that you have a valid certificate. 

I get an invalid session when viewing the Web console. 

It's possible the browser session has timed out. Click Login in the left navigation 

pane to start a new session. 

The Web console times out too frequently. 

You can change the default session timeout for the Web console's Web pages. The 

IIS default is 20 minutes of inactivity before a login expires. To change the IIS 

session timeout: 

1. On the Web server, open the IIS Internet Service Manager. 

2. Expand the default Web site. 

3. Right-click the Remote folder, then click Properties. 

4. Under the Directory tab, click Configuration. 

5. Click the Application Options tab, then change the session timeout to the 

value you want. 

I cannot view the Remote control page in the Web console. 

In order to view the Remote control page, you must enable ActiveX controls. Some 

browsers have ActiveX controls disabled by default. If the Remote control page does 

not load correctly, enable ActiveX controls on your browser by changing the security 

settings. 

I followed the Software Distribution steps, but the Web console did not 

create a package. 

The Web console uses the IUSR and IWAM accounts on Web console server. These 

accounts are originally created based on the computer name. If you have ever 

changed the computer name, you must follow the steps below in order to 

successfully create software distribution packages. 

1. If you have .Net Framework installed, uninstall it. 

2. Uninstall IIS. 

3. Reinstall IIS. 

4. Reinstall the .Net Framework if you uninstalled it. 

A scheduled software distribution job did not run. 

If you schedule a software distribution job and it does not start, verify that the Intel 

Scheduler Service is running on the server. 

Inventory data is incomplete. 

You may find that certain inventory data doesn't appear in your query results or 

226


reports when you switch between rollup databases. This occurs if you have more 

than one rollup database on your network, and each has a different schema. To 

prevent this from happening, any custom data you add to one rollup database must 

be added to all others. 

Custom queries page not found error with an Oracle database. 

If you try to use custom queries, and you see a "page not found" error, an Oracle defect might be 

causing the problem. Follow these steps to fix it. 

1. Log in to Windows as a user with administrator privileges. 

2. Launch Windows Explorer from the Start menu and and navigate to the 

ORACLE_HOME folder. This is typically the Ora92 folder under the Oracle 

folder (i.e. D:\Oracle\Ora92). 

3. From the ORACLE_HOME folder's shortcut menu, click Properties. 

4. Click the Security tab. 

5. In the Name list, click Authenticated Users. On Windows XP, the Name list 

is called Group or user names. 

6. In the Permissions list under the Allow column, clear the Read and 

Execute option. On Windows XP, the Permissions list is called Permissions 

for Authenticated Users. 

7. Re-check the Read and Execute option under the Allow column (this is the 

box you just cleared). 

8. Click Advanced, and in the Permission Entries list, make sure you see the 

Authenticated Users listed there with Permission = Read & Execute and 

Apply To = This folder, subfolders and files. If this isn't the case, edit that line 

and make sure the Apply onto box is set to This folder, subfolders and 

files. This should already be set properly, but it's important that you verify 

this. 

9. Click the OK until you close out all of the security properties windows. 

10. Reboot your server to make sure that these changes have taken effect. 

227

Chapter 8: Monitoring software license 

compliance 

Software License Monitoring gives you the tools to implement complete, effective 

software asset management and license compliance policies. 

Software license monitoring features include: 

• Ability to scan for both known and unknown applications, and a disposition 

tool to define and track previously unknown applications. 

• Application launch denial to keep unauthorized software from running even on 

clients disconnected from the network. 

• Full integration with LANDesk asset management for current, complete 

information about installed applications. 

• Extensive application usage and license compliance reporting. 

• Extensive license monitoring and reporting features, including number of 

times each licensed application was launched, last date used, and total 

duration of application usage. 

• Easy configuration of license parameters, including number purchased, license 

type, quantity and serial number. 

• License purchase information, including price, date purchased, P.O. number, 

and reseller information. 

• Installation tracking and reconciliation, including the license holder and 

physical location of the client the license is installed on, as well as additional 

notes. 

• Aliasing to track software when vendor information or filenames change. 


• Creating product and vendor aliases 

• Monitoring products for compliance 

• How compliance monitoring works 

• About the Compliance tree 

• Selecting products to monitor 

• Downgrading product licenses 

• Viewing license compliance and product usage / denial trends 

• Editing software inventory 

• About LDAPPL3 

• Editing LDAPPL3 

• Adding files to LDAPPL3 

• Exporting and importing Software License Monitoring window data 

• Using Software License Monitoring with Macintosh clients 

229

USER'S GUIDE 

Monitoring software license compliance 

The Software License Monitoring window is designed to let you monitor and manage 

the software that's installed on your clients. Navigate the window from the left pane, 

where you can accomplish three main tasks from the Software License Monitoring 

tree: 

• Aliases: In this view, you can create product or vendor aliases. An alias 

ensures that you can correctly account for all installed executables from a 

specific vendor if the vendor name changes, or for a product if its vendor and 

name change. This feature is especially useful if you're monitoring products in 

the Compliance tree and need to maintain accurate information about your 

licenses. 

• Compliance: In this tree view, you can monitor usage and license 

compliance for products across your organization, set up product license 

downgrading, deny usage of applications on clients, and view license 

compliance, usage, and denied application trends. 

• Inventory: In this tree view, you can edit LDAPPL3, a software description 

file stored on your core server. The inventory scanner uses LDAPPL3 to 

identify your clients' software inventory. 

You can also import and export data appearing in the Software License Monitoring 

window to and from other Management Suite 7/8 core servers you may have on your 

network. This feature is useful if you need to ensure that core databases are 

synchronized on all of your version 8 core servers. 

230

CHAPTER 8: MONITORING SOFTWARE LICENSE COMPLIANCE 

Creating product and vendor aliases 

Use the Aliases view to create product or vendor aliases. An alias ensures that you 

can correctly account for all installed products by: 

• Normalizing executable file data: An alias lets you make consistent the 

information the core database needs to correctly identify an installed product. 

For example, the file information provided by a vendor isn't always consistent. 

Files scanned into the core database for various Microsoft products may show 

the vendor name as being Microsoft Corp, Microsoft (R), or just Microsoft. If 

you were to run a query on "Microsoft (R)" products, you would get only a 

partial list back of Microsoft products installed across your network. By 

creating a vendor alias of "Microsoft Corp" for all of your Microsoft products, 

you ensure that those products all have exactly the same vendor name. 

• Updating executable file data: An alias lets you update file information if 

the product name or vendor changes after installation. For example, 

sometimes vendor or product names change because a company has been 

newly acquired or divested, or a company has renamed its product after 

several versions. If this occurs with your client applications, use aliasing to 

associate new vendor or product names with the originals, ensuring that the 

core database can continue to identify your executables accurately. This 

feature is especially useful if you're monitoring products in the Compliance 

tree and need to maintain accurate information about your licenses. 

About the Aliases view 

The right pane of the Aliases view shows the original vendor and name for a product, 

as well as any new vendor and/or product names that you may have added. A 

software scan must occur before a new alias will appear in the Software License 

Monitoring window or in Asset reports that include data about your client's software. 

You can create two types of aliases in the Alias Properties dialog: 

• Vendor: An alias for all installed products of a certain vendor (enter the 

original vendor name and a new vendor name). 

• Product: An alias for a specific product (enter original vendor and product 

names, as well as new ones). A product alias that includes a new vendor will 

always take precedence over an alias created for all products of a certain 

vendor. 

Aliases you create will show up in the tree views for Aliases, Compliance, and 

Inventory, as well as in any asset reports that include client software data. 

To create an alias 

1. In the console, click Tools | Software License Monitoring. 

2. In the left pane's Aliases shortcut menu, click Create Alias. 

3. In the Alias Properties dialog, enter the original vendor and original product 

name, as well as the new vendor and/or new product name for the 

application. Click OK. 

231

USER'S GUIDE 

To delete an alias 


2. In the left pane, click Aliases. 

3. In the right pane's alias's shortcut menu, click Delete. 

After you delete an alias, the core database reverts to using the original vendor and 

product name after the next software scan. 

About the Alias Properties dialog 

Use the Alias Properties dialog (from the Aliases tree item's shortcut menu, click 

Create Alias) to create an alias for a product executable. Aliasing ensures that the 

scanner can correctly identify client applications if their product or vendor names 

have changed since being installed. 

If name changes occur to your client's software, use aliasing to associate new vendor 

or product names with the originals. The scanner will then associate the new names 

with any executables that match the original information in the core server's core 

database, ensuring that your software is accurately identified. 

This feature is most useful when monitoring product licenses in the Compliance view, 

ensuring that the scanner can continue to identify those products. 

• Original vendor: Enter the name of the product's original vendor. 

• Original product name: Enter the original product name. 

• New vendor: Enter the new vendor name. 

• New product name: Enter the product's new name. 

232


Monitoring products for compliance 

IT administrators often find it challenging to track product licenses installed on 

numerous clients across a network. They run the risk not only of over-deploying 

product licenses, but also of purchasing too many licenses for products that turn out 

to be unnecessary. You can avoid these problems by using the Compliance tree to 

monitor and report on product licenses and usage across your organization. 

Compliance features include: 

• Passive, low-bandwidth monitoring: The Software Monitoring agent 

passively monitors product usage on clients, using minimal network 

bandwidth. The agent continues to monitor usage for mobile clients that are 

disconnected from the network. 

• Reporting: The power of compliance monitoring rests in its data-gathering 

capabilities. Use the data to track overall license compliance and to monitor 

product usage and denial trends. 

• Product license downgrading: For certain products, you can set up license 

downgrading so that newer versions of a product can loan a license to older 

versions, keeping your clients license compliant at all times. 

How compliance monitoring works 

The Software Monitoring agent installs on your clients as part of the default client 

configuration setup. The agent records data about all installed applications on a 

client and stores this data in the client's registry at: 

HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\Software 

Monitoring\MonitorLog 

Use the Software License Monitoring window to monitor the most important of these 

installed applications. Application usage data that you don't monitor is ignored and 

eventually overwritten with newer data in the client's registry. 

After you indicate the product files and licenses that you want to monitor, the 

following occurs: 

• Management Suite detects clients that are running the applications you want 

to monitor and imports this list into the Software License Monitoring window. 

The client list is static until the next software scan occurs. 

• During the next scan, the scanner reads the client data collected by the 

Software Monitoring agents and sends this data up to the core server. 

Management Suite then updates the Software License Monitoring window with 

information for the specific licenses and products you're monitoring. 

About mobile clients 




monitored and sends that data to the core server. The Software License Monitoring 

window is then updated with the latest license compliance, usage, and denied 

application data for those mobile clients. 

233

USER'S GUIDE 

About the Compliance tree 

The Compliance tree shows the following details: 

• Left pane: Shows a hierarchical tree of product groups containing licensed 

products that you want to monitor. By expanding the tree and clicking one of 

the following items under a specific product, different types of data appear in 

the right pane: 

• Files: Files that are monitored for a given product. Files appear here 

when you drag and drop them from any of the categories under 

Inventory > Files. Once a file appears here, it also appears in the In 

Monitored Product category under Inventory > Views. 

• Licenses: The license details for a given product. 

• Downgrade Products: The loaned or borrowed licenses for a given 

product. If you have two versions of the same product installed on 

your network, you can set up the older version to borrow a license 

from the newer version. By exercising your downgrade rights, you 

prevent the older version from exceeding its license count. 

• Usage Report: The client usage data for a given product. 

• Denial Report: The denied usage data for a given product. 

• Right pane: Depending on what you select in the left pane, this pane shows 

product executables that you're monitoring, license compliance details, 

license downgrades, or product usage/denial trends. 

Selecting products to monitor 

To begin monitoring products for license compliance and usage/denial trends, you 

must complete three different procedures within the Software License Monitoring 

window: 

1. Set up a tree view for product groups and individual products 

2. Select product files to monitor 

3. Add product license information 

Setting up the tree view 

In the left pane under Compliance, set up a hierarchical tree of product groups and 

individual products. You can group products any way you want, for example: 

• By company, such as Adobe or Microsoft 

• By specific categories, such as Unauthorized Files or Accounting Department 

• By product suite, such as Microsoft Office 

Within these groups, add the products that you want to monitor for usage or denial 

trends. For example, under an Adobe group, you might add products such as 

Photoshop* and Illustrator*. 

By default, these product groups are created during installation to help you get 

started: 

234


• LANDesk Management Suite 7.0: This group contains product and file 

containers for Management Suite 7.0. You need to enter only your license 

information to begin monitoring Management Suite 7.0 license compliance on 

your clients. 

• LANDesk Management Suite 8: This group contains product and file 

containers for Management Suite 8. You need to enter only your license 

information to begin monitoring Management Suite 8 license compliance on 

your clients. 

• Microsoft Office: This group contains product and file containers for Office* 

2000 Premium and Office XP Professional. You need to enter only your license 

information to begin monitoring Office license compliance on your clients. 

To restore default tree view settings 

If you ever delete these default product groups and later decide that you want them 

back, simply import DEFAULTS.XML from the C:\Program 

Files\LANDesk\ManagementSuite\ldlogon folder of your core server. Importing this 

XML into the Software License Monitoring window will restore the product groups, as 

well as the original LDAPPL3 data that shipped with Management Suite 7. An XML 

import will merge this data with data already existing in the window's Compliance 

and Inventory trees. 

To set up a tree view 


2. In the Compliance shortcut menu, click New Group. 

3. Enter the new product group name. 

4. To add products under this group, right-click the group name and select one 

of the following: 

• New Product: To add a product that you want to monitor for usage 

trends. 

• New Denied Product: To add a product that you want to monitor for 

denial trends. 

5. Enter the product name. Once you do this, you'll notice that: 

• Under a new product, containers for Files, Licenses, Downgrade 

Products, Usage Report, and Denial Report appear. You can add 

executables to the Files container and add license information to the 

Licenses container. If this product has downgrade rights, you can also 

set up those rights by clicking the Downgrade Products container. 

• Under a newly denied product, containers for Files, Licenses, 

Downgrade Products, Usage Report, and Denial Report appear. You 

can add executables to the Files container and then add the same 

executables to the Inventory > Files > To Be Denied category. 

Note that you don't have to add executables in a denied product to the 

To Be Denied category. They will be denied if the product is marked 

as Deny use of this product. 

To edit the tree view 

235

USER'S GUIDE 

• To edit properties for a product: In the left pane, in the product name 

shortcut menu click Properties. Enter the product name, version, publisher 

name, if you want to deny its use to clients, and if you want to match all files 

(that is, require that all files associated with this product be installed on the 

client before a license is counted as used). Click OK. 

• To delete or rename a product group or product: In the left pane, in the 

group or product name shortcut menu, click Delete or Rename. 

About the Product Properties dialog 

Use the Product Properties dialog (right-click a product and click Properties) to view 

and change the properties for a product you select. 

• Product name: Shows the name of the product you're viewing. 

• Version: Shows the product version number. 

• Publisher: Shows the vendor that created the product. 

• Deny use of this product: Whether SLM is denying execution for this 

product on clients. 

• Match all files: Whether multiple files must be on the client before a license 

is counted as used. 

Selecting product files to monitor 

You can select product files to monitor from categories under the Inventory tree. 

After you begin to monitor a file in the Compliance tree, that file also appears in the 

Inventory > Views > In Monitored Product category. 

To select product files to monitor 

1. Click Compliance > product group > product. 

2. In the Files shortcut menu, click Add Files. 

3. Use the Find box to enter a word, then use the In Column drop-down menu 

to specify if the word is part of the file's vendor, product, or filename. You can 

also use the File List drop-down menu to specify the Inventory tree category 

you want to search. 

4. Click the Search toolbar button. 

5. Select the file from the returned list, then click Add to add it to the files list of 

this product. 

After you add the files, Management Suite immediately detects the clients currently 

running those executables (as indicated by the last software scan) and populates the 

Software License Monitoring window with that information. After the next software 

scan, you can view the Usage Report to see clients that have run the file(s), or the 

Denial Report to see clients that have attempted to run the file(s). To view these 

clients, click Compliance > product group > product > Usage Report or Denial 

Report. 

You can also find out which products are using the same version of a file by using the 

Find in Product option. 

236


To find which products are using a file 

1. Click Compliance > product group > product > Files. 

2. Select the file you want to search on, and from its shortcut menu click Find 

in Product. The cascading menu shows you which products contain that 

same file and file version. Clicking a product takes you to that file in the 

product. 

To find where files are installed on clients 

1. Click Compliance > product group > product > Files. 

2. Select the file you want to search on, and from its shortcut menu click Where 

Installed. 

About the Add files to Product window 

Use the Add Files to Product window (right-click a product and click Add Files) to 

specify which files should be monitored to determine when a product is running. 

• Find: Enter the filename or search keyword you want to look for. 

• In Column: Select the inventory column you want to search in, either 

Vendor, Product Name, File Name, Version, or Size. 

• Discovered But Not In Product: Shows files that also appear in the To Be 

Dispositioned list but aren't currently being monitored in the Compliance tree. 

Use this list to view files that you may want to begin monitoring for license 

compliance and usage/denial trends. 

• To Be Scanned: Shows files in your core server's LDAPPL3 that the scanner 

can identify on clients. 

• To Be Dispositioned: Shows files that have been discovered on clients, but 

are unknown to LDAPPL3. You must move these files into other categories 

before the scanner can identify them. 

• Discovered on Computers: Shows all files that have been discovered on 

clients, even if they're for products that aren't defined in the LDAPPL3. 

• In Monitored Product: Shows files that are already being used to monitor 

products. 

• File information pane: Shows files that match your Find string and the File 

List you've selected. 

Adding product license information 

Finally, you need to add license information to monitor a product for license 

compliance. If you only want to track product usage, you can skip this procedure. 

After you set up license information for a product, if you ever see a red icon with an 

exclamation point appearing next to the product group, this means that one of the 

products in the group isn't license compliant. Expand the product group to find the 

non-compliant product, then view its associated information in the right pane. 

237

USER'S GUIDE 

To add product license information 

1. Click Compliance > product group > product. 

2. In the Licenses shortcut menu, click New License. 

3. In the License Properties dialog, use the tabs to enter the license, purchase, 

and tracking information that's relevant to your organization. 

4. When finished, click OK. 

5. If you want to ensure that all executables associated with a product are 

installed on a client before that product's license is monitored for compliance, 

you can. In the left pane, right-click the product name and select Match All 

Files. For more information about using the Match All Files option, see the 

next section. 

About the License Properties dialog 

The License Properties dialog has three tabs: 

• License 

• Purchase Info 

• Tracking 

Use the license tab to configure license properties for your product. 

• License Number: Enter a number that constitutes your product license. 

• License Type: Enter a type of license you have for the product, such as: 

competitive upgrade, freeware, new purchase, OEM, product upgrade, public 

domain, shareware, unknown. 

• Quantity: Enter the number of product licenses purchased. 

• Serial Number: Enter an additional number that may constitute your product 

license. 

Use the Purchase Info tab to configure purchase properties for your product license. 

• Purchase date: Enter a date the product was purchased by your company. 

• Unit price: Enter a price of each purchased license for the product. 

• Order number: Enter an order number used to make the purchase. 

• Reseller: Enter the name of purchase place. 

Use the Tracking tab to configure tracking properties for your product license. 

• Owner: Enter a person or department in your company responsible for 

storing the boxed product. 

• Location: Enter a physical location where the boxed product is stored. 

• Note: Enter any additional information associated with the product license, 

such as downgrade rights. 

238


Tracking licenses using the Match All Files option 

You may encounter a situation where you need to track licenses for two or more 

products that contain an executable of the same name and size. In such a case, you 

also need to monitor a file unique to each product. By selecting Match All Files and 

using both the executable and a unique file to identify license usage, you specify that 

all files associated with a product (as found in its Files container) need to be installed 

on a client before a product license is considered used. This ensures that the scanner 

can correctly track the products licenses. 

The following two examples help explain when you would select Match All Files: 

• If you're tracking license usage for MSDE and SQL 2000, and they both use 

SQLSERVR.EXE of the same size, you should also track a .DLL or other 

application file that's unique to each product. Management Suite won't 

monitor these other files for compliance (only executables are monitored for 

compliance), but the unique file will help the scanner distinguish the MSDE 

license from the SQL 2000 license. 

Note: If you add files to a product other than .EXEs (in order to use the 

Match All Files option), you must first edit the LDAPPL3.TEMPLATE file to 

include those files in a software scan. By default, LDAPPL3 only scans for 

executables. For more information, see "Editing the LDAPPL3.TEMPLATE file 

"in Appendix A. 

• If you're monitoring 10 licenses for Office XP Standard (that includes Word, 

Excel, Outlook, and PowerPoint), as well as 10 licenses for Office XP Pro (that 

includes the same applications, in addition to Access), you face the problem 

of wanting to monitor two distinct product licenses that contain executables of 

the same name and size. The scanner can't distinguish between license types 

by tracking individual files, nor by using just the Match All Files option for 

both products. 

In this case, you must go one step further by adding an Office XP Pro 

executable to the Files container of XP Standard (for example, Access) and 

marking that executable as Not In Product. This ensures that the Software 

Monitoring agent won't record an Office XP Pro license as an XP Standard 

license, which would occur if only Match All Files was turned on. 

To mark an executable as Not in Product 

1. In the right pane, select the file. 

2. Right-click and select Not in Product. 

239

USER'S GUIDE 

Downgrading product licenses 

The Software License Monitoring window lets you "downgrade" licenses for certain 

products: if you have two versions of the same product installed on your network, 

you can set up the older version to borrow a license from the newer version. 

By exercising your downgrade rights, you prevent the older version from exceeding 

its license count. For example, you could configure Office XP to provide licenses to 

Office 97 when Office 97 licenses are exceeded, ensuring that clients can still run 

Office 97 applications while staying within compliance. The caveat is that you can't 

set up circular borrowing or borrowing in the opposite direction, where the newer 

version borrows from the older version. 

This feature is useful only for products where the vendor permits license 

downgrading. Microsoft, for example, allows this for many of its products. To verify 

that license downgrading is permissible for a product, refer to your license 

agreements. 

The following scenarios (in addition to the one mentioned above) describe when you 

can downgrade licenses: 

• Products #1 and #2 borrow from product #3: For example, you could 

configure Office 97 and Office 2000 to borrow licenses from Office XP. 

• Product #1 borrows from products #2 and #3: For example, you could 

configure Office 97 to borrow licenses from Office 2000 and Office XP. 

• Product #1 borrows from product #2, and product #2 borrows from product 

#3: For example, you could configure Office 97 to borrow licenses from Office 

2000, then configure Office 2000 to borrow from Office XP. 

To downgrade a product license 


2. Click Compliance > product group > product > Downgrade Products. 

3. Click Add. Select a product that you can give licenses to, then click Add. 

4. To set up a second or third product to give licenses to, repeat step 3. The 

order in which the downgraded products appear in the list is important. 

Products ranked lower in the list will only get licenses if the products above 

them haven't used all of the available licenses. To move a product up or down 

in the list, select it and click Move Up or Move Down. 

License downgrading will begin after the next software scan, which you can track 

from this view. Information about the products will appear in the lists for Downgrade 

Licensed Product and Upgrade Licensed Product. 

240


About the Downgrade Products window 

Use the Downgrade Products window (click a product in the tree and click 

Downgrade Products) to configure tracking properties for your product license. 

• Licenses: Shows the total number of licenses available from the products 

you're using to borrow licenses. 

• Installations: Shows how many licenses are being used for the product 

you're configuring. 

• Add button: Click this to specify which products can borrow licenses from the 

product you're configuring. 

• Remove button: Click this to remove a product from the list. 

• Move Up/Down buttons: Select a Downgrade Licensed Product and click 

Move Up or Move Down to prioritize which product will receive the borrowed 

licenses. 

Viewing license compliance and product usage/denial trends 

One of the most powerful features of the Software License Monitoring window is the 

ability to track overall license compliance and monitor product usage and denial 

trends. The following types of data appear in the right pane of the Compliance tree: 

• Overall license compliance: Shows overall license compliance for all 

defined product groups 

• Product group license compliance: Shows compliance at the product 

group level 

• Product usage report: Shows usage information at the client level 

• Product denial report: Shows denied executables at the client level 

To view overall license compliance 


2. Click Compliance. In the right pane, overall compliance data for all defined 

groups will appear, such as: 

• Product group: Names of the defined product groups 

• Complies: Shows if licenses are compliant for a product group 

• Out of Compliance: Number of out-of-compliance licenses for a 

product group 

• Licenses not Deployed: Number of licenses not being used for a 

product group 

241

USER'S GUIDE 

To view product group license compliance 


2. Click Compliance > product group. In the right pane, overall compliance 

data for this group will appear, such as: 

• Licensed Product: Names of products under this group 

• Licenses: Number of licenses available to your organization for 

products in this group 

• Installations: Number of installations currently on clients for products 

in this group 

• Out of Compliance: Number of out-of-compliance licenses on clients 

for products in this group 

• Licenses not Deployed: Number of licenses not being used for 

products in this group 

• Loaned: Number of licenses loaned by this product to an older version 

of the same product 

• Borrowed: Number of licenses borrowed by this product from a newer 

version of the same product 

• Not Used: Number of clients that haven't run the installed product yet 

To view a product usage report 


2. Click Compliance > product group > product > Usage Report. In the 

right pane, usage data for this product will appear, such as: 

• Machine: Name of client 

• Last Used: Last time the .EXE was run on the client 

• Last User: Username of last user to log in to the client 

• # Executions: Number of times the .EXE has run on the client 

• Duration (minutes): Number of minutes the .EXE has run on the 

client 

• Last Reset Date: The last time this information was cleared from the 

core database and client registry (by right-clicking Compliance and 

selecting Reset Usage Information). The date comes from the core 

server. 

You can sort these columns by clicking the column header. You can also right-click a 

client name to open a window showing the inventory on that client. 

242


To view a product denial report 


2. Click Compliance > product group > product > Denial Report. In the 

right pane, denial data for this .EXE will appear, such as: 

• Machine: Name of client 

• Last User: Username of last user to log in to the client 

• # Denials: Number of times an attempt was made to execute the 

.EXE on the client 

• Last Reset Date: The last time this information was cleared from the 

core database and client registry (by right-clicking Compliance and 

selecting Reset Usage Information). The date comes from the core 

server. 

You can sort these columns by clicking the column header. You can also right-click a 

client name to open a window showing the inventory on that client. 

Printing or exporting data in report format 

You can print any of the Compliance tree data in report format or export it to a 

variety of file types, such as Crystal Reports*, Adobe Acrobat*, Microsoft Excel*, and 

so on. 

To print or export data 


2. Click Compliance and expand the tree to view the product data that you 

want to print or export. (This data will appear in the right pane.) 

3. Click the Print toolbar button to open the data in report format. 

4. To print the report, click the Print toolbar button. 

Resetting usage and denial report data 

If you ever want to clear the data for your monitored products' usage or denial 

reports, you can. Clearing the data lets you reset the counter so you can begin 

tracking applications from a certain point on. The reset affects all clients, and it 

clears the client registries and the core database of all past usage and denial report 

data. For this reason, it's important to print or save any usage or denial reports you 

may want to keep before resetting. When you reset the usage and denial report 

data, you do so for all monitored products in the Compliance tree. 

To reset usage and denial report data 


2. Right-click Compliance and select Reset Usage Information. 

3. When prompted, click Yes to complete the reset. 

4. Click the Make Available for Clients toolbar button to make the most recent 

changes available to clients the next time they run an inventory scan. 

243

USER'S GUIDE 

After you reset, you'll need to force a scan to clear the report data from your client 

registries, then you'll have to force a second scan before the new data is actually 

recorded in the Software License Monitoring window. 

On large databases, the reset can take a long time. If the reset times out, your DBA 

can reset the usage manually by entering these SQL commands: 

UPDATE FileInfoInstance 

SET SCM_TotalSessionTime = NULL, 

SCM_SessionCount = NULL, 

SCM_SessionsDenied = NULL, 

SCM_LastUser = NULL, 

SCM_LastSessionTime = NULL 

About the Deny File Properties dialog 

Use the Deny File Properties dialog to add a file to the Inventory view's To Be Denied 

category. When you deny use of a file, all files with this name, regardless of differing 

size and version, are moved into this category. The inventory scanner then prevents 

execution of all occurrences of this filename. 

When entering a filename, include the file extension. 

About the Exclude File Properties dialog 

Use this dialog to add a file to the Inventory view's To Be Excluded category. When 

you exclude a file from being scanned, all files with this name, regardless of differing 

size and version, are moved into this category. The inventory scanner then ignores 

all occurrences of this filename. 

When entering a filename, include the file extension. 

244


Editing software inventory 

Use the Software License Monitoring window's Inventory tree to edit LDAPPL3, a 

software description file stored on your core server. The inventory scanner uses the 

data in LDAPPL3 to identify your clients' software inventory. The scanner recognizes 

software applications in three ways: 

• Filename 

• Filename and size 

• Information included in an application's executable file 

About the Inventory tree 

The Inventory tree contains two panes that show the following details. 

• Left pane: This pane shows a Files and Views tree. 

• Files: Displays the categories you can use to organize the files listed 

in the core server's LDAPPL3: 

• To Be Scanned: Files in your core server's LDAPPL3 that the 

scanner can identify on clients. 

• To Be Dispositioned: Files that have been discovered on 

clients but are unknown to LDAPPL3. You must move these files 

into other categories before the scanner can identify them. 

• To Be Excluded: The scanner ignores all occurrences of a file 

that you move here. If you delete a file from To Be Excluded, it 

appears in the To Be Dispositioned category. 

• To Be Denied: Execution is denied for all occurrences of a file 

that you move here. End users who attempt to run a denied 

executable will see the program run for a few seconds before it 

closes down. If you delete a file from To Be Denied, it appears 

in the To Be Dispositioned category. 

• Views: Displays the following file lists in the right pane: 

• Discovered But Not In Product: Files that also appear in the 

Discovered on Computers list but aren't currently being 

monitored in the Compliance tree. Use this list to view files that 

you may want to begin monitoring for license compliance and 

usage/denial trends. 

• Discovered on Computers: All executables that have been 

discovered on your clients, whether they're in LDAPPL3 or not. 

You can sort the right-pane columns to get a clear 

understanding of each file's status, such as if it's in a monitored 

product, or if it's currently in one of the LDAPPL3 categories. If 

discovered files have the status of To Be Dispositioned, this 

means they were discovered during a software scan, but aren't 

in LDAPPL3. A file must be in LDAPPL3 before it's regularly 

scanned, excluded, or denied on clients. 

• In Monitored Product: Files that are monitored for license 

compliance and usage/denial trends in the Compliance tree. 

You can't move these files from the Inventory tree; they're only 

shown for reference. 

245

USER'S GUIDE 

• Right pane: This pane changes depending on the item you select in the left 

pane. 

About LDAPPL3 

LDAPPL3 is the new version of LDAPPL.INI that shipped with older versions of 

Management Suite. Unlike the past, you shouldn't edit this new file directly in a text 

editor, because the data is now stored in the core server's core database as a 

compressed file. The next time the server writes a new version of this file, changes 

made directly with an editor will be lost. All edits to software descriptions contained 

in LDAPPL3 must be made from the Software License Monitoring window. 

As shipped with Management Suite, LDAPPL3 contains descriptions of several 

thousand applications, providing a baseline of executables that your clients may have 

installed. Use this window to select the executables listed in LDAPPL3 that you want 

the scanner to identify, exclude, or deny on clients. If an executable isn't listed in 

LDAPPL3, you can add it. 

By default, LDAPPL3 contains descriptions of executables only. If you want the 

scanner to also identify other types of application files (.DLLs, .COMs, .SYSes, and so 

on), you can manually add those files to any of the categories under the Inventory > 

Files tree after editing the LDAPPL3.TEMPLATE file to include all files of that type in a 

scan. For more information, see "Editing the LDAPPL3.TEMPLATE file" in Appendix A, 

Beginning with Management Suite 8, The inventory scanner can use HTTP for 

LDAPPL3 file transfers. This allows the scanner to support Targeted Multicast features 

like polite bandwidth and peer download. Peer download allows clients needing 

LDAPPL3 updates will check with the core server for the latest version's date, then 

clients will broadcast to peers on their subnet to see if a peer has the update in its 

multicast cache. If a peer has the update, the file transfer happens on the local 

subnet without generating network traffic across routers or WAN links. For more 

information on Targeted Multicast and peer download, see "Using Targeted Multicast 


Downloading updated LDAPPL3 files 

You can download updated LDAPPL3 files in XML format from the LANDesk support 

Web site. Go to http://support.landesk.com/support, then link to the downloads 

page for Management Suite 8. 

Editing LDAPPL3 

By default, LDAPPL3 pre-populates the Inventory > Files categories of To Be 

Scanned and To Be Excluded when you set up Management Suite. From these 

categories, you can edit LDAPPL3 by using an executable's shortcut menu to select a 

new category. 

Once you edit the core's LDAPPL3, you need to make the most recent changes 

available to clients the next time they run an inventory scan. Do this by clicking the 

Make Available to Clients toolbar button. This action compresses the core's 

LDAPPL3 by 70 percent, which enables the scanner to update the clients' 

corresponding LDAPPL3 without using significant bandwidth. (The clients LDAPPL3 is 

installed as part of the default client configuration setup.) Both the client and core 

version of this file must be synchronized for the scanner to know which files to scan 

identify, exclude, or deny on clients. 

246


If you don't want to wait for the next inventory scan to update your client LDAPPL3 

files, you can make the edits available to clients in these ways: 

• By using your client logon scripts: In the Client Setup wizard, you can 

specify that your clients' local LDAPPL3 automatically receives updates from 

the core's .INI file each time a client boots. 

• By scheduling a job to push LDAPPL3 down to clients: Use the 

Scheduled Tasks window to schedule a time to push down the core's LDAPPL3 

to each of your clients. By default, LDAPPL3 is located in the c:\Program 

Files\LANDesk\ManagementSuite\LDLogon folder of your core server. 

• By updating the LDAPPL3 automatically during inventory scans: To 

automatically update the client's LDAPPL3 during an inventory scan, add a /i 

switch to the shortcut that launches the inventory scanner on clients. 

To edit the core's LDAPPL3 file 


2. Click Inventory > Files, then click To Be Scanned to view the list of 

executables that the scanner currently detects on clients, or click To Be 

Excluded to view the list of executables that the scanner currently ignores on 

clients. These are the two LDAPPL.INI categories that are populated by 

default when you set up Management Suite. 

3. In the right pane, scroll down to locate the files that you're interested in 

moving to another Inventory > Files category. Or use the Find box to search 

for a file by entering a full or partial filename with the wildcard asterisk (*) 

and clicking the Search toolbar button. The correct executable should appear 

at the top of the list. You can edit LDAPPL3 by using an executable's shortcut 

menu to select a new category. 


changes available to clients the next time they run an inventory scan if the /i 

scanner command line parameter is used on clients. 

Adding files to LDAPPL3 

If you need to add new files to an LDAPPL3 category, you can do so by one of two 

methods. 

To add individual files 


2. Click Inventory > Files, then click the LDAPPL3 category the file should go 

into. See "About the Inventory tree" earlier in this chapter for descriptions of 

these categories. 

3. Click the New File toolbar button. 

4. In the File Properties dialog, enter the filename and properties, or browse for 

the file. By selecting the file via browsing, the fields will automatically 

populate with the filename and size. When adding files to the excluded or 

denied lists, enter the file name. 



247

USER'S GUIDE 

To add multiple files 

By running a Mode=ALL software scan, you can detect not only the client application 

files that are currently in LDAPPL3, but also all other executables that are unknown 

to LDAPPL3. The unknown files will populate the To Be Dispositioned category, where 

you can move them into other LDAPPL3 categories. 

To run a Mode=ALL software scan, you must edit the LDAPPL3.TEMPLATE file located 

in the C:\Program Files\LANDesk\ManagementSuite\LDLogon folder of your core 

server. For more information, see "Editing the LDAPPL3.TEMPLATE file" in Appendix 

A. 

About the File Properties dialog 

Use the File Properties dialog (click Inventory > Files > and the To Be scanned or 

To Be Dispositioned category, then click the New File toolbar button) to add files to 

an LDAPPL3 category. 

• Browse button: Use this button to directly select a file. Selecting a file this 

way fills in the Filename and Size fields for you. 

• Filename: Browse for or enter a filename. 

• Size (in bytes): Enter the file's size in bytes. Don't use commas or other 

separators between the digits. 

• Product Name: Enter the product name the file belongs to. 

• Vendor: Enter the vendor name for the product that uses the file. 

• Version: Enter a version name for the file. 

• Action or state: Select what you want done with the file: 

• To be Scanned: Add the file to this category to have the inventory 

scanner look for it on clients. 

• To be Dispositioned: Add the file to this category if you want to 

decide later what you want to do with the file. 

• Scan Method: Since you're editing LDAPPL3 file properties, you can't change 

the scan method. 

248


Exporting and importing Software License 

Monitoring window data 

You can import and export data appearing in the Software License Monitoring 

window to and from other Management Suite 7 and 8 core servers you may have on 

your network. This feature is useful if you need to ensure that core databases are 

synchronized on all of your Management Suite 8 core servers. 

You can export the window's Alias, Compliance, and Inventory data to an .XML file 

for importing into the core database on another core server. 

You can import an .XML file from another console that you may have on your 

network. Imported .XML files that contain updates to existing data in the core 

database will overwrite that data. New data will be appended to the existing data 

To export LDAPPL3 data to an .XML file 


2. Click the Export toolbar button and save the .XML file to a location where you 

can easily import it into another core server's core database. 

To import an .XML file containing LDAPPL3 data 


2. Click the Import toolbar button and select an LDAPPL3 file or an .XML file 

that has the data you want to import into the core database on this core 

server. 




Importing an old LDAPPL.INI into the Software License 

Monitoring window 

The software description file in Management Suite 6.62 and older versions was 

named LDAPPL.INI. If you have a legacy LDAPPL.INI file containing software 

descriptions in the [Applications] and [Ignore] sections that you want to import into 

the Software License Monitoring window, you can, but the process is somewhat time 

consuming. 

You must first edit the software descriptions in the [Applications] section that you 

want to import into the newer LDAPPL3. You can also import software descriptions 

from the [Ignore] section, which you don't have to edit before importing. Though the 

old LDAPPL.INI contained both software and hardware descriptions among other 

data, only the software descriptions from these two sections are imported into the 

Software License Monitoring window. 

249

USER'S GUIDE 

Importing customized hardware information 

If you also have customized hardware information in the old LDAPPL.INI that you 

want to import (such as BIOS information), you must add that data to the 

LDAPPL3.TEMPLATE file directly. For more information, see "Editing the 

LDAPPL3.TEMPLATE file" in Appendix A. 

There are two things you must edit in the old LDAPPL.INI to make the information 

compatible for importing into the newer LDAPPL3: 

• In the [LANDesk Inventory] section—Update the Version and Revision lines 

• In the [Applications] section—Use a comma to separate the vendor/product 

field for each application into two fields, one for vendor, one for product. For 

example: 

In the old LDAPPL.INI, if a line reads: 

, EXCEL.EXE, 9165128, Microsoft Excel, 3.0a 

You must change the line (by separating Microsoft (vendor) and Excel 

(product) with a comma) to read: 

, EXCEL.EXE, 9165128, Microsoft, Excel, 3.0a 

IMPORTANT! 

When importing software descriptions from an old LDAPPL.INI into the Software 

License Monitoring window, you must modify the data exactly as described. Make 

sure you back up your database before starting the following procedure. The 

better way to import software descriptions is to add the files individually to the 

categories under the Inventory > Files tree. For more information, see the procedure 

in the "Adding files to LDAPPL3" earlier in this chapter. 

250


To import an old LDAPPL.INI into the Software License Monitoring window 

Before starting this procedure, make a backup of your original LDAPPL.INI file. 

1. Open your LDAPPL.INI in Notepad or another text editor. 

2. In the [LANDesk Inventory] section of the file, search for the Version and 

Revision lines. 

3. Change the Version line to read 3.0 and the Revision line to read 1.00 

4. In the [Applications] section of the file, edit the software descriptions that you 

want to import. Use the example shown above to ensure that you correctly 

edit the software description fields. 

5. Delete all software descriptions from the [Applications] and [Ignore] sections 

that you don't want to import. 

6. Save and exit out of the file. 


8. In the Software License Monitoring window, click the Import toolbar button. 

9. In the Files of type box, click LDAPPL3 Files, then browse to the location of 

your saved .INI file. 

10. Select the file, then click Open to import the edited software descriptions into 

the Software License Monitoring window. Verify that the software descriptions 

imported into these categories under the Inventory > Files tree: 

• From the [Applications] section to the To Be Scanned category 

• From the [Ignore] section to the To Be Excluded category 

11. Click the Make Available to Clients toolbar button to make the most recent 


251

USER'S GUIDE 

Using Software License Monitoring with 

Macintosh clients 

Macintosh clients (Mac OS X only) support Software License Monitoring also. The 

Macintosh software monitoring agent sends information on applications clients run to 

the core server with each inventory scan. The Software License Monitoring window 

shows Macintosh applications along with Windows applications. You can deny 

Macintosh application execution the same by adding Macintosh applications to the To 

Be Denied list. 

Macintosh applications don't come prebundled in the LDAPPLl3.INI file. You will have 

to set the LDAPPL3 file mode to "all" or "unlisted" first so that Macintosh applications 

are in the database to be dispositioned. When you think that all of the Macintosh 

applications are there, you can then set the mode back to "listed." 

Macintosh clients can use the Management Suite Preferences pane's Software 

License Monitoring tab to show what applications are installed and how often they 

have been used. This tab also shows blocked applications that won't launch on the 

client. 

About the File Properties dialog 

Use the File Properties dialog (in the Inventory tree, right-click a file and click 

Properties) to view or modify properties for a file in the core's LDAPPL3 file. You 

can browse for new files to add to LDAPPL3, or modify existing file information. 

• Filename: Shows the name of the file. 

• Size (in bytes): Shows the size of the file. 

• Product name: Shows the name of the application this file executes. 

• Vendor: Shows the manufacturer or vendor of the application. 

• Version: Shows the version number of the file. 

• Action or state: Shows the inventory category you want this file in. 

• Scan method: Shows the method the scanner will use to discover this file: 

• Use LDAPPL3: Uses the filename, size, application, and version 

information available from the software description file, LDAPPL3. This 

is the default scan method. 

• Use info from file header: Uses the file description and version from 

the executable file header. 

• Use product name from file header: Uses the product name and 

version from the executable file header. 

252

Chapter 9: Deploying OS images and 

migrating profiles 

LANDesk Management Suite's OS deployment and profile migration features add 

automated remote image deployment and client profile migration capabilities to your 

network. OS deployment and profile migration streamline new client provisioning and 

existing client migration, without requiring additional end-user or IT interaction once 

the process starts. 

You can schedule deployments and migrations to occur after hours, and by using 

LANDesk's Targeted Multicasting technology to distribute images, you won't saturate 

network bandwidth by deploying the same image to multiple clients. 

Note: For information on installing the OS deployment and profile migration 

component on your core server, and configuring your OS deployment and profile 

migration environment, refer to the Installation and Deployment Guide. 


OS deployment 

• OS deployment overview 

• OS image guidelines 

• Customizing images with Sysprep and Setup Manager 

• Agent-based deployment 

• Creating imaging scripts with the OS Deployment/Migration Tasks wizard 

• Modifying scripts 

• Multicasting OS images 

• Viewing image status reports 

• PXE-based deployment 

• Using PXE representatives 

• Booting clients with PXE 

• Configuring the PXE boot prompt 

• Using LANDesk managed boot 

• Using the PXE DOS menu 

• Using the PXE holding queue 

Profile migration 

• Profile migration overview 

• Profile content 

• Creating collections 

• Migrating user accounts 

• Migrating application settings, templates and associated files 

• Migrating Desktop (PC) settings 

• Migrating files and folders 

• Creating file rules 

• Creating migration scripts with the OS Deployment/Migration Tasks wizard 

• Creating user-initiated profile migration packages 

• Running user-initiated profile migration packages 

253

USER'S GUIDE 

OS deployment overview 

The LANDesk OS deployment (OSD) feature provides two methods of deploying OS 

images to clients on your network: 

• Agent-based deployment: Uses the client's existing Windows OS and 

installed LANDesk agents to deploy images. For more information, see 

"Agent-based deployment" later in this chapter. 

• PXE-based deployment: Allows you to image clients with empty hard drives 

or unusable OSes. Lightweight .NET PXE representatives eliminate the need 

for a dedicated PXE server on each subnet. For more information, see "PXEbased 

deployment" later in this chapter. 

If you use Microsoft's Sysprep utility to create your images, OS deployment creates 

customized SYSPREP.INF files and injects them into each client's image on a per 

client basis, customizing Windows computer names, domain information, and so on 

from the core database. 

OS deployment includes a built-in imaging tool you can use to create images. OS 

deployment also supports third-party imaging tools that you may already be using, 

such as Symantec Ghost* and PowerQuest DeployCenter*. 

WARNING: OS deployment (imaging) should be used with caution. 

Operating system deployment includes wiping all existing data from a 

client's hard drive and installing a new operating system. There is a 

substantial risk of losing critical data if the OS deployment is not performed 

exactly as described in this document, or if poorly implemented images are 

used. Before performing any OS deployment, we recommend that you back 

up all data in such a manner that any lost data may be restored. 

254

CHAPTER 9: DEPLOYING OS IMAGES AND MIGRATING PROFILES 

OS deployment steps 

When planning and implementing an OS deployment operation, follow this sequence 

of steps: 

1. (Optional) Run the Microsoft Setup Manager and Sysprep utilities on the client 

whose image you want to capture. 

2. Create an image capture script with the OS Deployment/Migration Tasks 

wizard. 

3. Schedule a task with Management Suite's Scheduled Tasks tool that runs the 

capture image script on the client whose image you want to capture. (Watch 

the Custom Job Status window updates for success or failure.) 

4. Create an image deployment script with the OS Deployment/Migration Tasks 

wizard. 

5. Schedule a task with the Scheduled Tasks tool that runs the deploy image 

script on target clients where you want the image deployed. 

6. Target clients running Windows OSes and LANDesk agents will begin the 

image deployment job when scheduled (agent-based deployment). 

7. Target clients that are PXE-enabled will begin the image deployment job the 

next time they boot (PXE-based deployment). 

Read the relevant sections below for detailed information about each of these steps. 

255

USER'S GUIDE 

OS image guidelines 

You can create OS images with the LANDesk imaging tool or other imaging tools. 

When you run the OS Deployment/Migration Tasks wizard to create an imaging 

script, you are prompted to specify the image type and imaging tool. The wizard 

automatically generates command lines for the LANDesk imaging tool, Symantec 

Ghost 7.5, and PowerQuest DeployCenter 5.01.1. 

Note: When you install the OS deployment and profile migration component, files for 

the LANDesk imaging tool are automatically installed on your core server. If you 

want to run the LANDesk imaging tool from a different location, you need to copy the 

following four files: IMAGEALL.EXE, IMAGE.EXE, RESTALL.BAT, and BACKALL.BAT. 

If you have a different imaging tool, you can supply the command line for it at the 

end of the wizard. If you specify a custom command line, the wizard will put your 

custom line in the right location in the script so that you don't have to edit the script 

manually. 

Image filenames 

You should give your images unique filenames. Deploying different images with the 

same filename simultaneously on the same subnet can cause problems. Depending 

on how an imaging utility names image files, (multi-file Ghost images, for example), 

you may only have five unique characters in your filename once it is converted to a 

DOS 8.3 name format. 

OS deployment creates image names using the first eight characters of the Windows 

computer name on which the image was created. If your image spans multiple image 

files, the imaging tool may only use the first five characters. When capturing images 

from multiple clients, you have two ways of ensuring that your images have unique 

names: 

• Image one client at a time, renaming each image as it's created. 

• Before running the job, ensure that the first eight characters (or five 

characters with multi-file images) of your image Windows computer names 

are unique. 

Image file specifications and requirements 

Regardless of the imaging tool you use, the compressed image size cannot exceed 2 

GB because of DOS and disk imaging tool limitations. 

OS deployment supports NTFS, FAT, and FAT32 file systems. 

256


LANDesk agents and images 

You should not include the LANDesk agents in your images. If you use a Sysprep 

image, OS deployment will install the LANDesk agents after the image is restored. 

If your non-Sysprep images include LANDesk agents, you will need to delete the 

LDISCAN.CFG file from the root of the hard drive before imaging. You will also need 

to delete the key named "Unique ID" under HKLM/Software/Intel/LANDesk/Common 

API. If you leave these in the image, all clients using the image will have the same 

core database entry. Alternatively, if you have non-Sysprep images that already 

have LANDesk agents on them, you can enable the Reject duplicate identities 

option on the Duplicate Device ID dialog (Configure | Services | Inventory | 

Duplicate ID). 

Partitions and images 

By default, when OS deployment restores an image on a target client, it deletes any 

preexisting partitions on that client. 

The LANDesk imaging tool supports single-partition and multiple partition images (up 

to four partitions). 

Non-Windows images 

You can use OS deployment to deploy almost any image your imaging tool supports, 

not just Windows-based images. When deploying non-Windows or non-Sysprep 

images, make sure you do not select the Image is Sysprepped option on the 

Configure imaging task page of the OS Deployment/Migration Tasks wizard. 

257

USER'S GUIDE 

Customizing images with Setup Manager and 

Sysprep 

You can use Microsoft's Setup Manager and Sysprep utilities when deploying 

Windows 2000 and Windows XP images. Sysprep customizes a Windows installation 

so that when the OS reboots, it looks for an answer file (SYSPREP.INF) and 

reconfigures itself for the new client. Setup Manager creates the SYSPREP.INF 

answer file that Sysprep uses. 

Before creating OS deployment scripts, you should run Microsoft's Setup Manager 

(SETUPMGR.EXE) and create a SYSPREP.INF answer file for the images you're 

deploying. You can then use this file as the basis for any OS deployment scripts you 

create by selecting the Use existing SYSPREP.INF file as a template option on 

the Specify Sysprep file information page of the wizard. Any OS deployment 

script settings you make in the wizard override the equivalent options in the 

template SYSPREP.INF file. 

Using Sysprep on your Windows 2000/XP images allows OS deployment to query the 

core database for each client you're deploying and to migrate certain user settings, 

such as: 

• Windows computer name 

• Management Suite GUID (the unique identifier Management Suite uses to 

identify clients in the core database) 

You can also set these options globally for images you deploy: 

• Time zone 

• Volume license key 

• Registered name and organization 

• Workgroup/Domain/LDAP Organizational Unit (OU) 

OS deployment uses information from the core database and from the image 

deployment script to create a custom SYSPREP.INF for each client you're imaging. 

OS deployment then injects that SYSPREP.INF into each client's image. 

258


Creating a Sysprep image 

To create an image that uses Sysprep 

1. On the client whose image you want to capture, make configuration or 

customization changes to prepare it for imaging. 

2. At the root of the client's hard drive, make a c:\sysprep folder. 

3. From a Windows 2000 or Windows XP installation CD, open 

\Support\Tools\DEPLOY.CAB and copy SYSPREP.EXE and SETUPCL.EXE to 

the sysprep folder you created. 

4. Open a DOS command prompt and change to the sysprep folder. Run 

Sysprep. If you don't use the reboot option, you'll need to shut down the 

client from the Start menu once a message appears requesting that you shut 

down. 

5. Boot to DOS and run your imaging tool manually. 

For more information on Setup Manager and Sysprep 

Refer to Microsoft's Web site for official documentation about the Setup Manager and 

Sysprep utilities. Sysprep has many powerful features you can use that are beyond 

the scope of this document. 

259

USER'S GUIDE 

Agent-based deployment 

You can use the agent-based deployment method to deploy OS images to clients 

running Windows 98, Windows 2000, or Windows XP. 

For information on the other method of image deployment, see "PXE-based 

deployment" later in this chapter. 

Prerequisites 

If you're not using PXE to deploy images, clients must meet the following criteria: 

• Be in the core database if you have multiprocessor images. 

• Have the CBA, Enhanced Software Distribution, and Inventory agents loaded. 

OS deployment uses the Enhanced Software Distribution agent to distribute 

images. If you'll be multicasting images, you also need to have the Targeted 

Multicasting agent loaded. 

What happens during an agent-based deployment 

1. Management Suite connects to the client and runs any preconfiguration 

commands you specified in the image deployment script. 

2. OS deployment uses the Enhanced Software Distribution agent to distribute a 

virtual boot partition file to the client and modifies the boot sector to boot 

from this file, then reboots the client. 

3. The client boots to DOS, detects and loads a network driver, then retrieves 

and installs the image file from the image server. 

For non-Sysprep images, the client reboots after the imaging completes. OS 

deployment considers the job complete after this reboot. 

For Sysprep images, agent-based deployment continues in this manner: 

4. Before rebooting and loading the image, the DOS agent replaces SYSPREP.INF 

with a customized file for that client. 

5. The imaged client boots and customizes itself based on what is in the 

SYSPREP.INF file. 

6. Any post-image commands you specified in the image deployment script are 

run from the RunOnce registry key. 

7. OS deployment runs WSCFG32.EXE using your default client configuration to 

reinstall the LANDesk agents. 

260


Creating imaging scripts with the OS 

Deployment/Migration Tasks wizard 

Management Suite's OS deployment provides the OS Deployment/Migration Tasks 

wizard that lets you create both imaging (image capture and image deploy) scripts 

and profile migration scripts. All LANDesk Management Suite scripts are managed 

with the Manage Scripts tool (Tools | Manage Scripts). 

For page-by-page descriptions of the wizard's interface, refer to the "Help for the OS 

Deployment/Migration Tasks wizard" section in Appendix B. 

With the wizard you can create scripts that perform the following tasks: 

• Capture image: Creates a script that captures and stores an OS image from 

a client. Images can be captured using the built-in LANDesk imaging tool that 

installs with Management Suite, or a third-party tool such as Ghost, 

PowerQuest, or another tool of your choice. 

• Capture profile: Creates a script that captures and stores a client's unique 

user settings, application and desktop settings, and files. You can also use 

this option to access the Collection Manager dialog to create a user-initiated 

profile migration package that can be run locally at individual clients. 

• Deploy image: Creates a script that deploys a previously captured OS image 

to target clients. 

• Deploy image (with profile capture and restore): Creates a script that 

performs a comprehensive deployment and migration job (capturing profile 

data, deploying an OS image, and then restoring the profile). 

• Restore profile: Creates a script that restores previously captured profile 

data (user settings, application and desktop settings, and files) to target 

clients. 

• Generic DOS tasks: Creates a script that runs DOS commands (including 

application launches) on clients. 

Once you have created a script, you can schedule it to run on clients by using the 

Scheduled Tasks tool. 

Creating user-initiated profile migration packages 

From the OS Deployment/Migration Tasks wizard, you can also access the Collection 

Manager dialog that lets you create a user-initiated profile migration package (a selfextracting 

executable file) that can be distributed and run on clients for user-initiated 

profile migration. For more information, see "Creating user-initiated profile migration 

packages" later in this chapter. 

If you are deploying an image to PXE-enabled clients, you can add image 

deployment scripts to the PXE DOS boot menu. This menu is DOS-based and appears 

on the client during a PXE boot. For more information, see "Using the PXE DOS 

menu" later in this chapter. 

261

USER'S GUIDE 

To run the OS Deployment/Migration Tasks wizard 


2. In the Manage Scripts window, right-click All OSD/Profile Migration 

Scripts and then click New OSD/Profile Migration Script in the shortcut 

menu to open the wizard. Or, in the Manage Scripts window, click the New 

OSD/Profile Migration Script toolbar button. 

3. Select the type of script you want to create. For online help about options on 

any page of the wizard, click Help. 

4. Advance through the wizard until you reach the last page. Click Finish to 

save the script and exit the wizard. Once complete, the script appears in the 

All OSD/Profile Migration Scripts group in the Manage Scripts window. 

Administrators (users with the LANDesk Administrator right) can copy scripts to 

users' subgroups in the Users Scripts group. 

Additional notes on scripts 

• Script names need to follow Windows file naming conventions. The wizard 

uses the script name you enter as the filename. If you use characters that 

aren't allowed in Windows filenames, you'll get an error about using invalid 

characters. 

• All scripts are stored on the core server, in the \\\LDMain\Scripts 

directory. If you have multiple Management Suite consoles, the scripts will 

appear in the Manage Scripts window of each console. 

• The wizard restores the settings on each page from the last script you 

created. If you change the script type from an imaging task to a profile 

migration task or a DOS task, the wizard clears the remembered settings. 

About Generic DOS tasks scripts 

• DOS scripts reboot the selected target clients and run the commands you've 

specified. These remote commands are sent one line at a time. 

• DOS scripts run from the virtual boot partition and go through the same 

network detection process as normal OS distributions do. 

• The "Abort this job if any command fails" option stops execution if one of the 

commands returns a non-zero DOS errorlevel code. You can view DOS task 

status in the Custom Job window or with a report. 

• For more information about script commands, see the Using Custom Scripts 

whitepaper at http://support.landesk.com. 

262


Modifying scripts 

You can modify your scripts at any time, either by reopening the wizard and making 

changes, or by modifying the script directly in its .INI file and modifying any existing 

Sysprep settings in its associated .INF file. 

Note: With DOS scripts, the only changes you should make are between the 

REMPINGx=DOS and REMEXECx=reboot.com lines. The other lines in the script 

manage the virtual boot partition files and boot process. 

To modify a script via the wizard 


2. Right-click the script and click Edit in the shortcut menu (or double-click the 

script). 

3. Advance through the wizard, making your changes. 

To modify a script via an .INI file 


2. Right-click the script and click Advanced edit. The script's .INI file opens in 

Notepad. If this script has Sysprep settings associated with it, the 

SYSPREP.INF file also opens in Notepad. 

3. Make your changes 

4. Save the file(s). 

Where .INI and .INF files are saved 

.INI files are saved to the \\\LDMain\Scripts directory. .INF files are saved to 

the \\\LDMain\LANDesk\Files directory. 

263

USER'S GUIDE 

Multicasting OS images 

This section discusses deploying images using LANDesk's Targeted Multicasting 

technology. Targeted Multicasting is slower than a single distribution. Multicasting 

throttles bandwidth and stages the image on the target client's hard drive. However, 

multicasting to four or more clients will usually save enough bandwidth to make this 

worth it. 

Targeted Multicasting supports only single-partition images, not multiple-partition 

images. Also, when using Targeted Multicasting with OS deployment, images can 

span up to 10 files. 

When multicasting images, the image file is cached on the client before being 

restored. Your hard drive must have enough space for the image file and the 

restored files. 

Before using Targeted Multicasting with OS deployment, make sure the Targeted 

Multicasting components are in place on the subnet to which you are 

distributing/deploying image files. Targeted Multicasting requires Management Suite 

6.62 or higher agents on clients, and a LANDesk Management Suite 6.62 or higher 

multicast domain representative on the subnet. 

If you try to multicast to a subnet that does not have a Multicast Domain 

Representative, the deployment will start but it will not be able to finish, and you will 

have to create an OSD boot floppy. For more information, see "Creating an OSD boot 

floppy" in Appendix B. 

If your routers forward UDP-directed broadcasts, and there will be Windows clients 

that can act as multicast domain representatives on the subnet you're deploying the 

image to, you should be fine using Targeted Multicasting without designating 

multicast domain representatives. If your routers don't forward UDP-directed 

broadcasts, you must manually select your multicast domain representatives for 

each subnet, making sure the representatives you choose aren't among the clients 

you're deploying images to. 

You can manually specify which clients will be multicast domain representatives by 

adding clients to the Configuration > Multicast Domain Representatives group 

in the console. 

Make sure you don't image any multicast domain representatives in a subnet, 

because the imaging will fail and leave the clients in an unusable state. 

You can throttle multicasts by changing the Minimum number of milliseconds 

between packet transmissions option in the Configure advanced Multicast 

options page of the OS Deployment/Migration Tasks wizard. 

WARNING: If your Multicasting environment isn't configured correctly and 

the Targeted Multicasting fails, all target clients may be unbootable unless 

you follow the directions above. 

264


Viewing image status reports 

The client being imaged sends status updates to the core server. You can track 

status in the Custom Job window or with a report. As OS deployment sends imaging 

commands to clients, the commands appear in the Custom Job window. Clients being 

imaged send status updates for each script command that is sent. If image 

deployment fails for some reason, you can see the command that failed. 

Common reasons why imaging fails include: 

• Partition corruption 

• Problems the imaging tool can't handle 

• Network adapter auto-detection can't find a network adapter 

• Undetectable network adapter you specified doesn't work. (If the network 

adapter driver you specify fails to load, that client will be stuck at the DOS 

prompt. You'll have to manually reboot it.) 

OS deployment creates a status report for each job, showing if it failed or succeeded 

on targeted clients. 

To view a status report 

1. Click Tools | Reports | All LDMS Reports. 

2. Select the OS Deployment Success Rate report. 

3. From the list of log files, select the file for the job you're interested in 

viewing. 

4. Click Run. 

At the top of each report will be any jobs that failed on individual clients. Reports 

also show the details of each job, such as: 

• Machine Name: For clients already scanned into the core database, this 

name will be the device name assigned to the client. For PXE-booted clients 

that haven't been inventory scanned, the machine name will be a MAC 

address. You can use a .CSV file to import MAC addresses into the core 

database. For more information, see "Using CSVIMPORT.EXE to import 

inventory data" in Appendix B. 

• Status: Job status, either failed or OK. 

• Duration: The amount of time each command took to complete. 

• Commands: Each command that ran as part of the script. If a job failed, this 

column shows which command caused the failure. 

265

USER'S GUIDE 

PXE-based deployment 

OS deployment supports PXE booting and image deployment. PXE-based deployment 

provides another method (in addition to agent-based deployment) of automated 

remote imaging of clients on your network. With PXE support, you can boot both new 

and existing PXE-enabled clients and either execute an OS deployment script at the 

client from a custom PXE DOS boot menu, or scan clients into your core database 

and then schedule an image deployment job with the Scheduled Tasks tool. 

PXE-based deployment is a quick and easy way to image clients in a variety of 

situations. For example: 

• Initial provisioning of new clients 

• Imaging clients in a test or training lab 

• Re-imaging corrupted clients 

Management Suite offers several options for using PXE to deploy OS images. For 

more information, see "Understanding the PXE boot options" later in this chapter. 

PXE protocol basics 

PXE (Preboot Execution Environment) is an industry-standard networking protocol 

that enables clients to be booted and imaged from the network, by downloading and 

installing an executable image file from an image server, before the client boots from 

the local hard drive. On a PXE-enabled client, the PXE protocol is loaded from either 

the network adapter's flash memory or ROM, or from the system BIOS. 

PXE uses the following communication standards: DHCP (Dynamic Host Configuration 

Protocol), TFTP (Trivial File Transfer Protocol), and MTFTP (Multicast Trivial File 

Transfer Protocol). 

When a PXE-enabled client boots up, it sends out a DHCP discovery request. If a 

DHCP server implementing PXE is found, the server assigns an IP address to the 

client and sends information about available PXE boot servers. After completing the 

DHCP discovery process, the client contacts the PXE server and downloads an image 

file through TFTP. The imaging script is then executed, loading the OS image from 

the imaging server onto the client. With Management Suite, the image file is 

referenced by an OS deployment script. 

If you want to learn more about PXE and its underlying technologies and 

functionality, read the PXE Specification v2.1 located at 

http://www.intel.com/labs/manage/wfm/wfmspecs.htm. 

266


Using PXE representatives 

PXE support software is installed on your core server as part of the normal OSD 

installation. However, to enable PXE support, you must first deploy a PXE 

representative on each subnet of your network where you want PXE support 

available. PXE representatives provide scalability on your network by deploying OS 

images to clients in their respective subnets. 

Clients on each subnet use normal PXE query and file transfer methods to 

communicate with their resident PXE representative, which communicates with the 

core server using Web services (HTTP). 

Disable other PXE servers 

If there is any other PXE server currently running on your network, you must first 

disable it in order to use LANDesk PXE support. 

Deploying PXE representatives 

You need to deploy at least one PXE representative on your network, and at least 

one additional PXE representative on each subnet where you want to provide PXE 

boot support. You set up a PXE representative by running the PXE Representative 

Deployment script on the selected client. This predefined script is available in the 

Schedule Script dialog (Tools | Scheduled Tasks | click the Schedule Script 

toolbar button). 

You can have multiple PXE representatives on a subnet to help with load-balancing. 

When this is the case, the first PXE representative to respond to a client's request is 

the one that will be used to communicate with the core server. 

Note: We recommend that you do not deploy a PXE representative on your core 

server. 

There are no special hardware requirements for the client you select to be a PXE 

representative, but it must meet the following software requirements: 

• Operating system: Windows NT 4, Windows 2000, or Windows XP. 

For Windows NT and 2000, ensure that the Microsoft MSI service is running 

(XP includes MSI by default). If you have installed the latest service pack for 

either OS, MSI service should be running. Otherwise, you can deploy it to the 

target PXE representative from the Management Suite console by following 

these steps: Click Tools | Scheduled Tasks, click the Schedule Script 

toolbar button, select the MSI Service Deployment task, click OK, drag the 

target client(s) to the window, and click the Set Start Time button to 

schedule the MSI service deployment. 

• Installed LANDesk agents: Enhanced Software Distribution agent and 

Inventory Scanner agent. For information about installing agents, see the 


267

USER'S GUIDE 

To deploy a PXE representative 

1. Click Tools | Scheduled Tasks, then click the Schedule Script toolbar 

button. 

2. Select the PXE Representative Deployment script from the list, then click 

OK. 

3. In the console's network view, select the target clients on which you want to 

install the PXE representative. 

4. Drag and drop the selected clients to the Machine list in the Scheduled Tasks 

window. 

5. Click the Set Start Time toolbar button to run the script now, or schedule it 

to run at a later time. 

Updating PXE representatives 

If you modify the PXE boot option settings (on the Configure | Services | OS 

Deployment tab), you need to update all of your PXE representatives by re-running 

the PXE Representative Deployment script to propagate those changes to PXE 

representatives on each subnet. However, re-running the script is not necessary if 

you simply move PXE proxies from the Available proxies list to the Holding queue 

proxies list. For more information about the PXE holding queue, see "Using the PXE 

holding queue" later in this chapter. 

To update or remove a PXE representative 


button. 

2. To update a PXE representative, select the PXE Representative 

Deployment script from the list, then click OK. 

3. Or, to remove a PXE representative, select the PXE Representative 

Removal script, then click OK. 

4. Drag the target clients to the Scheduled Tasks window and schedule a time 

for the task to execute. 

268


Booting clients with PXE 

When a PXE-enabled client boots, the following occurs: 

1. The PXE-enabled client sends out a query for PXE services running on a PXE 

representative on the network. 

2. If a PXE representative exists on the subnet, it responds and tells the client to 

continue to boot using PXE. 

3. A PXE boot session is initiated on the client and the PXE boot prompt displays. 

The default prompt message displays for four seconds and says "Press F8 to 

view menu." (You can modify these PXE boot prompt settings on the 

Configure | Management Suite Services | OS Deployment tab.) 

4. If the F8 key is pressed before the countdown expires, a preliminary PXE boot 

menu appears, allowing you to choose from the following boot options: 

• Local boot: The client boots to the local hard drive. If no OS is 

present, an error message appears. 

• LANDesk managed boot: The client is added to the console's 

network view (displays the client's MAC address), where you can 

schedule an OS deployment script to run on it. 

• LANDesk boot menu: The client displays the boot menu you created 

with the PXE Boot Menu tool, and you can select an OS deployment 

script to run on it. For more information, see "Using the PXE Boot 

Menu" later in this chapter. 

5. If you don't press the F8 key before the countdown expires, the client will use 

the default boot option. The default boot option is determined by the following 

conditions: 

• If the client detects a scheduled imaging job for itself in the core 

database (either a failed or pending job), the default boot option 

becomes LANDesk managed boot. 

• If the client does not detect an image job for itself, the default boot 

option becomes Local boot. 

• The PXE DOS menu will never become the default boot option. 

6. The scheduled OS deployment script runs on the client. 

269

USER'S GUIDE 

Understanding the PXE boot options 

This section provides information on configuring the PXE boot prompt, and how to 

use the following PXE boot options: 

• LANDesk managed boot 

• PXE Boot menu 

• PXE holding queue 

Configuring the PXE boot prompt 

You can control how the PXE boot prompt behaves when clients attempt to PXE boot. 

When a PXE-enabled client boots up, a DHCP request attempts to initiate a PXE 

session by looking for a server (or proxy) running PXE services software (PXE and 

MTFTP services). If the client discovers a PXE server, the PXE boot prompt displays 

on the client for a specified number of seconds. By pressing the F8 function key 

during this countdown, you access the PXE boot menu and can select an OS image to 

deploy on the client. 

Note: If you have PXE representatives running on subnets of your network, and you 

want to implement PXE boot prompt changes to any of those proxies, you must run 

the PXE Representative Deployment script on the proxy. 

To configure PXE boot prompt options 

1. Click Configure | Management Suite Services, then click the OS 

Deployment tab. 

2. Enter a value (in seconds) in the Timeout option. The default value is 4 

seconds. The maximum number of seconds you can enter is 60 seconds. 

3. Type a message in the Message text box. The default message is “Press F8 to 

view menu.” The maximum number of characters you can type is 75 

characters. 

4. Click Apply to save your changes, or click OK to save your changes and close 

the dialog. 

To implement PXE boot prompt changes to a PXE representative 


button. 

2. Select the PXE Representative Deployment script from the list, then click 

OK. 

3. Drag and drop the PXE representative from the network view into the Machine 

list. 

4. Select the PXE Representative Deployment script. 

5. Click the Set Start Time toolbar button (or right-click the task and select Set 

Start Time) to either immediately run the script or schedule the script to run 

at a later time. This script updates the PXE boot option settings on the target 

PXE representatives. 

270


Using LANDesk managed boot 

LANDesk managed boot is the default boot option when a PXE-enabled client boots 

and detects a failed image deployment script or failed DOS task script for it in the 

core database. You can also select this boot option manually at the client when the 

boot option menu appears. 

Because it allows unattended deployment, LANDesk managed boot is useful for pretargeting 

clients for imaging. For example, you could pre-target new clients for a 

particular OS image even before they arrive by importing a .CSV file containing the 

clients' MAC addresses into the core database. For more information, see "Using 

CSVIMPORT.EXE to import inventory data" in Appendix B. 

To pre-target clients with the LANDesk managed boot option 

1. Before the PXE-enabled clients are connected to the network, add their 

identifications to the core database by importing a .CSV file. 

2. Schedule an image deployment job for the clients. 

3. The imaging job fails because the clients are not yet connected to the 

network. 

4. Connect the clients to your network and boot them. 

5. The clients detect a failed imaging job and default to the LANDesk managed 

boot option. 

6. The previous failed image deployment job automatically launches and images 

the target clients. 

Using the PXE Boot menu 

The PXE boot menu lets you interactively select an image deployment script for a 

client without having to schedule an image deployment job. This method might be 

useful when you have to re-image corrupted clients. Before using the PXE boot 

menu, you must first configure it by adding the OS deployment scripts you want to 

display in the menu. 

You build the PXE boot menu system by creating directories and placing preconfigured 

OS deployment scripts in those directories. The script's description 

appears as a menu item in the PXE boot menu on the client. 

271

USER'S GUIDE 

To configure the PXE boot menu 

1. Click Tools | PXE Boot Menu. 

2. To add a new directory or subdirectory to the menu system, click the New 

toolbar button (or right-click the parent directory and select New). 

Note: Subdirectories can extend four levels from the top directory. 

3. Type a name for the directory. For example, the directory name could 

describe the OS platform or version number of the images contained in that 

directory. You can also change the name of the directory at any time by 

clicking the Rename toolbar button (or right-clicking the directory and 

selecting Rename). 

4. Click Tools | Manage Scripts, then drag and drop image deployment scripts 

to the appropriate directory in the PXE Boot Menu window. 

Note: A maximum of 18 scripts can be placed in each directory. 

5. To save the PXE boot menu, click the Update toolbar button. (Note that you 

must click the Update button here in the console if you want changes to 

appear in the PXE boot menu on PXE clients when they boot.) 

To access the PXE boot menu from a client 

1. Boot a PXE-enabled client. 

2. When the PXE boot prompt displays, press the F8 key before the countdown 

expires. Select PXE DOS Menu. The menu system that you configured in the 

console's PXE Boot Menu window appears. 

3. To open a directory and view its subdirectories and images, type the number 

of the directory and press Enter. Navigate the menu system and find the 

image you want deployed on the client. You can press B to go back one level, 

or press X to exit the menu system. 

Note: If you exit the menu system without making a selection, the client will 

wait for a scheduled imaging job from Management Suite. 

4. To select an OS image (referenced in an OS deployment script), type the 

number of the script and press Enter. The script runs and the image is loaded 


272


Using the PXE holding queue 

The PXE holding queue is another method for remotely deploying OS images to PXEenabled 

clients. This method is especially useful in these situations: 

• In a controlled lab environment where you frequently need all clients reimaged 

with an identical image. 

• For imaging "bare-metal" clients in a lab that can then be moved into their 

appropriate production environment. 

By designating a subnet's PXE representative as a PXE holding queue, all the PXEenabled 

clients on that subnet will be automatically added to the PXE holding queue 

in the console's network view when they PXE boot. You can also add a client to a PXE 

holding queue by scheduling the PXE - Add to Holding Queue script on the client, or 

by copying the client directly into the PXE holding queue group in the network view. 

Clients can then be scheduled for an image deployment job. 

To configure a PXE holding queue 

1. Set up PXE representatives on your network. 

2. Click Configure | Management Suite Services, then click the OS 

Deployment tab. 

3. Select and move PXE representatives from the Available proxies list to the 

Holding queue proxies list. 

The Available proxies list shows all available PXE representatives on your 

network, identified by client name. This list is generated by running an 

inventory scan that detects PXE software (PXE and MTFTP protocols) running 

on the client. The inventory scan is run automatically whenever a PXE 

representative is initially set up. 

4. Click Reset. The Reset button forces all PXE-enabled clients on the same 

subnet as the selected PXE representative to re-enter the PXE holding queue 

in the console's network view. These clients can then be scheduled for an 

imaging job. 

Note: The Reset button is enabled when you select a PXE representative in 

the Holding queue proxies list. 

5. Click Apply, then OK to save your changes and close the dialog. 

The next time a client on that subnet boots, it will be added to the PXE holding 

queue object in the console's network view. 

273

USER'S GUIDE 

To deploy an image to a client in the PXE holding queue 


button. 

2. Select an OS deployment script from the list, then click OK. 

3. In the console's network view, open the PXE Holding Queue object, then 

select the target clients you want to deploy the image to. 

4. Drag and drop the selected clients to the Scheduled Tasks window. 

5. Click the Set Start Time toolbar button to run the script now, or schedule it 

to run at a later time. 

274


Profile migration overview 

Profile migration complements OS deployment by offering a complete deployment 

and migration solution. With profile migration, you can preserve all of your users' 

customized desktop and application settings and personal data files during an 

upgrade or migration project. Profile migration supports in-place migrations of 

individual clients as well as remote, large-scale migrations of multiple clients across 

your network. 

Profile migration can best be understood as a two-part process: 

1. Capturing a source client's unique profile, consisting of user accounts, 

desktop (PC) and application settings, and data files. 

2. Restoring the profile to a target client. 

For step-by-step descriptions of the profile capture and restore procedures, see 

"Creating migration scripts with the OS Deployment/Migration Tasks wizard" earlier 

in this chapter. 

For page-by-page descriptions of the wizard's interface, refer to the "Help for the OS 

Deployment/Migration Tasks wizard" section of Appendix B. 

Migration methods: scripted and user-initiated 

Using profile migration, you can create separate capture and restore scripts with the 

OS Deployment/Migration Tasks wizard. The script can then be scheduled to run 

remotely on one or multiple target clients on your network. 

Additionally, at the console, you can create self-extracting executable files (called 

user-initiated packages) that you, or the end user, can run directly from individual 

clients as a user-initiated profile migration. The user-initiated package launches a 

program called the LANDesk Profile Migration wizard. For more information, see 

"Creating user-initiated profile migration packages" later in this chapter. 

The purpose of these two migration methods is the same; however, there are some 

differences in functionality. For example, the in-place user-initiated method lets you 

select which user accounts to migrate, while the scheduled script method does not. 

The information below refers specifically to the script method. The OS Deployment/ 

Migration Tasks wizard includes its own online help that describes the functionality of 

that utility. When running the wizard, click Help on any of the wizard's pages for 

more information. 

Migration paths 

Profile migration supports migrating across Windows operating system versions as 

follows: 

• From Windows 95 and 98 SE ...to Windows 2000 SP3 or Windows XP 

• From Windows NT 4 ...to Windows 2000 SP3 or Windows XP 

• From Windows 2000 ...to Windows 2000 SP3 or Windows XP 

• From Windows XP ...to Windows XP 

• Windows Server 2003 is also supported (for both capture and restore) 

275

USER'S GUIDE 

Prerequisites 

To do a profile migration, clients must meet the following prerequisites: 

• Clients must be in the core database. 

• Clients must have the CBA, Enhanced Software Distribution, and Inventory 

agents loaded. Profile migration uses the Enhanced Software Distribution 

agent to distribute files. 

276


Profile content 

Profile migration allows you to migrate the following content: 

• User accounts 

• Application settings, templates, and associated files 

• Desktop (PC) settings 

• Files and folders 

User accounts are migrated by default. Settings and files are migrated according to a 

user-defined collection of rules (see Creating collections below for more information). 

You can create rules for applications, desktop settings, and files and folders. 

Creating collections 

Use the Collection of Rules dialog to create new collections and edit existing ones. A 

collection is a user-defined set of application, desktop, and file rules that determines 

the profile content to be migrated (captured or restored) by the migration script. 

To create a collection 

1. To access the Collection of Rules dialog, first click the Collection Manager 

button on the Manage Scripts window's toolbar, then select Collections and 

click New. Or, through the OS Deployment/Migration Tasks wizard, by 

clicking the Manage button on the Select a collection for this profile page of 

the wizard. 

2. Enter a unique name for the collection. 

3. (Optional) Enter a description that will help you remember the profile content 

captured/restored by this collection. 

4. Define the content you want to capture/restore with the collection by 

selecting rules in the Rules list. Use the plus-sign and minus-sign boxes to 

expand and collapse the tree structure to view all of the Applications, Desktop 

Settings, and File Rules. 

To select a rule, check the corresponding check box; You can select any 

combination of the rules available in the Rules tree listing when defining a 

collection. 

5. Click OK to save the collection and return to the Collection Manager dialog. 

Note: When you delete a collection, the collection is removed from the core server. 

Any migration script referencing that collection will not run properly. You should also 

delete the script. 

277

USER'S GUIDE 

Migrating user accounts 

In a scripted profile migration, all discovered local and domain user accounts on the 

source clients are captured by default (Important: Except for the All Users and 

Default User accounts). 

All captured user accounts will be restored to the target clients. A user account that 

does not already exist on the target client will be created as a new local user account 

and its settings migrated. Before restoring user accounts, you can enter a default 

password for these new local user accounts. If a duplicate user account does already 

exist on the target client, the captured (source) user account's settings will be 

migrated to the existing user account, but the user's current password is preserved 

and should be used to log in. 

Migrating application settings, templates, and associated files 

Applications' persistent settings, template files, and associated files can be migrated 

as part of a client's profile. Application programs themselves are not migrated during 

profile migration (however they can be part of an OS image deployment). Each 

application's migration is defined by an application rule that can be added to a 

collection of rules. 

Application rules are available for the following applications: 

• Microsoft Access 

• Supported versions: 95, 97, 2000, and XP 

• Migrated files: *.ade; *.adp;* .mad; *.maf; *.mag; *.mam; *.maq; 

*.mar; *.mas; *.mat; *.mav; *.maw; *.mda; *.mdb; *.mdbhtml; 

*.mde; *.mdt; *.mdz; *.mdw 

• Microsoft Excel 


• Migrated files: *.xls; *.csv; *.dqy; *.iqy; *.oqy; *.rqy; *.slk; *.xla; 

*.xlb; *.xlc; *.xld; *.xlk; *.xll; *.xlm; *.xls; *.xlshtml; *.xlv; *.xlw; 

*.dif; *.xlt; *.xlthtml 

• Microsoft Outlook 


• Migrated files: *.ics; *.msg; *.oft; *.pst; *.vcs; *.pab; *.rwz; *.oab; 

*.oft; *.srs 

• Microsoft PowerPoint 


• Migrated files: *.ppt; *.ppthtml; *.pps; *.ppa; *.pwz; *.ppz; *.pp1 

• Microsoft Word 


• Migrated files: *.doc; *.dochtml; *.gly; *.rtf; *.wbk; *.wiz 

• Microsoft Office Shared Components 


278


• Migrated files: autocorrect lists (*.acl), custom dictionaries (*.dic), 

common toolbars, and all template files for supported Office 

applications, including: *.dot; *.dothtml; *.htm; *.pot; *.pothtml; 

*.xlt; *.xlthtml; *.mdn; *.mdz; *.wizhtml 

• Microsoft Internet Explorer 

• Supported versions: 4.0, 5.0, 5.5, and 6.0 

• Migrated files: favorites (*.*), cookies (*.txt, *.dat), and ratings files 

(*.rat) 

New application support with Management Suite 8 

Application rules are now available for the following applications: 

• ACT! 

• Adobe Acrobat 

• Adobe Acrobat Reader 

• Adobe Illustrator 

• Adobe PageMaker 

• Adobe Photoshop 

• Lotus 1-2-3 

• Lotus Approach 

• Lotus FastSite 

• Lotus Freelance 

• Lotus Notes 

• Lotus Organizer 

• Lotus SmartCenter 

• Lotus Word Pro 

• MS ActiveSync 

• MS FrontPage 

• MS NetMeeting 

• MS Outlook Express 

• MS Visio 

• Netscape 

• Palm Desktop 

• WinZip 

• Yahoo Messenger 

Application migration considerations 

• Upgrade version migration is supported for Office 95 and 97 versions to Office 

2000 or XP. For Office 2000 and Office XP, you can migrate applications to 

the same version. 

• If an application is not installed on the target client, that application's settings 

and files will not be migrated, even if they were captured from the source 

client. 

• Note that template files for all of the listed Microsoft applications are migrated 

as part of the Microsoft Office Shared Components rule. If you want to 

migrate template files, you must select Shared Components. 

• To ensure a successful migration of all the most recent associated settings 

and files, close all applications before running a profile migration. 

279

USER'S GUIDE 

Additional application support 

To obtain the latest application rule files offered by LANDesk Software, go to the 

LANDesk support Web site at 

http://www.landesk.com/support/downloads/index.php. 

Migrating Desktop (PC) settings 

Many of the customized and optimized settings on your clients can also be migrated. 

Each setting's migration is defined by a desktop rule that can be added to a 

collection of rules. 

You can migrate the following desktop (PC) settings: 

• Desktop shortcuts, files, folders, and briefcases 

Note on briefcases: Remember to run Update All on a briefcase before 

migrating. Also, if your briefcase has links to files located in a "userspecific" 

directory that changes from one OS to another, and you migrate 

to a different OS, the files will be migrated but the links will be broken 

and need to be recreated. 

• My Documents folder 

• Mapped network drives 

Note on duplicate drive letters: If there is a drive letter already 

mapped on the target client, that mapped drive is preserved rather than 

replaced, and the source client's drive letter mapping is not migrated. 

• Printers (network) 

• Wallpaper 

• Screen resolution, color quality, and refresh rate 

Migrating files and folders 

By creating your own customized file rules, you can migrate individual or multiple 

files determined by directory location and filename. File rules offer powerful control 

and flexibility by letting you: 

• Create as many file rules as you want and add them to your collections. 

• Include and/or exclude files by wildcard naming in a single file rule. 

• Specify whether to include subdirectories. 

• Redirect files to a new destination on the target client. 

• Capture files from any fixed drive on the source client (including disk 

partitions), and successfully migrate the files even if the target client does not 

have the same partitioning. 

• Retain the captured file's directory structure. If a captured file's associated 

directory structure does not exist on the target client, the path will be created 

and the file restored to it. 

280


You can migrate files from a client's fixed drives, including disk partitions. Removable 

media, such as CD-ROM drives, and network shares are not supported. If the target 

client does not have a matching disk partition drive letter, a new directory named 

"Migrated_[drive letter]_Drive" is created at the root of the target client's C drive, 

and the files (along with their associated directory structure) are migrated to that 

new directory on the target client. 

To create a file rule 

Use the File Rules dialog to create new file rules or edit existing file rules. A file rule 

determines which files are migrated, based on the following criteria: drive and 

directory location; subdirectories; file naming including wildcard support, and 

destination location. 

1. In the Collection Manager dialog, click File rules and then click New to open 

the File Rules dialog. 

2. Enter a unique name for the file rule. 

3. (Optional) Enter a description that will help you remember this file rule. 

4. Specify all of the options on the dialog (for descriptions of the options, see 

"About the File Rule dialog.") 

5. Click OK to save the file rule and return to the Collection Manager dialog. 

When you delete a file rule, the rule is removed from the core server. Any collection 

that contained that rule provides a notice about this change the next time you open 

or edit the collection. 

Additional file migration considerations 

• Rules and collections: You can create as many file rules as you like. You 

then add file rules to collections that may or may not contain other file, 

application settings, and desktop settings rules. 

• File path (directory structure): The associated directory structure of a file 

is preserved by default. 

• Multiple controls in one file rule: You can have any combination of 

multiple file inclusion and/or file exclusion controls in the same file rule. 

• File replacement handling: The file captured from the source client 

replaces the existing file on the target client IF the captured file is newer than 

the Date Modified time stamp of the existing file. 

• File size limitation: Because profile data is stored in sequential Windows 

cabinet (.CAB) files, which have a size limitation of 2 GB, you cannot migrate 

a single file that is 2 GB or larger. A file of that size is probably not common 

on clients, but you should be aware of this limitation. 

281

USER'S GUIDE 

Creating migration scripts with the OS 

Deployment/Migration Tasks wizard 

The steps below outline the basic procedures for capturing and restoring a client's 

profile using the OS Deployment/Migration Tasks wizard. For more information about 

each of these steps, click the Help button located on each page of the script wizard. 

Note: For capturing and restoring a profile with a user-initiated migration package, 

see the online help included with the LANDesk Profile Migration wizard. 

To create a profile capture script 






3. Select Capture profile, and then click Next. 

4. Enter a name and description for the profile capture script, and then click 

Next. 

5. Select a pre-defined collection of rules (that determines the content of the 

profile), and then click Next. 

6. Enter a UNC path and authentication credentials for the location where you 

want to store the profile data. 

7. Click Finish to create the profile capture script and exit the wizard. 

Using the Scheduled Tasks tool, you can now schedule the script to run on one or 

more target clients on your network. 

Storing profile data for multiple clients (and multiple users) 

Profile data is stored in Windows cabinet files (.CAB) in a directory structure located 

under the specified UNC path. If you run a profile capture script on multiple clients, 

each client's profile data is stored in a separate directory named after its unique 

Windows computer name. Likewise, if multiple users are discovered and captured on 

the same source client, each user's profile data is stored in a separate subdirectory 

(of the client's directory) named after the user login name. In other words, every 

migrated client has its own profile storage directory and contains a subdirectory for 

every captured user account on that client. 

282


To create a profile restore script 






3. Select Restore profile, and then click Next. 

4. Enter a name and description for the profile restore script, and then click 

Next. 

5. Enter the UNC path and authentication credentials to the location of the 

profile data you want to restore, and enter a default password for migrated 

new local user accounts (if left empty, the password is automatically set to 

"password"). 

6. Click Finish to create the profile restore script and exit the wizard. 

Using Scheduled Tasks tool, you can now schedule the script to run on one or more 

target clients on your network. 

Note: Windows 2000 SP3 and Windows XP are the only supported target Windows 

OSes. 

Profile migration log file 

Profile migration (both the scripted and user-initiated method) creates a "rolling" log 

file named PROFILEMIGRATION.LOG, that is saved in the user-specified profile data 

storage directory. Relevant information, such as time, specific operation, and status, 

are appended to the existing log file for each subsequent capture and restore 

operation. When the log file reaches 64 KB in size, it is renamed 

PROFILEMIGRATION.OLD and a new .LOG file is created. You can view this log file in 

any text editor. 

283

USER'S GUIDE 

Creating user-initiated profile migration packages 

The User-Initiated Package dialog lets you create a self-extracting executable file 

that can be run on clients as a user-initiated profile migration. 

User-initiated migration packages can be run on your clients, as well as computers 

that are not managed by Management Suite. 

To create a user-initiated migration package 

1. Access the Collection Manager dialog from the OS Deployment/Migration 

Tasks wizard, or by clicking Scripts | Collection Manager. 

2. Select User-Initiated packages, and then click New. 

3. Enter a unique name for the package. Do not type the filename extension 

here; the .EXE extension will be appended automatically to the name you 

enter. 

4. Select a collection from the displayed list. The collection you select 

determines the profile content applications, desktop settings, and files. You 

can select only one collection per migration package. 

5. To build the package, click OK. This may take some time, depending on the 

amount of profile content defined in the collection you selected. 

The user-initiated migration package (.EXE) is saved by default to the following 

directory on your core server: c:\Program 

Files\LANDesk\ManagementSuite\LDLogon\PMScripts\Executables. 

When you delete a user-initiated package, the package is removed from the core 

server. Other copies of the package may still exist depending on how and where you 

distributed the package to users. 

284


Running user-initiated profile migration packages 

You can distribute the user-initiated profile migration package to clients via e-mail or 

removable media and run it at the client, or you can store the package on a network 

share and run it from a client with access to that share. 

The package launches a program called the LANDesk Profile Migration wizard that 

includes its own online help file. For more information, including step-by-step 

instructions for capturing and restoring a profile with user-initiated migration 

packages, click Help on any of the LANDesk Profile Migration wizard's pages. 

285

Chapter 10: Healing broken applications 

The Application Healing feature keeps applications up and running on clients. 

Application Healing works by automatically repairing applications that no longer run 

as a result of files being accidentally deleted or corrupted. With Application Healing, 

you can configure LANDesk Management Suite to heal the applications you specify. 

When an application fails to launch on a client, Application Healing detects the 

problem. The Application Healing agent then uses an Enhanced Software Distribution 

(ESWD) package to reinstall components of that application, fixing any problems in 

the process. To minimize the use of network bandwidth, the heal only copies 

missing, corrupt, or outdated files to the client. 

Application Healing enables you to heal applications that have been deployed with or 

without ESWD packages. For applications previously installed without using an ESWD 

package, you can make them "healable" by creating an ESWD package to use for 

healing. Application Healing requires that you use ESWD packages for healing. 

You can also use Application Healing in a monitoring role. If you deploy the 

Application Healing agents to clients without configuring the agents to heal specific 

applications, the agents report to the core server when any application has a 

problem launching. You can then run reports from the console to see which 

applications are causing problems for your clients. 


• Configuring Application Healing 

• Configure step 1: Setting up ESWD packages for healing 

• Configure step 2: Making applications healable 

• Configure step 3: Distributing ARL files to clients 

• Viewing Application Healing events 

• Viewing Application Healing reports 

• Application Healing registry keys 

287

USER'S GUIDE 

Configuring Application Healing 

To install Application Healing, you need to: 

• Use the Client Setup wizard to configure your clients for Application Healing. 

To use Application Healing after installing it, you need to: 

• Set up an ESWD package for each application that should be healable. 

• Configure application repair lists (ARLs) for the applications you're making 

healable. 

• Distribute the application repair lists to clients. 

Once you've installed Application Healing: 

• When the agent detects an application failure, it starts the healing process by 

referring to the application's ARL file that you sent earlier. From the ARL, the 

agent retrieves the ESWD package path and uses the package to determine 

which files may need to be reinstalled. 

• The agent sends events about the software healing status to the core server. 

Use the AMS alert log and Application Healing reports to check the status 

periodically. 

Once you've installed Application Healing support on your core server, management 

consoles, and clients, you need to make important applications on clients healable. 

You will need to: 

• Set up ESWD packages for the applications that should be healable. 

• Configure application repair lists (ARLs) for the applications you're making 

healable. 

• Distribute the application repair lists to clients. 

How Application Healing detects application problems 

The Application Healing agent looks for failures to start .EXEs (CreateProcess) or load 

.DLLs (LoadLibrary). The agent logs all of the failures it detects to the AMS alert log 

on the client's core server. If the client isn't connected to the network, the agent 

stores the events locally until it can relay them to the core server. 

If a user tries to start a program from a shortcut and the target of that shortcut isn't 

there, Application Healing won't trigger. This happens because the affected 

application never launched, so the agent never saw the error. However, if a user 

tries to start an application by double-clicking a file that the application is associated 

with, Application Healing will usually trigger even though the main application 

executable that the program shortcut points to is missing. 

When an .EXE or .DLL file listed in an ARL file causes a problem, the agent triggers 

the healing process using information in the ARL file. If a recent healing attempt has 

occurred (by default, within the last 10 minutes), Application Healing won't try to 

repair the application again for that interval. 

288

CHAPTER 10: HEALING BROKEN APPLICATIONS 

If a healing attempt hasn't occurred within an interval you specified in the Client 

Setup wizard, the agent starts reinstalling the application with the ESWD package 

specified in the application's ARL file. 

If it was a create process failure that triggered the healing process and the user 

chooses to repair immediately, Application Healing will attempt to restart the 

application once healing finishes. 

289

USER'S GUIDE 

Configure step 1: Setting up ESWD packages for 

healing 

Application Healing requires an ESWD install package for the application you're 

healing. If you originally distributed the application package via ESWD and have the 

package available on the network or a Web server, you're ready to create an ARL. 

If you installed applications via any other method, you'll need to create an ESWD 

package with the ESWD Package Builder. When creating the package, use the same 

configuration that the original package or application install had. Otherwise, when 

Application Healing uses the new package to heal, installation differences (where 

files are placed, and so on) may cause problems. You also need to test the 

replacement ESWD package before using it in a production environment. 

When Application Healing uses an ESWD package for healing, any user interface 

you've customized as part of the package will appear during healing. If you want 

your healing packages to behave differently during install than your application 

install packages, you may want to have two package versions. 

Each ESWD package has a unique GUID. Application Healing uses this GUID to match 

package versions. For example, if a package's GUID matches the GUID stored in the 

ARL file, Application Healing knows to only update missing or changed files. If ESWD 

has the package files cached locally, a matching GUID will allow Application Healing 

to retrieve files from the cache during healing, rather than getting them from the 

network. If a package GUID doesn't match the package that the ARL is pointing to, 

Application Healing will reinstall the entire package. 

290


Configure step 2: Making applications healable 

Once you've configured clients for Application Healing, and you have an ESWD 

package for the application you're healing on the network or a Web server, you can 

create an application repair list (ARL). An ARL tells the Application Healing agent 

what applications are healable and where to heal them from. The ARL contains the: 

• Application name 

• Executable or .DLLs to monitor 

• Path to the package that repairs the application 

You can add multiple application configurations to an ARL file. You should have a 

system for organizing your ARL files. Once you've decided how you're going to 

organize your files, you need to create the ARLs and distribute them to clients. 

Creating ARL files 

Application Healing window 

Create and manage your ARL files from the console's Application Healing window. 

The Application Healing window has these columns: 

• Application Repair List: The ARL files in your \Program 

Files\LANDesk\ManagementSuite\Ldlogon directory. Selecting an ARL in this 

column populates the other columns and allows you to configure that ARL. 

• Application name: The name you provided for the application you're 

configuring. 

• Package location: The URL or UNC path to the ESWD package that will 

repair the application you're configuring. This is the path clients will use to 

access the package. 

• Filename: The application files that will trigger Application Healing when 

there's a problem. These should be the main application .EXEs and .DLLs that 

will most likely generate errors should the application not be working 

correctly. 

To create an application repair list 

If the Application Healing window isn't visible, click Tools | Application Healing. 

1. Click the New ARL toolbar button and enter an ARL name. 

2. Select the new ARL and click the Add Application to ARL toolbar button. 

3. Enter the name of the application you're configuring. 

4. Enter the location of the package that repairs the application you're making 

healable. You can select either a Web path or a File share path, then enter 

the path or click Browse. 

5. Click OK. 

6. Select the .EXE/.DLLs to monitor. For more information, see "Selecting files to 

monitor" later in this chapter. 

291

USER'S GUIDE 

By default, ARLs are saved to the \Program 

Files\LANDesk\ManagementSuite\Ldlogon directory on your core server. 

To specify which files to monitor 

1. In the Application Healing window, select the application name you want to 

add files to. 

2. Click the Configure File List toolbar button 

3. By default, all .EXE and .DLL files are selected. From the list, remove any 

system or shared .DLLs that you don't want monitored, then click OK. 

4. Click Save ARL to save your changes. 

About the Add application to Application Repair List dialog 

Use the Add Application to Application Repair List dialog (Application Healing, Add 

Application to ARL toolbar button) to add the files you want Application Healing to 

track. 

• Application name: Enter a name for the application you're configuring. This 

name appears in the Application Repair List column. 

• Web path: Click Web Path for packages stored on a Web server. You must 

include http:// in the URL. 

• File share path: Click File Share Path for packages stored on a null-session 

share on a file server. This path must follow the UNC path convention, 

\\servername\sharename\. 

• Browse: Click Browse to browse for the path. If you clicked Web path, a 

small browser window opens. If you clicked File share path, a standard 

browse dialog opens. 

Organizing ARL files 

You have two choices when considering how to organize ARL files: 

• One application per ARL file 

• Multiple applications per ARL file 

If you plan to have one application per ARL file, you'll be managing ARLs on your 

client on a per-application basis. Doing so gives you many options for customizing 

Application Healing on the client. The downside is that this could be more difficult to 

keep track of, because clients might have a dozen or more ARL files on their 

computer, depending on how many applications are healable. 

If you plan to have multiple applications per ARL file, you'll need to consider how to 

group applications within an ARL. For example, you might want to have a global ARL 

file that contains applications that everyone in your company runs. Everyone will get 

this global ARL file. You'll probably also need an ARL file designed for the department 

a client is in. For example, one for Finance, another for Marketing, and so on, that 

includes the applications specific to that department. 

292


Remember that you need to avoid having the same .EXEs or .DLLs referenced by 

multiple applications in ARL files. For example, if you associate myfile.exe to two 

different applications in your ARL files, the Application Healing agent will begin 

healing the first application it encounters in an ARL file with myfile.exe as a 

monitored file, regardless of whether that application was the one with the problem. 

About the Associated Files with Application dialog 

Use the Associated Files with Application dialog to configure which files Application 

Healing will monitor for problems. 

• Available files: Lists all of the .EXE and .DLL files in the ESWD package you 

selected. 

• Selected files: Lists a subset of the available files you want to monitor. You 

must choose these files carefully. For more information, see "Selecting files to 

monitor" in the next section. 

Selecting files to monitor 

The Application Healing agent looks for failures to start .EXEs or load .DLLs. The 

agent logs all failures it detects to the AMS alert log on the core server. When an 

.EXE or .DLL file listed in an ARL file causes a problem, the agent triggers the healing 

process using the information in the ARL file. 

When you've specified a repair package in an ARL file and clicked the Select 

Application Files button, Application Healing lists the .EXE and .DLL files from the 

package. Carefully select the .EXE and .DLL files that trigger the healing process, 

because if you select a .DLL file that multiple applications use (MSVC42.DLL for 

example), then the wrong application might get healed when there's a problem. 

While an application might consist of multiple .EXE and .DLL files, errors typically 

occur in a subset of the files. Because the client agent logs faults in all applications, 

you might want to check your AMS logs to see where errors are occurring. This can 

be a good starting point in narrowing down the list of .EXE/.DLL files that will trigger 

healing. As a starting point, make sure you select at least the main .EXE file the 

application's shortcut points to. 

In some cases, selecting too many files can lead to another type of problem. Some 

applications attempt to load .DLLs that they don't really need. For example, an 

application that runs under Windows NT and Windows 98SE might look for a .DLL 

that's specific to Windows NT. If that .DLL isn't available, the application assumes it's 

running on Windows 98SE and everything works fine. However, when the application 

attempts to look for the .DLL and the component looking for the .DLL is a monitored 

file, Application Healing will start unnecessarily. If you notice applications failing on 

.DLLs that aren't included with the application, consider removing the source .DLL 

from the selected files list. 

If an .EXE or .DLL is specified in multiple ARL files, the Application Healing agent 

uses the first ARL file it finds that lists the problem .EXE/.DLL. Avoid using the same 

.EXE/.DLLs in multiple application entries. 

293

USER'S GUIDE 

Configure step 3: Distributing ARL files to clients 

Once you've created the ARL using the console, you'll need to distribute the ARL to 

clients. The Application Healing agent on the client uses the ARL files to determine 

which applications are healable and how to heal them. If an application doesn't have 

an associated ARL file on the client, that application won't be healable. 

To distribute ARL files to clients 

1. From the Application Healing window, select the ARL file you want to 

distribute, then click Create Scheduled Task. 

2. The ARL file box should contain the ARL name you're distributing. If it 

doesn't, you can select the ARL file by clicking Select and selecting an ARL 

from the list provided. 

3. Give the script a name, such as "Deploy Finance ARL." You should at least 

include the text "ARL" in the script name so you can find it easily in the 

Scheduled Tasks window. 

4. Click OK to go to the Scheduled Tasks window. 

5. Select the clients you want to distribute this ARL to by dragging and dropping 

clients from the Network View to the Scheduled Tasks window. 

6. Double-click the ARL task and select when you want the distribution to occur, 

then click OK. 

7. Repeat this task for each ARL you want to distribute. 

You can update ARL files on clients by making changes to the appropriate ARL and 

redistributing it to clients. 

To remove ARL files from clients 

1. From the Application Healing window, select the ARL file you want to remove, 

then click Create Scheduled Task. 

2. The ARL file box should contain the ARL name you're removing. If it doesn't, 

you can select the ARL file by clicking Select and selecting an ARL from the 

list provided. 

3. Give the script a name, such as "Remove Finance ARL." You should at least 

include the ARL name in the script name so you can find it easily in the 


4. Click Remove script. 

5. Click OK to go to the Scheduled Tasks window. 

6. Select the clients you want to remove this ARL from by dragging and dropping 

clients from the Network View to the Scheduled Tasks window. 

7. Double-click the ARL task and select when you want the removal to happen, 

then click OK. 

8. Repeat this task for each ARL you want to remove. 

294


About the Schedule Application Repair List (ARL) File dialog 

Use the Schedule Application Repair List (ARL) File dialog to create a script that will 

deploy the ARL to clients. 

• Application Repair List (ARL) Name: Enter the ARL name that you want to 

deploy. Click Select to pick from the list of available ARL files. 

• Name: Enter the name for this script. This is the name that appears in the 


• Deploy Script: Select this option to create an ARL deploy script. 

• Remove Script: Select this option to create a script that removes the 

specified ARL from clients. 

295

USER'S GUIDE 

Viewing Application Healing events 

The Application Healing agent sends Alert Management System (AMS) events to the 

core server. If clients aren't connected to the network when events occur, the agent 

stores events locally and forwards them to the core server once the client can 

connect. 

Application Healing stores events to both the AMS database and the core database, 

where all Management Suite data is stored. Once events are in the core database, 

they stay there until you purge them. Periodically purge these events from the core 

database by completing the purge task described later in this section. 

The Application Healing agent sends these events when appropriate to the core 

server: 

• Application not repaired, healing disabled on computer 

• Recent reinstall failed 

• Reinstallation successful 

• Reinstallation successful, restarting application 

• Repair has been delayed 

• Repairing application 

• Unable to reinstall the application 

• Unable to repair application 

• User has canceled repair 

If you're configuring an event that uses an action message, you need to change the 

alert parameter to . With Application Healing 

events, is always the core server. returns the 

name of the client originally generating the event. 

To view Application Healing events 

• Click View | Alert History. 

To create alert actions for Application Healing events 

1. Click Configure | Alert Settings. 

2. In the Alert Settings window, expand the LANDesk Application Healing 

tree. 

3. Double-click the event you want to configure an action for. 

4. Complete the Configure Event Action wizard. 

To purge Application Healing events from the core database 

1. In the Application Healing window, click the Purge Healing Events button. 

2. Select whether you want to purge all events or just events older than a date 

you specify. 

296


Changing the TCP port events use 

Application Healing uses TCP to send event information. By default, Application 

Healing requires that port 12175 be open on any firewalls between clients and their 

core server. If you want to use a different port, you can use the Client Setup wizard 

to change the default port Application Healing uses to send events. If you configure 

your clients to use a custom port, you must also configure the core server to listen 

on the same port. 

To change the TCP port the core server uses for events 

• On the core server, change the value for this registry key so that it matches 

the port your clients are using: 

HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr\TCPPort 

297

USER'S GUIDE 

Viewing Application Healing reports 

Application Healing has several reports you can view. All reports originate from the 

core database. 

To view an Application Healing report 

1. From the network view, click Tools | Reports. 

2. Click All LDMS Reports > Application Healing > and double-click the 

report you want to view. 

3. If the report requires it, click the report range you want. 

4. Click OK. 

See the following sections for descriptions of each report. 

Applications healed per client 

The Applications Healed Per Client report lists all applications that have been healed 

on a per-client basis. This report also lists the: 

• Number of times Application Healing has failed 

• Number of times Application Healing was canceled 

• Number of times each application has been healed 

• Last date the application was healed 

• All "broken" applications that did not have an associated package 

Broken application list 

The Broken Application list report lists all of the files that have been detected as 

being broken but did not have a corresponding package. The report also lists the 

number of times the application has been detected as broken. 

Client event history 

The Client Event History report lists all of the Application Healing events associated 

with a particular client. 

Computers healed per application 

The Computers Healed Per Application report lists all of the clients that have been 

healed for a particular application. The report also lists the number of times the 

application has been successfully healed and the number of times that healing has 

failed on a per-client basis. 

298


Application Healing registry keys 

The following registry keys are for reference only, and most of the keys are set as a 

result of choices you made when installing Application Healing. Only rarely would you 

want to change these keys manually. 

Client configuration registry keys 

The client healing agent uses the HKLM\Software\Intel\LANDesk\LDWM\QIP key for 

storing most configuration information. These values are supported: 

Value Type Description 

ConnectionFreq 

DWORD When the agent can't establish an initial connection with the 

core server, it periodically retries to establish a connection. This 

registry value specifies how frequently (in seconds) connection 

retries occur. Valid values are from 5 to 3600 (once per hour). 

The default value is 120 seconds (2 minutes). 

QueueCompactFreq DWORD How frequently (in seconds) the queue will be compacted. Valid 

values are from 30 to 86400 (once per day). The default value is 

900 seconds (15 minutes) 

TCPPort 

DWORD Specifies the TCP port for the agent to use when 

communicating with the server. By default, this value is 12175. 

You must use the same port number on the core server and 

clients. 

There is one additional key under 

"HKLM\Software\Intel\LANDesk\Metering\Meterwin\Repair". It supports this value: 


Utility String Contains the path to SDISTFIX.EXE, the Application Healing client executable. 

The default is c:\Ldclient\SDISTFIX.EXE. If SDISTFIX.EXE isn't in C:\ldclient on 

your clients, you need to change this key to point to the new location; otherwise, 

healing won't work. 

299

USER'S GUIDE 

Client healing agent registry keys 

The client healing agent configuration information is stored under the 

HKLM\Software\Intel\LANDesk\LDWM\AppHealing\Agent key. These values are 

located under this key: 


DialogTimeOut DWORD The amount of time (in seconds) until the Application Healing wizard 

will time out and proceed with healing the application. Valid values 

are from 10 to 3600 seconds (1 hour). The default value is 300 

seconds (5 minutes). 

DisableHealing DWORD If this value is set to a non-zero value, it will disable Application 

Healing on the client. 

MinHealDelta 

UIFlags 

DWORD Determines how many seconds must elapse before another repair 

attempt will be made. Valid values are from 10 to 3600 seconds (1 

hour). The default value is 600 seconds (10 minutes). 

DWORD Bit-wise flags to control how the UI (for both SDISTFIX.EXE and 

package installation) will display. These options are available: 

0x1000, Silent installation, no UI will be displayed 

0x2000, Alternate package location not allowed 

0x4000, User cannot delay the repair until the next logon 

0x0001, User cannot cancel the operation 

0x0002, No background will be displayed during the reinstallation of 

the package. 

By default, the no cancel and no background bits (0x0003) are set. 

300


Server healing agent registry keys 

The server healing agent uses the HKLM\Software\Intel\LANDesk\LDWM\QIPSrvr key 

for storing configuration information. These values are supported: 


MaxConnections 

DWORD Controls the maximum number of clients that can be connected 

to the server healing agent. Valid values range from 1 to 32. By 

default, the value is 32. Note: Each connection causes a thread 

to be created within the server healing agent. 

MaxInactiveLibTime DWORD Target handlers are dynamically loaded by the server healing 

agent on an as-needed basis. The target handlers are unloaded 

after they've been inactive (that is, they've received no packet) 

for a certain amount of time. This value specifies the number of 

seconds for which a handler must be inactive before it will be 

unloaded. No validation is performed on this value. The default 

is 300 seconds (5 minutes). 

TCPPort 

DWORD Specifies the TCP port for the server healing agent to use when 

communicating with clients. By default, this value is 12175. You 

must use the same port number on the core server and clients. 

SDClient directory registry key 

By default, Application Healing assumes that the Application Healing client 

executable (SDISTFIX.EXE) is located in the C:\Ldclient directory. You can specify an 

alternate directory for the SDISTFIX.EXE by setting the SDClientDirectory value 

under the HKLM\Software\Intel\LANDesk\LDWM\Distribution key. 

301

Chapter 11: Managing application policies 

LANDesk Management Suite enables you to manage sets of applications on groups of 

clients using the Application Policy Management feature. 


• Application Policy Management 

• Configuring policies 

• Selecting targets for your policies 

• Understanding policy types 

• Reporting on policy status 

303

USER'S GUIDE 

About Application Policy Management 

Application Policy Management helps you easily manage sets of applications on 

groups of clients. A policy has two main components: 

• Enhanced Software Distribution (ESWD) packages that you create. 

• Policy targets for the ESWD packages, such as the results of an LDAP or core 

database query. 

One of Application Policy Management's most compelling features is that it 

periodically reruns queries you have configured as part of the policy, applying your 

policies to any new managed clients. For example, perhaps you have a Department 

container in your LDAP directory that contains user objects. Any user whose 

Department object is "Marketing" uses a standard set of applications. After you set 

up a policy for Marketing users, new users who are added to Marketing automatically 

get the correct set of applications installed onto their computer. 

In its simplest form, a policy is a command line for Enhanced Software Distribution 

(ESWD) packages to be executed on target clients. Use the LANDesk Management 

Suite console to configure application policies, which are stored in the core database. 

Application Policy Management can deploy these file types: 

• Enhanced Software Distribution (ESWD) packages 

• Microsoft Installer (MSI) packages 

• Single-file standalone executables 

Here's the task flow for Application Policy Management: 

1. Make sure the Application Policy Management and ESWD agents are on your 

clients. 

2. If you don't have an ESWD package for the application you want a policy for, 

create one. For more information, see Chapter 6: "Distributing software and 

files." 

3. Use the console to configure application policies and the policy targets. The 

core database stores policy targets, which you can define to be sets of 

users/computers or the results of LDAP/database queries. 

4. The Application Policy Management service on the core server periodically 

updates the policy target list by reevaluating the LDAP/database query 

results. This helps ensure that the core database has a current set of targeted 

users/computers. 

5. A user logs on to a client, connects to the network, or otherwise starts the 

Application Policy Management agent. 

6. The core server's Application Policy Management service determines the 

applicable policies based on the client's device ID and the logged-in user. 

7. The Application Policy Management service sends the policy information back 

to the Application Policy Management agent. 

8. Depending on how you've configured the client to handle policies, the user 

selects the policies to run or the policies run automatically. Only 

recommended or optional policies are available in the client list. When an 

unprocessed, recommended policy is in the list, it's checked by default. 

304

CHAPTER 11: MANAGING APPLICATION POLICIES 

Periodic policies appear in the list once their execution intervals have lapsed. 

Selected policies execute sequentially. 

9. The Application Policy Management agent sends the policy results to the core 

server, which stores the results in the core database. Application Policy 

Management status reporting uses QIP for enhanced reliability. This status is 

reported in the Application Policy Management window's third pane. 

About the Application Policy Management window 

The Application Policy Management window is divided into three parts: 

• The first pane shows the policy name and the policy package type. 

• The second (middle) pane shows the groups that contain target clients for 

that policy and how frequently Application Policy Management will apply the 

policy. 

• The third pane shows more information on the target clients for the group 

selected in the middle column. It also shows the status of the policy to the 

client and when the status was last updated. 

305

USER'S GUIDE 

Configuring policies 

Before creating policies, make sure you've deployed the Application Policy 

Management agent to your clients. 

Application Policy Management requires ESWD packages for any policy you create. 

You can either create the ESWD packages ahead of time or you can create the 

packages while creating the policy. We recommend that you create the packages 

ahead of time to test them and ensure that they work before using them in a policy. 

To create a policy 

1. In the console, click Tools | Application Policy Management. 

2. Click the Add New Policy toolbar button. 

3. In the Deploy Package window, type in the Web path or File share path of 

the package or click Browse to select a package you've already created. 

4. Finish the rest of the wizard. Click Help for more information on each page. 

5. Add targets for the policy. For more information, see the next section. 

Selecting targets for your policies 

Each policy you create needs a set of targets that Application Policy Management will 

apply the policy to. Application Policy Management uses two types of targets, static 

and dynamic. 

• Static targets: A list of specific devices or users that doesn't change unless 

you manually change it. Static targets can be LDAP users from Directory 

Manager or devices from the console's network view. 

• Dynamic targets: A dynamic list of devices that allows Application Policy 

Management to periodically check the target list for any changes. Dynamic 

targets include query results and LDAP groups/containers or network view 

groups. 

Dynamic policy targets are unique, in that Management Suite updates the results of 

these queries periodically. As new clients meet the query criteria, policies using those 

queries get applied to the new clients. 

You can specify static policy targets in these ways: 

• Network view computers: A static set of computers from the core 

database. 

• LDAP users or machines: A static set of user and/or machine objects. 

You can specify dynamic policy targets in these ways: 

• Network view group: A dynamic set of computers from the core database. 

• LDAP group/container: A dynamic set of user and/or machine objects. 

• Database Query: A set of computers generated by a query against the core 

database. 

306


• User Group: A group of users selected from an LDAP-compliant directory. 

• LDAP Query: A set of users, computers, or both, generated by a query on an 

LDAP-compliant directory. 

Adding static targets 

Application Policy Management can use static targets as policy targets. Static targets 

are a list of specific devices or users that doesn't change unless you manually change 

it. 

To add static targets from the network view 

• From the network view, select individual clients and drag them to the middle 

pane. 

To add static targets from Directory Manager 

• From Directory Manager, drag objects to the Application Policy Management 

window's middle pane. 

To add a static target manually 

1. In the Target pane's shortcut menu, click New Static Target. 

2. Enter the target information in the New Static Target dialog. 

3. Drag targets from the network view or Directory Manager. 

Adding dynamic targets 

Application Policy Management can use queries to determine policy targets. As of 

Management Suite 8, queries are stored only in the core database. For more 

information on queries, see chapter 4, "Managing inventory and reports." 

You can right-click queries in the console's network view to see if any application 

policies are associated with the query you've selected. 

In order for clients to receive policies that are targeted through Active Directory or 

NetWare Directory Services, they have to be configured to log in to the directory. 

This means that they need to have all the correct client software installed, and they 

need to actually log in to the correct directory so that their fully distinguished name 

will match the name that was targeted through Directory Manager and Application 

Policy Manager. 

Windows 95/98 clients need to be configured to log in to the domain where the 

Active Directory resides. Windows NT and Windows 95/98 don't include Active 

Directory support. You must install Active Directory support on clients that log in to a 

directory and require Application Policy Management. As of this printing, more 

information on installing Active Directory client support was available here: 

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextensi 

on.asp 

307

USER'S GUIDE 

For each Windows NT/2000/2003/XP client, there must be a computer account on 

the Active Directory domain controller. This means that the computer being used as 

the client must be logged in to the domain where the Active Directory exists. You 

can't simply map a network drive using the fully-qualified Windows NT domain name. 

The policy won't take effect this way. 

To use Directory Manager to create a query 

1. Click Tools | Directory Manager. 

2. Click the Manage Directory toolbar button. 

3. Enter the directory URL and authentication information and click OK. 

4. Click the New Query toolbar icon. 

5. Create your query. For more information, see "Using Directory Manager to 

query directories via LDAP" in chapter 3. 

To preview query results 

• From the middle pane, right-click a group and click Preview Query Results. 

Note that some queries can take a long time to resolve. Once the query 

finishes, results will appear in the right pane. 

To add dynamic targets from the network view 

• From the network view, drag a device group to the Application Policy 

Management window's middle pane. 

To add dynamic targets from Directory Manager 

1. From Directory Manager, drag a container or group to the Application Policy 


2. If you're adding a container, select whether you want to add user objects, 

machine objects, or both from the container. 

To add targets to a policy with a query 

• From the network view, drag and drop a query to the Application Policy 


To see if a query is used by a policy 

• In the network view, right-click the query you want to check and click 

Policies. 

Or 

• In Directory Manager, select the query and that query's target policies are 

shown in the right pane. 

308


Copying targets to another policy 

If you have a complex network or organizational structure, it can be a lot of work 

associating targets with a policy. Once you've configured policy targets, you can save 

time on additional policies that use the same targets by copying those targets to the 

new policy. 

To copy targets to another policy 

1. In the Target pane, click the target list that you want to copy. In that target 

list's shortcut menu, click Copy Target to Another Policy. 

2. Click the policy that should receive the target list and click Associate. Click 

Close when you're done. 

Applying scope to APM policies 

Multiple scopes can filter the APM target details pane for a target lists. However, the 

final scope that a policy uses is always the scope of a target list creator. If another 

Management Suite user with a different scope looks at a the target details pane for a 

target list created by someone else (let's call this second person a target list 

"editor"), the target details pane is filtered first by the creator's scope and then by 

the editor's scope. In this case, the editor may not see all the targets the policy will 

be applied to in the target details pane, because the editor's scope may not allow 

them to see all targets in the creator's scope. 

309

USER'S GUIDE 

Understanding policy types 

The policy type affects how target clients act when they receive the policy: 

• Required: The Application Policy Management agent automatically applies 

required policies without user intervention. You can configure required policies 

to run silently. Any UI that appears on the client while a required task is 

installing should be non-blocking; in other words, the application being 

installed shouldn't require user input. 

• Recommended: Users have the choice of when to install recommended 

policies. Recommended policies are selected by default on the client UI. 

• Optional: Users have the choice of when to install optional policies. Optional 

policies aren't selected by default on the client UI. 

You can also configure how frequently a policy can run: 

• Run once: Once a policy successfully runs on a client, the client won't run 

that policy again. 

• Periodic: When a recommended or optional policy is specified as being 

periodic, it will be removed from the UI when it's successfully processed and 

will be shown again in the UI after the specified interval has elapsed. 

• As desired: Can be installed by users at any time. 

What clients see on their computers 

Application policies are always processed using a pull model. Clients check with the 

core server for new policies that might apply to them. When this check occurs, a 

dialog appears at the client showing only unprocessed, recommended and optional 

policies, not required policies. When an unprocessed, recommended policy appears in 

the UI, it is checked by default to encourage the end user to process it. 

Once a policy is processed, it may still show up in the UI if it's set up to run 

periodically. If this is the case, it will continue to be selected, event if it's a 

recommended policy. A policy may also continue to appear in the UI if it wasn't 

applied correctly. 

310


Configuring policies for Macintosh clients 

You can also create Macintosh client policies (Mac OS X only). Creating a Macintosh 

client policy is similar to creating a policy for a Windows-based client. Macintosh 

clients also have the same required, recommended, and optional policy types. 

Macintosh application packages must be a single-file format. Application Policy 

Management will check for policy updates on login and when waking up from sleep. 

When targeting policies, Mac doesn't currently support Application Policy 

Management by user name, only by Machine name. 

Application Policy Management does the following with Macintosh application policy 

packages: 

1. Downloads files to /Library/Applications/LANDesk/sdcache (just like CBA 

downloads). 

2. If the download is compressed, Application Policy Management will 

decompress it in place. 

3. If the download is a disk image, Application Policy Management will mount it. 

4. If there is a command line for the policy, Application Policy Management will 

execute it. 

5. If the download is an Apple Package Installer file, Application Policy 

Management will run it silently. 

6. If the download is a disk image, Application Policy Management will look for 

the first Apple Package Installer file on the mounted volume and run it silently 

7. If the download is a disk image, Application Policy Management will mount it. 

Also, Application Policy Management does support .dmg files with EULAs. 

NOTE: Some package types don't work well with Application Policy 

Management 

Installer Vise and Installer Maker installs tend to not work well with APM. They 

almost always require user interaction and can be canceled. 

To add a Macintosh client policy 

• In the Application Policy Management window, click the Add New Macintosh 

Policy button and finish the wizard. 

To edit a Macintosh policy's package command line 

1. In the Application Policy Management window, double-click the policy you 

want to edit. 

2. Add the command-line parameters you want to the Policy CMD Line. These 

parameters will be passed on to the package. 

311

USER'S GUIDE 

To refresh the local client policies 

1. In the Management Suite Preference Pane on the Macintosh client, click the 

Overview tab. 

2. Click Check Now for Application Policy Management. 

To view installed policies 

• In the Management Suite Preference Pane on the Macintosh client, click the 

APM tab. 

312


Reporting on policy status 

Whenever a client processes a policy, the Application Policy Management agent 

sends status information back to the core server. Application Policy Management 

stores status information in the core database and displays status information next 

to each target. 

Application Policy Management supports four types of reports: 

• APM status by machine: Shows policy status information for a selected 

client. If multiple users have processed policies on the client, information for 

all users of the client will appear. 

• APM status by policy: Shows status information for a selected policy. 

• APM status by user: Shows policy status information for a selected user. If 

a user has processed policies on multiple clients, the report will display 

information for all clients that the user has processed policies on. 

• APM status of all policies: Shows status information for all policies. 

To generate an Application Policy Management report 

1. Click Tools | Reports. 

2. In the Reports window, click All LDMS Reports > APM Status, and doubleclick 

the Application Policy Management report you want to generate. 

To export a policy's status 

• Generate a report and use the report viewer's Export Report button to 

export the report. 

313

USER'S GUIDE 

About the New Static Target dialog 

Use the New Static Target dialog (in the Target pane's shortcut menu, click New 

Static Target) to add specific devices and users to a policy. 

• Target Name: Enter a name you want to use to describe this target. 

• Targets: You can target either Devices or Users. If you select Devices, you 

can add targets from the Network View. If you select Users, you can add 

targets from the Directory Manager (Tools | Directory Manager). 

• Required: The Application Policy Management agent automatically applies 

required policies without user intervention. You can configure required policies 

to run silently. Any UI that appears on the client while a required task is 

installing should be non-blocking; in other words, the application being 

installed shouldn't require user input. 

• Recommended: Users have the choice of when to install recommended 

policies. Recommended policies are selected by default on the client UI. 

• Optional: Users have the choice of when to install optional policies. Optional 

policies aren't selected by default on the client UI. 

• Run once: Once a policy successfully runs on a client, the client won't run 

that policy again. 

• As desired: Can be installed by users at any time. 

• Periodic: When a recommended or optional policy is specified as being 

periodic, it will be removed from the UI when it's successfully processed and 

will be shown again in the UI after the specified interval has elapsed. 

314

Chapter 12: Configuring alerts to notify you 

The LANDesk Alert Management System (AMS) automates actions in response to 

alerts that occur on the network. AMS monitors Management Suite components and 

clients for specific events to occur. When these events occur, the component or client 

sends an alert to AMS. 

AMS can then notify you about the alert by completing the predefined alert actions 

you've configured. For example, you can configure the console to notify you if 

someone attempts a remote control session. When this event occurs, AMS detects 

the attempt and runs the configured alert actions such as sending you Internet mail 

or a pager message. 


• How alerting works in Management Suite 

• Configuring AMS alert actions 

• Configuring the Message Box alert action 

• Configuring the Broadcast alert action 

• Configuring the Send Internet Mail alert action 

• Configuring the Run Program alert action 

• Configuring the Write to Event Log alert action 

• Configuring the Load an NLM alert action 

• Configuring the Send Page alert action 

• Configuring the Send SNMP Trap alert action 

• Working with configured alert actions 

• Viewing the AMS Alert History 

315

USER'S GUIDE 

How alerting works in Management Suite 

You can configure AMS to notify you when specific Management Suite events occur. 

For example, you could configure a message box alert action to display at your client 

if a software distribution package fails to arrive at a client. If that package failed to 

arrive, AMS would generate an alert and display the message box on your client. The 

console lets you configure alerts on certain parameters. 

When the alert conditions you set occur, the console sends an alert to AMS. AMS 

notifies you by running the alert actions you have configured in the Alert Settings 

dialog. Available alert actions include: 

• Displaying a message box 

• Broadcasting messages 

• Sending Internet e-mail 

• Loading an NLM 

• Running a program 

• Writing the event details to an event log 

• Sending a pager message 

• Sending an SNMP trap 

You can configure alerts for NetWare and Windows 95/98/NT/2000/2003 and 

Windows XP Professional clients. You can also select the client where the alert action 

occurs. 

For example, you could configure a message box alert action to display at your client 

if a software distribution package fails to arrive at a client. If that package failed to 

arrive, AMS would generate an alert and display the message box on your client. 

The alert actions you configure at one console aren't available at another. You can 

export configured alerts to other consoles to use the same configured alert actions 

on multiple clients. See "Exporting alert actions to other computers" later in this 

chapter for more information. 

316

CHAPTER 12: CONFIGURING ALERTS TO NOTIFY YOU 

Configuring AMS alert actions 

The Alert Settings dialog is where you select alerts and configure alert actions. The 

Alert Settings dialog contains a folder tree view of all events that AMS can monitor. 

You can expand or contract the folders to see the alerts available for each. You can 

also configure alert actions to occur when AMS detects any of these events. 

Configuring alert action messages 

These alert actions can generate messages when they are sent: 

• Message Box 

• Broadcast 

• Send Page 

• Send Internet Mail 

• Send SNMP Trap 

• Write to Event Log 

This message can include any text you add and information from the alert that 

generated the message. This table lists the default parameters available with all 

messages: 

Default parameter Description 

Host Name 

Date 

Time 

Alert Name 

User Name 

Description 

Severity 

Name of the host client 

Date the alert occurred 

Time the alert occurred 

Name of the selected alert 

Name of the user who triggered the alert (if available) 

A description of the alert that occurred 

The severity level of the alert 

More parameters may be available depending on the selected alert. The Message 

dialog contains two list boxes. The Message box contains the text of the message 

you want to send. The Alert Parameters list contains any parameters you want 

included as message text. 

Each parameter placeholder you add to the Message box is substituted with 

corresponding alert information when the alert occurs. Alerts can't be larger than 1 

KB in size. When an alert is larger than 1 KB, it can't be delivered. In this case, AMS 

triggers a default alert to notify you that a message wasn't sent. You can configure 

alert actions for the default alert to ensure that you know when a message isn't 

delivered. 

You can test configured alert actions to make sure they work as expected. See 

"Testing configured alert actions" later in this chapter for more information. 

317

USER'S GUIDE 

Configuring alert actions 

You use similar steps to configure most AMS alert actions in the Configure Alerts 

wizard. For specific details about configuring each type of alert action, refer to that 

section later in this chapter. 

To configure an alert action 

1. In the console, click Configure | Alert Settings. 

2. In the Alert Settings window, select the alert you want to configure alert 

actions for. 

3. Right-click the alert, then click Configure. 

4. Select an alert action, then click Next. 

5. Select a client to run the action, then click Next. 

6. Select an alert action severity, or use the default. You rate configured 

alerts so that an important alert can be flagged as critical. You can set other 

alerts that aren't as important to you at informational or monitor levels. AMS 

has six severity levels: 

• Monitor 

• Information 

• OK 

• Critical 

• Non-Critical 

• Non-Recover 

7. Click Next. 

8. Select details for the selected alert action, then click Next. 

9. If the alert action can send message text, enter the message text you want 

to display in the Message box and move available parameters you want to use 

to the Message box. 

10. Enter a configuration name. This name and the action computer name 

appear in the Alert Settings dialog beside this action. 


Configuring different alert types 

For specific details about configuring each different alert type, refer to that alert 

action section in this chapter. 

Configuring the Message Box alert action 

The Message Box alert action displays a message box on the client you configure the 

action from. You have two options with the Message alert. You can: 

• Beep when displaying—The message box beeps when it displays on the 

client. 

• Make message box system modal—A system modal message box prevents 

you from working in other programs until you acknowledge the dialog by 

clicking on it. 

318


Configuring the Broadcast alert action 

The Broadcast alert action sends a broadcast message to everyone connected to the 

server generating the alert. You can configure this alert to only go to certain 

segments of the network by using the Advanced Discovery options. See the 

"Advanced Discovery" section in the online help for more information. 

The Broadcast alert action will only succeed if: 

1. The client receiving message has some connection to the core server, like a 

mapped drive. 

2. The client is in the same domain and network subnet as the core server. 

3. The client is set up to receive a broadcast message (on Windows 

2000/2003/XP, the Messenger service must be running). 

Configuring the Send Internet Mail alert action 

The Send Internet Mail alert action sends an Internet mail message to the user you 

specify. When using the Send Internet Mail alert action, you also need to specify the 

SMTP Internet mail server that the alert action will send the message through. 

If you specify the mail server by name, you need to have a domain name server 

(DNS) configured on your network so that the Send Internet Mail alert action can 

resolve the server's IP address. If you don't have a DNS server, enter the mail 

server's IP address directly. 

This alert action works only if you have access to an SMTP Internet mail server at 

your site. 

Configuring the Run Program alert action 

The Run Program alert action runs a program on the client you select. If you're 

running a Windows program, you can select from these window states: 

• Normal 

• Minimized 

• Maximized 

The windows state option has no effect on DOS programs. Enter a full path and 

command line to the program you want to run. You can enter any command line 

options you want the program to use in the Command Line field. 

Configuring the Write to Event Log alert action 

The Write to Event Log alert action creates an entry in the Windows NT Event Log's 

Application Log. This entry is logged on the client where the alert came from. This 

alert action is available only on Windows NT clients. 

319

USER'S GUIDE 

Configuring the Load an NLM alert action 

The Load an NLM alert action loads an NLM on a selected NetWare server when the 

AMS alert occurs. You must configure this alert to determine which NLM is loaded, 

and the server where it loads. This alert action is similar to the Run Program alert 

action for a Windows NT client. 

The first time you configure this action, AMS searches the network for NetWare 

clients that can perform this action. 

Enter the NLM to load in the NLM field. NetWare servers usually store NLMs in the 

SYS:SYSTEM directory. Be sure to enter the NLM path as used on the NetWare 

server. For example, use the system path such as SYS:SYSTEM\TEST.NLM. Don't use 

drive letter mappings from your client such as T:\SYSTEM\TEST.NLM because the 

NetWare server doesn't use these drive letters on its own hard disk. 

Enter any command line options you want the NLM to use in the Command Line 

Options field. 

Configuring the Send Page alert action 

The Send Page alert action sends a pager message to the number you specify. Any 

client you configure a pager action on needs to have a modem. Test Send Page alert 

actions to make sure they work as expected. See "Testing configured alert actions" 

later in this chapter for more information. 

Pager alert action configuration is divided into these parts: 

• Configure a modem for AMS 

• Configure for a paging service 

• Enter a pager message 

The three sections following the next procedure describe each part of the 

configuration process in more detail. 

To configure the Send Page alert action 

1. In the Configure AMS Alerts dialog, select the parameter you want to 

configure alert actions for. 

2. Click Configure. 

3. Click the Send Page alert action, then click Next. 


5. Select an alert action severity, or use the default setting, then click Next. 

6. Enter the access telephone number you're calling. Be sure to include any 

numbers you need to dial to access an outside line at your site. 

7. Enter the pager ID number. 

8. Enter the password you use to access the paging service network in the 

Password field. If your paging service doesn't use a password, leave this field 

blank. 

9. In the Service drop-down list, select your service type. If your paging 

service isn't listed, try one of the generic types. See "Configuring for a paging 

service" for more information. 


320


11. If you're creating a message for an alphanumeric pager, type the message 

text you want to display in the Message box and move the parameters you 

want to use from the Alert Parameters list to the Message box. If you're 

creating a message for a numeric pager, you can only enter numbers in the 

Message box. 

12. Enter a configuration name. The configuration name appears in the 

Configure AMS Alerts dialog beside this action. 


Configuring a modem for AMS 

You must configure a modem for AMS to contact your paging service. You need to 

run the modem configuration utility and select the correct COM port and modem type 

settings for the Send Page alert action to function correctly. 

To configure a modem for AMS 

1. In Windows Explorer, double-click the MODEMCFG.EXE modem configuration 

utility. This utility is located in the WINNT\SYSTEM32\AMS_ii folder on 

Windows NT clients. Windows 98SE clients keep this utility in the 

WINDOWS\SYSTEM\AMS_ii folder. 

2. From the Com Port drop-down list, select the COM port the modem uses. 

3. From the Modem Type drop-down list, select the correct modem type. 

4. Click OK to save these settings. Your modem is configured to work with the 

AMS alerting system. 

Configuring for a paging service 

You can access a paging service either directly or indirectly, though AMS Send Page 

alerts only work with direct paging services. 

Paging 

method 

Direct paging 

Description 

Refers to dialing the paging service provider's network access phone number. 

You access their client network to enter the pager identification number, and 

the paging service network then sends the message to the pager. 

Indirect paging Requires calling a paging service, speaking with an operator, and giving the 

operator the pager's identification number. AMS Send Page alerts don't work 

with indirect paging. 

Because the paging service operator enters the information into the paging 

network that sends the message to the pager, the AMS message can't get 

through to the paging service network. The indirect paging method, sometimes 

used when contacting the network directly, is a toll call, and the pager service 

offers toll-free service through the operator. 

You need to configure the Send Page alert action for your paging service. At a 

minimum, this information includes the paging service phone number and the name 

of the paging service you're using. 

Always put the paging service's phone number in the Send Page dialog's Service 

Provider field. If your paging service isn't in the Send Page dialog's Service dropdown 

list, try using the Generic Beeper or the Generic Alphanumeric service (pick the 

321

USER'S GUIDE 

one that matches the type of pager you're using). Put the password you use to 

access the paging service network in the Password field. 

If the generic service doesn't work with your pager 

You must configure the communication parameters for the Send Page alert action. 

This information includes the baud rate, data and stop bits, parity, and paging 

protocol your paging service uses. This information is available from your paging 

service. If your paging service is in the Service drop-down list, these parameters are 

configured automatically when you select the service. 

To configure your paging service manually, see the following procedure. 

To configure the Pager alert action for an unlisted paging service 

1. In the Pager dialog's Service field, click New. 

2. Click Properties. 

3. Enter the maximum message length, baud, data bits, stop bits, parity, 

and protocol that your paging service requires. You can get this information 

from your paging service. 

4. Click OK. 


6. If you're creating a message for an alphanumeric pager, type the message 

text you want to display in the Message box and move the parameters you 

want to use from the Alert Parameters list to the Message box. If you're 

creating a message for a numeric pager, you can only enter numbers in the 

Message box. 

7. Enter a configuration name. The configuration name appears in the 

Configure AMS Alerts dialog beside this action. 


Entering a pager message 

The Pager alert action supports both alphanumeric and numeric-only pagers (often 

called beepers). 

If you're paging an alphanumeric pager, the message can include any text you type 

in and information from the alert that generated the message. This message 

shouldn't exceed the maximum number of characters your paging service supports; 

otherwise, you could get a truncated message. 

Paging with a numeric-only pager 

If you're paging with a numeric-only pager, you can only send numbers. Create a 

system of server numbers and numeric error codes that corresponds to alerts you 

configure. For example, create a system where 1 refers to your production server 

and number 101 means the disk is almost full. When you receive message 1 101, 

you'd know that your production server's disk is almost full. 

Configuring the Send SNMP Trap alert action 

Simple Network Management Protocol (SNMP) is a message-based protocol based on 

a manager/agent model consisting of Get, GetNext, and Set messages and 

322


responses. SNMP uses traps to report exception conditions such as component 

failures and threshold violations. 

AMS can generate an SNMP trap when an alert happens. You can configure systems 

generating alerts to send these traps to an SNMP management console if you have 

one. 

SNMP event console not included 

Management Suite does not include an SNMP event console for viewing SNMP traps 

and events. 

To configure the Send SNMP Trap alert action 

1. In the Alert Settings dialog, select the parameter you want to configure alert 

actions for. 

2. Click Configure. 

3. Select the SNMP Trap alert action, then click Next. 


5. Select an alert action severity, or use default, then click Next. 

6. Type any message text you want to display in the SNMP trap and move 

available parameters you want from the Alert Parameters list to the Message 

box. 

7. Enter a configuration name. This name appears in the Alert Settings dialog 

beside this action. 


You must specify the trap destination address (either IP or IPX) of the clients that 

you want SNMP traps sent to. 

To install SNMP on Windows 2000 

1. From the Windows 2000 Control Panel, double-click Add/Remove 

Programs. 

2. On the left of the window, click Add/Remove Windows Components. 

3. Select Management and Monitoring Tools and click Details. 

4. Select Simple Network Management Protocol and click OK. 


6. Windows 2000 will install the SNMP component. Complete the SNMP 

installation. 

323

USER'S GUIDE 

To configure trap destinations for Windows 2000 

1. In Control Panel's Computer Management applet, click Services and 

Applications and Services. 

2. Double-click the SNMP Service. 

3. Click the Traps tab. 

4. In the Community Name list, enter Public and click Add to list. 

5. Enter the Trap Destinations for the clients you want traps sent to, then click 

Add. 

6. Click OK. 

To configure trap destinations for Windows NT 4 

1. From the Windows NT Control Panel, double-click the Network icon. 

2. Click the Services tab. 

3. Click the SNMP Service item, then click Properties. 

4. Click the Traps tab. 

5. In the Community Name drop-down list, select public. If there's no public 

entry in the list, type it in, then click Add. 

6. After you've selected or entered the "public" community name, click Add 

below the Trap Destinations list. 

7. Enter the addresses of the clients you want traps sent to, then click Add. 

8. Click OK | Close. 

To configure trap destinations for NetWare 5.1 servers 

1. From the NetWare server console, type: 

load install 

2. Click Product Options. 

3. Click Configure Network Protocols. 

4. Click Protocols. 

5. Click TCP/IP. 

6. Click SNMP Manager Table. 

7. Enter the addresses of the clients you want traps sent to, then click Add. 

324


Working with configured alert actions 

After you configure alert actions, you can test them to make sure they work as 

expected, you can delete them, or you can export them to other clients. 

Testing configured alert actions 

After you configure alert actions, test them in the Alert Settings dialog. 

To test configured alert actions 

• Right-click an alert, then click Test to test all alert actions configured for that 

alert. Right-click a specific alert action, then click Test to run only that alert 

action. 

Deleting alert actions from a parameter 

You can delete an alert action from a parameter. 

To delete an alert action from a parameter 

1. In the Alert Settings dialog, right-click the alert action you want to delete. 

2. Click Delete. 

Exporting alert actions to other clients 

Each client that generates AMS alerts stores its alert information in a local AMS 

database. Normally, the alerts and actions stored in one database aren't visible to 

AMS databases on other clients. There may be times when you want to duplicate 

configurations of AMS alert actions across multiple clients so you don't have to 

repeat your work. The AMS export option lets you export alert actions to other 

clients that generate AMS alerts. 

Some alert actions may not work on other clients. For example, if you export a Send 

Page alert action to a client that doesn't have a modem, the alert can't work. 

When you export alert actions from one client to another, you can export a single 

alert action or all alert actions. 

325

USER'S GUIDE 

To export alert actions to other clients 

1. From the Alert Settings dialog, right-click on an alert (if you want to export 

all of that client's AMS alert actions) or on a specific alert action (if you want 

to export only the selected alert action). 

2. Click Export. 

3. In the Select Computers To Receive Exported Actions dialog, select the 

computers you want to receive the alert actions you selected. If the client 

you want has AMS active on it and it isn't in the Available Computers list, click 

Refresh to rediscover clients with AMS. 

4. Click Export. 

5. In the Export Status dialog, verify that the alert actions exported successfully. 

Viewing export status 

After AMS exports alert actions to the clients you selected in the Select Computers 

dialog, AMS displays the export results in the Export Status dialog. This dialog 

displays alert actions that don't export successfully. If alerts don't export 

successfully, it can be for these reasons: 

• AMS isn't installed or working correctly on the target client. Verify AMS by 

testing a configured alert action on that client from the Alert Settings dialog. 

• The alert that the action was configured for doesn't exist on the target client. 

Make sure that the application that registered the alert with AMS on the 

source client is installed on the target client. 

326


Viewing the AMS Alert History 

You can use the console Alert History to view a list of all AMS alerts generated by 

clients on the network. You can configure the Alert History to display: 

• Only those alerts that match conditions you specify 

• A specified number of entries 

The list of alerts is displayed in the Alert History dialog with this information about 

each alert: 

• Alert Name 

• Source 

• Computer 

• Date 

• Time 

• Severity 

In addition to the basic information the Alert History dialog displays, you can access 

more detailed information about each alert in the Alert Information dialog. The core 

server stores the AMS Alert History information for all client workstations and 

consoles. 

To view the Alert History 

• In the console, click View | Alert History to see the Alert History. 

Filtering the Alert History display list 

You can configure the Alert History to display only those alerts that match criteria 

you specify. You can filter which alerts display according to these parameters: 

Filter 

Description 

View From/View To Sets the date and time range of alerts. 

Computer 

Source 

Alert 

Severity 

Displays alerts from a specific client. 

Displays alerts from the same type of alert source (such as Remote 

Control Agent) on one or more clients. 

Displays all alerts with a specific alert name. 

Displays only alerts matching the severity levels you select. You can 

specify these severity levels: Monitor, Information, OK, Non-Critical, 

Critical, and Non-Recover. 

327

USER'S GUIDE 

To specify which alerts display in the Alert History 

1. Right-click in the Alert History window, then click Options. 

2. On the Filters tab, select the filters you want to apply to the Alert History list. 

3. Click OK. 

To change the number of entries displayed in the Alert History 

1. Right-click in the Alert History window, then click Options. 

2. On the Settings tab, specify the number of log entries you want the log to 

hold. 

3. Click OK. 

Viewing detailed alert information 

You can view detailed information about each alert the Alert History window displays. 

The detailed information appears in the Alert Information dialog and includes alert 

parameters, their values, and the action status of each alert. 

The Alert Information dialog also displays this information: 

Action Status Description 

Action Type 

Action Name 

Computer 

Status 

Type of action generated by the alert, such as Message Box, Pager, Internet 

Mail, Execute Program, or Broadcast. 

Name given to the specific action. 

Name of the client where alert was configured to occur. 

Alert status, such as pending, processing action, error, completed successfully, 

or failed to complete. 

To view alert information 

1. From the Alert History window, double-click the alert that you want to display 

detailed information for. 

2. When you finish viewing the alert information, click Close. 

The client listed in the Alert History is the core server that recorded the action; it 

records all events. 

To see which client generated an alert 

• Double-click the Alert History entry you want more information about. 

The Alert Information window displays additional alert details including the 

name of the client that generated the alert. 

328


Deleting Alert History entries 

You can delete entries in the Alert History either individually or as a group. 

To delete a single log entry 

• Select the log entry you want to delete, right-click in the Alert History 

window, then click Delete | Selected Entries. 

To delete multiple log entries 

1. While pressing the Ctrl key, select the log entries you want to delete. 

2. Right-click in the Alert History window, then click Delete | Selected 

Entries. 

To delete all visible log entries 

1. Filter the Alert History so that only the entries you want to delete are visible. 

2. Right-click in the Alert History window, then click Delete | Filtered 

Entries. 

Copying Alert History contents to the clipboard 

You can copy Alert History entries and their parameters to the clipboard so you can 

then paste them to another application for printing or data analysis. 

Only parameters visible in the log are copied. To limit the number of entries the Alert 

History copies to the clipboard, apply filters to limit the number of visible log entries. 

To copy Alert History contents to the clipboard 

1. Adjust the log filters so that only the entries you want to copy are visible. 

2. Right-click in the Alert History window, then click Copy. 

329

Chapter 13: Using the Patch Manager add-on 

LANDesk Patch Manager 8 provides a complete patch management solution that can 

be added to your Management Suite 8 network—including automated vulnerability 

updates from industry sources as well as user-created custom vulnerability 

definitions; vulnerability detection and assessment, and remediation. 

Patch Manager 8 Add-On 

Patch Manager is a separately purchased add-on product that integrates seamlessly 

with your current LANDesk Management Suite system. If you haven't purchased or 

installed Patch Manager, the user interface and capabilities described in this chapter 

aren't on your core server and won't be available from your Management Suite 

console. For more information about purchasing Patch Manager, visit the LANDesk 

Web site. 

For information on installing and activating the Patch Manager add-on, refer to 

"Installing add-ons" in the Installation and Deployment Guide. 


• Patch Manager overview 

• About the Patch Manager window 

• Configuring clients to work with Patch Manager 

• Updating vulnerability and detection rule information 

• Creating user-defined vulnerabilities and detection rules 

• Viewing vulnerability and detection rule information 

• Purging vulnerability and detection rule information 

• Scanning clients for vulnerabilities 

• Viewing detected vulnerabilities 

• Downloading patches 

• Remediating vulnerabilities 

• Using Patch Manager reports 

331

USER'S GUIDE 

Patch Manager overview 

Patch Manager provides all of the tools you need to establish ongoing patch-level 

security across your network. With Patch Manager, you can automate the repetitive 

processes of maintaining current vulnerability information, assessing vulnerabilities 

of the various operating systems and applications running on your managed devices, 

downloading appropriate patch executable files, remediating vulnerabilities by 

deploying and installing the necessary patches on clients, and verifying successful 

patch installation. 

Additionally, you can create your own custom vulnerability definitions in order to 

scan managed devices for specific OS and application conditions that might threaten 

the operation and security of your system. User-defined (or custom) vulnerabilities 

can be designed for detection only or for both detection and remediation. For more 

information, see "Creating user-defined vulnerabilities and detection rules" later in 

this chapter. 

Patch Manager uses Management Suite's role-based administration to allow users 

access to the Patch Manager tools. Role-based administration is Management Suite's 

access and security model that lets LANDesk Administrators restrict access to tools 

and devices. Each Management Suite user is assigned specific rights and scope that 

determine which features they can use and which devices they can manage. For 

more information about role-based administration, see "Using role-based 

administration" in chapter 1. A LANDesk Administrator assigns these rights to other 

users with the Users tool in the main Management Suite console. Patch Manager 

introduces one new role and corresponding right to role-based administration. The 

right is simply called Patch Manager and appears in the User Properties dialog. In 

order to see and use Patch Manager, a Management Suite user must be assigned the 

necessary Patch Manager right. 

Patch Manager supports most of the standard LANDesk Management Suite client 

platforms, enabling you to scan for vulnerabilities and deploy security patches to 

managed clients running the following operating systems: 

Supported platforms 

• Windows 95B / 98 SE 

• Windows NT (4.0 SP6a and higher) 

• Windows 2000 SP4 / 2003 / XP SP1 

• Sun Solaris 

• Mac OS X 10.2.x and 10.3.x 

For information on setting up the managed clients on your network for vulnerability 

scanning and patch deployment, see "Configuring clients to work with Patch 

Manager" later in this chapter. 

332

CHAPTER 13: USING THE PATCH MANAGER ADD-ON 

Patch Manager features allow you to: 

• Maintain updated vulnerability and patch information (via LANDesk's Patch 

Manager service that consolidates data from industry/vendor vulnerability 

data sources). 

• Provide patch security for international versions of the operating systems on 

your network, including current support for the following languages: English, 

Japanese, French, German, Italian, Spanish, and Swedish. 

• Create your own user-defined vulnerabilities for detection and remediation. 

• Organize and group vulnerabilities to perform customized vulnerability 

assessment and remediation. 

• Assess vulnerabilities on a variety of supported client platforms, including 

Windows, and Sun Solaris. 

• View vulnerability and detection rule details for any managed device from the 

Management Suite console. 

• Schedule automatic patch management tasks, including vulnerability updates, 

device scans, and patch downloads. 

• Perform remediation as a scheduled task, a policy, or automatically with the 

Auto Fix feature. 

• Download and deploy patches that have been researched and verified. 

• Track the status of patch deployments and installation on target devices. 

• Use Management Suite's Targeted Multicast, peer download, and checkpoint 

restart features for fast and efficient patch deployment. 

• Generate and view detected vulnerability and remediation status information 

with a variety of patch management-specific reports. 

The following steps provide a general outline of the vulnerability assessment and 

remediation processes involved in implementing patch management on your 

Management Suite network. (These procedures are described in detail in the 

appropriate sections below.) 

1. Collecting updated vulnerability information from industry/vendor data 

sources. Plus, creating your own user-defined vulnerabilities. 

2. Organizing and viewing vulnerability information. 

3. Configuring clients for vulnerability scanning and patch deployment. 

4. Scanning devices on your network for vulnerabilities. 

5. Viewing results for scanned devices. 

6. Downloading security patches for detected vulnerabilities. 

7. Repairing vulnerabilities by deploying patches to affected clients. 

8. Viewing patch deployment status. 

333

USER'S GUIDE 

About the Patch Manager window 

The Patch Manager window, like all other Management Suite tool windows, is opened 

from either the Tools menu or the Toolbox and can be docked, floated, and tabbed 

with other open tool windows (see "Dockable windows" in chapter 1). Note that with 

Management Suite 8's new role-based administration access and security feature, a 

Management Suite user must have either the LANDesk Administrator right (implying 

full rights), or the specific Patch Manager right, to be able to see and access the 

Patch Manager tool. For more information on user rights and scope, see "Using rolebased 

administration" in chapter 1. 

The Patch Manager window contains a toolbar and two panes. The left-hand pane 

shows a hierarchical tree view of vulnerability and detection rule groups. You can 

expand or collapse the objects as needed. The right-hand pane displays a detailed 

list of the selected group's vulnerabilities or detection rules, depending upon which 

type of group you've selected. 

Toolbar buttons 

• Update vulnerability information: Opens the Update Vulnerabilities dialog 

where you can specify the platforms and languages whose vulnerability 

information you want to update. You can also configure whether to place 

vulnerabilities in the Enabled Vulnerabilities group, whether to download 

associated patches concurrently, the location where patches are downloaded, 

and proxy server settings. 

• Schedule periodic update: Creates an Update Vulnerability Information 

task that appears in the Scheduled Tasks window where you can configure 

scheduling options. 

• Schedule vulnerability scan: Creates a Scan for Vulnerabilities task that 

appears in the Scheduled Tasks window where you can add target devices 

and schedule the task. 

• Refresh: Updates the contents of the selected group. 

• Create new vulnerability: Opens a new vulnerability properties dialog with 

editable fields where you can specify the type of vulnerability definition 

(detection only or detection and remediation), enter specific vulnerability 

information, create detection rules, and identify the appropriate patch file. 

• Import user-defined vulnerabilities: Allows you to import an XML file 

containing a vulnerability definition. 

• Export user-defined vulnerabilities: Allows you to export a vulnerability 

definition as an XML file. 

• Delete user-defined vulnerabilities: Removes the selected user-defined 

vulnerabilities from the core database. 

• Purge unused vulnerabilities: Opens the Purge Unused Vulnerability 

Information dialog where you can specify the platforms and languages whose 

vulnerability information you want to remove from the core database. 

• Help: Opens the online Help. 

The left pane of the Patch Manager window shows the following items: 

334


Main View 

Main View is the root of the Patch Manager tree, containing the Vulnerabilities and 

Detection Rules groups, and can be expanded and collapsed as needed. 

Identifying user-defined vulnerabilities 

User-defined vulnerabilities are always identified by the little person icon, whether 

they're in the Enabled, Disabled, or Unassigned group. 

Vulnerabilities 

The Vulnerabilities group contains the following subgroups: 

• Enabled Vulnerabilities: Lists all of the vulnerabilities that are searched for 

when the vulnerability scanner runs on managed devices. In other words, if a 

vulnerability is included in this group, it will be part of the next scan 

operation; otherwise, it won't be part of the scan. 

Enabled can be considered one of three vulnerability states, along with 

Disabled and Unassigned. As such, a vulnerability can reside in only one of 

these three groups at a time. A vulnerability is either Enabled, Disabled, or 

Unassigned and is identified by a unique icon for each state (: question mark 

() icon for Unassigned, red X icon for Disabled, and regular vulnerability icon 

for Enabled. Moving a vulnerability from one group to another automatically 

changes its state. 

By moving vulnerabilities into the Enabled Vulnerabilities group (click-anddrag 

one or more vulnerabilities from another group, except from the 

Detected Vulnerabilities group), you can control the specific nature and size of 

the next vulnerability scan on target clients. 

New vulnerabilities can also be automatically added to the Enabled 

Vulnerabilities group during an update by checking the Put new 

vulnerabilities in the Enabled group option on the Update 

Vulnerabilities Settings dialog. 

Caution about moving vulnerabilities from the Enabled Vulnerabilities 

group 

When you move vulnerabilities from the Enabled to the Disabled group, the 

current information in the core database about which scanned clients detected 

those vulnerabilities is removed from the core database and is no longer 

available in either the vulnerabilities' Properties dialogs or in the clients' 

Vulnerability Information dialogs. To restore that vulnerability assessment 

information, you would have to move the vulnerabilities back into the Enabled 

group and run a vulnerability scan again. 

• Disabled Vulnerabilities: Lists the vulnerabilities that aren't searched for 

the next time the vulnerability scanner runs on devices. As mentioned above, 

if a vulnerability is in this group, it can't be in the Enabled or Unassigned 

group. You can move vulnerabilities into this group to temporarily remove 

them from a vulnerability scan. 

• Detected Vulnerabilities: Lists all of the vulnerabilities detected by the last 

vulnerability scan, for all of the target devices included in that scan job. The 

335

USER'S GUIDE 

contents of this group are always determined by the last vulnerability scan on 

your network, whether one device was scanned or many. 

The Detected Vulnerabilities list is a composite of all detected vulnerabilities 

found by the most recent scan. The Scanned and Detected columns are useful 

in showing how many devices were scanned, and on how many of those 

devices the vulnerability was detected. To see specifically which devices have 

a detected vulnerability, right-click the vulnerability and click Affected 

computers. 

Note that you can also view device-specific vulnerability information by rightclicking 

a device in the network view, and then clicking Vulnerability 

Information. 

You can only move vulnerabilities from the Detected Vulnerabilities group into 

either the Unassigned or Disabled groups. 

• Unassigned Vulnerabilities: Lists all of the vulnerabilities that do not 

belong to either the Enabled or Disabled groups. The Unassigned 

Vulnerabilities group is essentially a holding area for collected vulnerabilities 

until you decide whether you want to scan for them or not. 

By default, collected vulnerabilities are added to the Unassigned 

Vulnerabilities group during an update. 

You can move vulnerabilities (click-and-drag one or more) from the 

Unassigned Vulnerabilities group into either the Enabled or Disabled groups. 

• User-defined Vulnerabilities: Lists all of the custom vulnerabilities you've 

created. This group always shows a flat list of all your custom vulnerabilities, 

even if you've moved a vulnerability into either the Unassigned, Enabled, or 

Disabled group (the group or state of the user-defined vulnerability is 

indicated by a dynamically-changing icon). 

For more information on creating, importing and exporting, and deleting userdefined 

vulnerabilities, see "Creating user-defined vulnerabilities" later in this 

chapter. 

• By Platform: Lists all of the vulnerabilities organized into specific platform 

subgroups. These subgroups help you identify vulnerabilities by platform 

category. 

You can use these platform subgroups to copy vulnerabilities into the Enabled 

Vulnerabilities group for OS-specific scanning, or copy vulnerabilities into a 

custom group (see below) in order to perform remediation for a group of 

vulnerabilities at once. 

Vulnerabilities can be copied (click-and-drag one or more) from a platform 

group into the Enabled, Disabled, or Unassigned group, or any of the Custom 

Groups. Vulnerabilities can reside in platform, product, and multiple custom 

groups simultaneously. (You can identify a vulnerability's status by its icon.) 

Note: Again, it might be helpful to think of the Enabled, Disabled, and 

Unassigned groups as containers for vulnerabilities in mutually-exclusive 

states, because a vulnerability can only be in one of those three groups/states 

at a time. The Detected Vulnerability group is the container for scan results, 

while the platform, product, and custom groups let you view and organize 

336


vulnerabilities according to different categories to help you configure scanning 

and remediation tasks. 

• By Product: Lists all of the vulnerabilities organized into specific product 

subgroups. These subgroups help you identify vulnerabilities by product 

category. 

You can use these product subgroups to copy vulnerabilities into the Enabled 

Vulnerabilities group for product-specific scanning, or copy vulnerabilities into 

a custom group (see below) in order to perform remediation for groups of 

products at once. 

Vulnerabilities can be copied (click-and-drag one or more) from a product 

group into the Enabled, Disabled, or Unassigned group, or any of the userdefined 

custom groups. Vulnerabilities can reside in platform, product, and 

multiple custom groups simultaneously. (You can identify a vulnerability's 

status by its icon.) 

• Custom Groups: Lists subgroups you've created and their vulnerabilities. 

Custom groups provide a way for you to organize vulnerabilities however you 

want. Use a group's contents to copy several vulnerabilities into the Enabled 

Vulnerabilities group for scanning, or to create a repair job for several 


To create a custom group, right-click Custom Groups (or a subgroup) and 

then click New Group. 

To add vulnerabilities to a custom group, click-and-drag one or more of them 

from any of the other vulnerability groups. Or, you can right-click a custom 

group, and then click Add Vulnerability. 

Detection Rules 

Note: Detection rules define the specific operating system, application, file, or 

registry conditions that a vulnerability definition checks for in order to detect a 

vulnerability on a scanned client. 

The Detection Rules group contains the following subgroups: 

• Enabled Detection Rules: Lists all of the detection rules that are enabled 

for scanning on devices. 

By default, detection rules associated with vulnerabilities are added to the 

Enabled Detection Rules group during an update. So are detection rules 

associated with a custom vulnerability when you create it. 

Note that in addition to having detection rules enabled, the actual patch 

executable file must also be downloaded to a local patch repository on your 

network (typically the core server) before remediation can take place. The 

Downloaded attribute (one of the detail columns) indicates whether the patch 

associated with that rule has been downloaded. 

• Disabled Detection Rules: Lists all of the detection rules that are disabled 

for scanning on devices. Some vulnerabilities are associated with more than 

one rule. By disabling a rule, you can ensure that it won't be scanned for. 

337

USER'S GUIDE 

• By Platform: Lists all of the collected vulnerabilities' detection rules, 

organized into specific platform subgroups. These subgroups help you identify 

detection rules by platform category. 

You can use these platform subgroups to perform group operations, such as 

enabling/disabling platform-specific detection rules or downloading several 

associated patches at once. 

• By Product: Lists all of the collected vulnerabilities' detected rules, organized 

into specific product subgroups. These subgroups help you identify detection 

rules by product category. 

You can use these product subgroups to perform group operations. 

The right pane of the Patch Manager window displays detailed information listed in 

sortable columns for vulnerability and detection rule items, as described below: 

Vulnerability details 

• ID: Identifies the vulnerability with a unique, vendor-defined alphanumeric 

code. 

• Severity: Indicates the severity level of the vulnerability. Possible severity 

levels include: Service Pack, Critical, High, Medium, Low, Not Applicable, and 

Unknown. 

• Title: Describes the nature or target of the vulnerability in a brief text string. 

• Language: Indicates the language of the OS or application affected by the 

vulnerability. 

• Date Published: Indicates the date the vulnerability was published by the 

vendor. 

• Silent Install: Indicates whether the vulnerability's associated patch (or 

patches) installs silently on clients (without user interaction), with a Yes or 

No. Some vulnerabilities may have more than one patch. If any of a 

vulnerability's patches don't install silently, the vulnerability's Silent Install 

attribute says No. To see how individual patches install, right-click the 

vulnerability and click Properties | Patches. 

• Fixable: Indicates whether the vulnerability can be repaired through patch 

file deployment and installation. Possible values are: Yes, No, Some (for a 

vulnerability that includes multiple detection rules and not all detected 

vulnerabilities can be fixed), and No rules (for a custom vulnerability that 

doesn't include any detection rules). 

• Detected: Displays the number of scanned devices that detected the 


• Scanned: Displays the number of devices scanned for the vulnerability. 

• Auto Fix: Indicates whether Auto Fix is enabled or disabled for the 


Right-click a vulnerability to view more details with the Properties option. The 

shortcut menu also lets you view affected computers, enable/disable Auto Fix, clear 

scan information and repair status, and create a repair job. 

Detection Rule details 

• Rule: Displays the name of the detection rule (can be the file name of the 

patch executable). 

338


• Vulnerability ID: Displays the ID of the vulnerability with which the rule is 

associated. 

• Downloaded: Indicates whether the rule's associated patch executable file 

has been downloaded to the local repository. The location of the repository is 

configured on the Patches tab of the Update Vulnerabilities Settings dialog. 

• Silent Install: Indicates whether the rule's associated patch installs silently 

on clients (without user interaction), with a Yes or No. Rules that belong to a 

user-defined vulnerability are identified as User-Defined in this column. 

Right-click a detection rule to view more details with the Properties option. The 

shortcut menu also lets you enable/disable the rule and download the associated 

patch. 

339

USER'S GUIDE 

Configuring clients to work with Patch Manager 

Before managed clients can be scanned for vulnerabilities, and receive patch 

deployments, they must have the new Vulnerability Scanner agent installed. 

Note: WinSock2 is required on Windows 9x clients in order for the Vulnerability 

Scanner agent to run. 

Patch Manager requires that the following Management Suite agents are also 

installed on clients: 

• Common Base Agent (CBA) 

• Bandwidth Detection agent 

• Local Scheduler agent 

• Targeted Multicasting agent 

• Enhanced Software Distribution agent 

Application Policy Management agent 

If you want to use policy-based remediation, your clients must also have the 

Application Policy Management (APM) agent installed. 

For existing clients, you probably only need to install the new Vulnerability Scanner 

agent, since the clients will already have the other agents installed. 

The easiest way to deploy the Vulnerability Scanner agent to multiple Windows 

clients is to create a new client configuration with the Client Setup wizard, and then 

schedule the configuration for the desired target clients with the Scheduled Tasks 

tool. 

To create a client configuration to install the Vulnerability Scanner agent 


2. Double-click the Add new client configuration icon to create a new client 

configuration. Or, if you're just adding the Vulnerability Scanner agent to 

clients that are already configured, double-click the configuration used to 

configure the clients so that you can keep the same settings. 

3. Enter a unique name if you are creating a new client configuration. 

4. In the Client Setup wizard's Install Components page, select the 

Vulnerability Scanner component. When you select Vulnerability Scanner, 

the other required agents mentioned above are automatically selected. Note 

that if you're configuring new clients for the first time, you should select all of 

the components you want installed. 


If you're just installing the Vulnerability Scanner agent with this client 

configuration, you don't need to make any changes to the current settings. 

6. At the end of the wizard, if you want the configuration to be the default (the 

configuration LDLOGON\IPSETUP.BAT will install), click Set as default 



8. Right-click the configuration and click Schedule to add the configuration to 

the Scheduled Tasks window where you can add target clients and set the 

scheduling options. 

340


More information on client configuration 

The Client configuration chapter includes more detailed information on configuring 

clients, using the Client Setup wizard, and scheduling tasks. 

When you configure a client to support patch management, the necessary files for 

vulnerability scanning, and remediation (i.e., patch deployment and installation) are 

installed on the target client. Also, a Vulnerability Scanner program icon is added to 

the client's LANDesk Management program group. 

The vulnerability scanner runs automatically during the initial client configuration 

process, so before you configure clients, you should ensure that the Enabled 

Vulnerabilities group contains only the vulnerabilities you want to scan for. If you 

don't want to scan for any vulnerabilities, make sure the Enabled Vulnerabilities 

group is empty. 

After client configuration, you can run the vulnerability scanner directly at the client 

with the Vulnerability Scanner program, by creating a Scan for Vulnerabilities task 

from the Patch Manager toolbar, or by running the predefined VulnerabilityScan 

script. For more information, see "Scanning clients for vulnerabilities" later in this 

chapter. 

Removing the vulnerability scanner from clients 

If you need to remove the Vulnerability Scanner agent from a client, you can use a 

predefined script written for that purpose. 

To remove the vulnerability scanner 

1. Click Tools | Scheduled Tasks. 

2. Click the Schedule Script toolbar button. 

3. Select the RemoveVulnerabilityScanner script and click OK. 

4. Add the desired target clients and schedule the task. 

You can also access the same script from the Manage Scripts tool. 

When you run this script, the vulnerability scanner files are removed from the client's 

hard drive, and the Vulnerability Scanner program icon is removed from the LANDesk 

Management program folder. 

Configuring UNIX clients 

LANDesk Management Suite 8 provides limited feature support for some versions of 

Linux and UNIX (see "Deploying to Macintosh, Linux, and UNIX clients" in the 

Installation and Deployment Guide). Patch Manager adds vulnerability assessment 

and remediation support for some of these clients. 

Supported UNIX distributions: 

• Sun Sparc (Solaris 8) 

341

USER'S GUIDE 

Installing the UNIX Vulnerability Scanner agent 

As with the other Linux/UNIX agents (i.e., the Inventory Scanner agent), you must 

install the Vulnerability Scanner agent manually on your clients. 

When Patch Manager is installed, the vulnerability scanner agent files are copied as a 

single tar file to the core server in the appropriate directory under \Program 

Files\LANDesk\ManagementSuite\LDLogon\unix\ that matches your UNIX 

distribution. Currently, Patch Manager supports Sun Solaris clients, so the only UNIX 

directory is: 

• solsparc: Sun Sparc Solaris 8 directory 

To install the vulnerability scanner on Sun Solaris clients 

1. Make sure these two library files are already installed: libexpat.so, and 

libstdc++.so. These two files are required in order for the Vulnerability 

Scanner to run on Solaris clients. 

2. Copy the agent tar file (vulscan-8.0-0.x-solaris.tar.gz) from the core 

server. 

3. Unzip the tar file, which includes the inventory agent files (which may already 

be installed on your clients) and two new vulnerability agent files: the 

vulscan executable, and the vulscan.conf configuration file. 

4. Copy vulscan.conf to /etc. Give read/write access for users. Use the UNIX 

chmod command to assign rights to the files. 

5. Copy vulscan to a directory that is accessible by the individuals who will be 

running the application. For example, /usr/local/landesk/PatchManager. If 

needed, make vulscan executable using the chmod command. 

Note: If you haven't already configured the Solaris client with the Inventory Scanner 

agent, you can also deploy the inventory agent files at this time. See the README 

file that is included in the tar file mentioned above. 

Configuring Mac OS X clients 

You can only scan for vulnerabilities on Mac OS X clients. Remediation must be 

performed manually. 

To install the Mac OS X agent, see "Deploying to Macintosh, Linux, and UNIX clients" 

in the Installation and Deployment Guide. Once you install the Patch Manager addon, 

the default Mac OS X agent package includes the vulnerability scanner. If you 

deployed the Mac OS X agent prior to installing Patch Manager, you'll need to 

redeploy the agent to clients so they get the updated package that includes the 

vulnerability scanner. 

To launch the vulnerability scanner manually 

1. Open the Mac OS X System Preferences and select the LANDesk Client 

panel. 

2. On the Overview tab, click Check Now in the Patch Manager section. 

342


Updating vulnerability and detection rule 

information 

Your network is continuously vulnerable to security threats from new worms and 

viruses, as well as ordinary maintenance issues like software updates and bug fixes. 

New hardware and software is released every day, along with the patches to repair 

inevitable vulnerabilities. Patch Manager makes the process of gathering the latest 

known vulnerability, detection rule, and patch information quick and easy by letting 

you update vulnerabilities via a LANDesk-hosted database. This LANDesk Patch 

Manager service consolidates known vulnerabilities from trusted, industry/vendor 

sources. 

Patch Manager also supports user-defined vulnerabilities 

In addition to known vulnerabilities, you can also create your own custom 

vulnerabilities. For more information, see "Creating user-defined vulnerabilities" later 


By establishing and maintaining up-to-date vulnerability and associated patch 

information, you can better understand the nature and extent of the security threats 

for each platform and application you support, determine which vulnerabilities are 

relevant to your environment, and customize vulnerability scanning and remediation 

tasks. The first step is to keep up with the latest known vulnerability information. 

With Patch Manager, you can configure and perform vulnerability updates at once, or 

create a scheduled vulnerability update task to occur at a set time or as a recurring 

task (see "Scheduling automatic vulnerability updates" later in this chapter). 

Only one Management Suite user on a specific core server (including additional 

consoles) can update vulnerabilities at a time. If a user attempts to update 

vulnerabilities while the process is already running, a message prompt appears 

indicating there is a conflict. 

To update vulnerability information 

1. Click Tools | Patch Manager. 

2. Click the Update vulnerability information toolbar button. 

3. Select the platforms whose vulnerability information you want to update. You 

can select one or more platforms in the list. Available platforms include: 

Windows, Mac, and Sun Solaris. The more platforms you select, the longer 

the update will take. 

4. Select the languages whose vulnerability information you want to update. You 

can select one or more languages in the list, depending on the platform(s) 

you've specified above. The more languages you select, the longer the update 

will take. See "About the Language Neutral option" later in this chapter for a 

detailed description and instructions for this option. 

5. (Optional) If you want new vulnerabilities (vulnerabilities that do not already 

exist in any vulnerabilities group in the Patch Manager tree) to automatically 

be placed in the Enabled Vulnerabilities group instead of the default location 

which is the Unassigned Vulnerabilities group, check the Put new 

vulnerabilities in the Enabled Group check box. 

343

USER'S GUIDE 

6. (Optional) If you want to automatically download the actual patch executable 

files, check the Download associated patches check box, and then click 

one of the download options. See "About the Update Vulnerabilities Settings 

dialog" below for a detailed description of these options. 

• For detected vulnerabilities only 

• For all referenced patches 

Patches are downloaded to the location specified on the Patch tab of the 

Update Vulnerabilities Settings dialog (see procedure below). 

7. (Optional) If you have a proxy server on your network that is used for 

external Internet transmissions (required to update vulnerability information 

and download patches), click the Proxy Server tab and specify the server's 

address, port number, and authentication credentials if a login is required to 

access the proxy server. 

8. Click Apply from any of the tabs at any time to save your settings. 

9. Click Update Now to run the vulnerability update. The Updating 

Vulnerabilities dialog displays the current operation and status. 

10. When the update has completed, click Close. Note that if you click Cancel 

before the update is finished, only the information that has been processed to 

that point is stored in the core database, and subsequently accessible from 

the Patch Manager tool in the console. 

Note: Do not close the Management Suite console while an update vulnerability 

process is running or the process will be terminated. This does not apply to a 

scheduled Update Vulnerability Information task. 

To configure the patch download location 

1. On the Update Vulnerabilities Settings dialog, click the Patch tab. 

2. Enter a UNC path where you want the patch files copied. The default location 

is the core server's \LDLogon\Patch directory. 

3. If the UNC path entered above is to a location other than the core server, 

enter a valid username and password to authenticate to that location. 

4. Enter a Web URL where clients can access the downloaded patches for 

deployment. The Web URL should match the UNC path above. 

5. You can click Test Settings to check to see if a connection can be made to 

the Web address specified above. 

6. If you want to restore the UNC path and Web URL to their default locations, 

click Restore to Default. The default location is the core server's 

\LDLogon\Patch directory. 

Scheduling automatic vulnerability updates 

You can also configure vulnerability updates as a scheduled task to occur at a set 

time in the future or as a recurring task. To do this, simply click the Schedule 

periodic update toolbar button to create an Update Vulnerability Information task 

in the Scheduled Tasks window, and then set the schedule options. 

344


The Update Vulnerability Information task will use the current settings in the Update 

Vulnerabilities Settings dialog. So, if you want to change the platform, language, 

patch download, or proxy server settings for a particular update job, you must first 

change those settings in the dialog BEFORE the task is scheduled to run. 

About the Update Vulnerabilities Settings dialog 

Use this dialog to configure settings for vulnerability updates, the patch download 

location, and proxy server information. 

Note: When an Update Vulnerability Information task runs, it uses the settings on 

this dialog that are current at the time, not the settings when the task was created. 

The current settings on this dialog are used by any Update Vulnerability Information 

task when the task is run. Also, the current patch download location settings found 

on the Patch tab of this dialog are used when downloading a patch. 

To save your changes on any tab of this dialog, at any time, click Apply. Clicking 

Close does not imply that your changes will be saved. 

This dialog contains three tabs: 

Download tab 

• Select platforms to update: Determines which platforms' vulnerabilities are 

updated. You can select one or more platforms. 

• Select languages to update: Determines the language versions of the 

selected platforms' vulnerabilities that are updated. 

About the Language neutral option: 

Some vulnerabilities and associated patches are language neutral or 

independent, meaning they are compatible with any language version of the 

OS or application addressed by that vulnerability and patch. In other words, 

you don't need a separate language-specific patch to remediate those 

vulnerabilities because the patch covers all supported languages. For 

example, Linux/UNIX platforms such as Sun Solaris use only language neutral 

vulnerabilities/patches. Microsoft Windows use mostly language-specific 

vulnerabilities/patches, but there are a few language neutral ones available. 

If you've selected the Windows platform, you can select the specific 

language(s) whose vulnerability information you want to update. (You can 

also select Language neutral if you want to update cross-language 

vulnerabilities for Windows, if any are available.) 

If you've selected the Sun Solaris platform, you MUST select the Language 

neutral option. Otherwise, the vulnerability information for this platform isn't 

updated. Selecting specific languages for this platform has no affect on the 

vulnerability update. 

• Put new vulnerabilities in the Enabled Vulnerabilities group: 

Automatically places new vulnerabilities in the Enabled Vulnerabilities group 

instead of the default Unassigned Vulnerabilities group. 

• Download associated patches: Automatically downloads patch executable 

files to the specified download location (see Patch tab), according to one of 

the following download options: 

345

USER'S GUIDE 

Patch tab 

• For detected vulnerabilities only: Downloads only the patches that 

are associated with vulnerabilities detected by the last vulnerability scan 

(i.e., the vulnerabilities that are currently residing in the Detected 

Vulnerabilities group). 

• For all referenced patches: Downloads ALL of the patches that are 

associated with vulnerabilities currently residing in the Enabled 

Vulnerabilities group. 

• UNC path to which the core will write files: Specifies where patch files 

are downloaded. The default location is the core server's \LDLogon\Patch 

folder. You can enter a different UNC path to download patches, but you must 

ensure access to that location by entering valid authentication credentials in 

the fields below. 

• Credentials to store patches: Identifies a valid username and password for 

accessing a location other than the core server. 

• Web URL where clients access the data: Specifies a Web address where 

clients can access downloaded patches for deployment. The default location is 

the core server's \LDLogon\Patch folder. This location will normally be the 

same as the UNC path specified above. 

• Test Settings: Performs a connectivity test to the specified Web URL. 

• Reset to default: Restores both the UNC path and the Web URL to the 

default location, which is the core server's \LDLogon\Patch folder. 

Proxy Server tab 

If your network uses a proxy server for external transmissions (such as Internet 

access), use this tab to enable and configure the proxy server settings. Internet 

access is required for both updating vulnerability information, and for downloading 

patch files from appropriate Web services. 

• Use proxy server: Enables the proxy server option (by default, this option is 

off). If you enable a proxy server, you must fill in the address and port fields 

below. 

• Server: 

• Address: Identifies the IP address of your proxy server. 

• Port: Identifies the port number of your proxy server. 

• HTTP based Proxy: Enables the proxy server, if it's an HTTP-based proxy 

(such as Squid), so that it will successfully connect to and download patches 

from FTP sites. (Patches hosted at some FTP sites cannot be downloaded 

through an HTTP-based proxy unless you first enable this option.) 

• Requires login: Allows you to enter a username and password if the proxy 

server is credentialed instead of a transparent proxy server. 

• Username: Enter a valid username with authentication credentials to 

the proxy server. 

• Password: Enter the user's password. 

346


Creating user-defined vulnerabilities and 

detection rules 

In addition to the known vulnerabilities that you update via the LANDesk Patch 

Manager service, you can also create your own user-defined (or custom) 

vulnerabilities—complete with custom detection rules, associated patch files, and 

special additional commands to ensure successful remediation. 

Vulnerabilities consist of a unique ID, title, publish date, language, and other 

identifying information, as well as the detection rule(s) that tell the vulnerability 

scanner what to look for on target clients. Detection rules define the specific 

platform, application, file, or registry conditions that the vulnerability scanner checks 

for in order to detect a vulnerability (or practically any system condition or status) on 

scanned clients. 

Patch Manager's user-defined vulnerabilities is a powerful, flexible feature that lets 

you implement an additional, proprietary level of patch security on your system. In 

addition to enhancing patch security, custom vulnerabilities can be used to assess 

system configurations, check for specific file and registry settings, and deploy 

application updates, among other innovative uses that take advantage of the 

scanning capabilities of the vulnerability scanner. 

Custom vulnerabilities don't necessarily have to perform remediation actions 

(deploying and installing patch files). If the custom vulnerability is defined with a 

Detect Only detection rule or rules, the vulnerability scanner scans target devices 

and simply reports back the devices where the rule's prescribed condition (or 

"vulnerability") is found. For example, you can write a custom Detect Only rule for 

the vulnerability scanner to check managed devices for the following: 

• Application existence 

• File existence 

• File version 

• File location 

• File date 

• Registry setting 

• And more... 

You can create as many custom vulnerabilities as you need to establish and maintain 

patch security for your environment. 

To create a user-defined vulnerability 


2. Click the Create new vulnerability toolbar button. An editable version of 

the Vulnerabilities Properties dialog opens, allowing you to specify 

vulnerability settings. 

3. Enter a unique ID for the vulnerability. (The system-generated ID code can be 

edited.) 

4. The publish date is today's date and can't be modified. 

5. Enter a descriptive title for the vulnerability. This title displays in vulnerability 

lists. 

347

USER'S GUIDE 

6. Specify the severity level. Available options include: Unknown, Service Pack, 

Critical, High, Medium, Low, and Not Applicable. 

7. Specify the status for the vulnerability. Available options include: Disabled, 

Enabled, and Unassigned. When you specify a status, the vulnerability is 

placed in the corresponding group in the Patch Manager tree view (see "Main 

view" earlier in this chapter). 

8. The language setting for user-defined vulnerabilities is automatically set to 

INTL (International or Language neutral), which means the vulnerability can 

be applied to any language version of operating systems and/or applications. 

9. The Detection Rules list displays all the rules used by this vulnerability. If you 

are creating a new user-defined vulnerability, you should configure at least 

one detection rule that is used to scan for the vulnerability. To add detection 

rules, click Add. (See the procedure below for step-by-step instructions.) 

10. If you want to provide additional information about this vulnerability, click the 

Description tab and type your comments in the text box and/or enter a valid 

Web address where more information is posted. 

As with known vendor vulnerabilities, custom vulnerabilities should include one or 

more detection rules that tell the vulnerability scanner what conditions to look for on 

managed devices. Follow the steps below to create a detection rule for a custom 


To create a user-defined detection rule 

1. Right-click a user-defined vulnerability, and then click Properties. (Or 

double-click the vulnerability.) 

2. Click the Add button located under the Detection Rules list. An editable 

version of the Rules Properties dialog opens, allowing you to configure a 

detection rule. 

3. Enter a unique name for the rule. 

4. The rule's status cannot be modified here. To change the status of a detection 

rule, right-click the rule in any list view, and then click Enable or Disable, 

depending on the current state. 

5. Specify whether the rule is Remediate or Detect Only. If you want this rule 

to perform remediation as well as detection, the patch file fields become 

editable and the Commands tab appears. 

6. If you selected Remediate, enter the patch filename and the URL to that file. 

You can attempt to download the associated patch file at this time by clicking 

Download, or you can download it at another time. 

Also, for a rule that includes remediation, we strongly recommend you create 

a hash for the patch file by clicking Generate MD5 Hash. The actual patch 

file must be downloaded before you can create a hash. For more information 

on the hash, see "Detection Rule: General tab" later in this chapter. 

6. Select the platform(s) you want the vulnerability scanner to run on to check 

for this detection rule's vulnerability. The list of available platforms is 

determined by the vulnerabilities you've updated via the LANDesk Patch 

Manager service. You must select at least one platform. 

348


7. To associate the rule with one or more specific software applications, click the 

Products tab, and then click Edit to open a dialog that lets you add and 

remove products in the Associated Products list. The list of available products 

is determined by the vulnerabilities you've updated via the LANDesk Patch 

Manager service. You do not need to have a product associated with a 

detection rule. Associated products act as a filter during the vulnerability scan 

process. If the specified associated product is found on the client, the 

vulnerability scan quits. However, if the product is found, or if no products are 

specified, the scan continues to the files check. 

8. To configure specific file conditions that you want the rule to scan for, click 

the Files tab, and then click Add to make the fields on this tab editable. The 

first step in configuring a file condition is to specify the verification method. 

The fields on this tab depend on the verification method you select. To save a 

file condition, click Update. You can add as many file conditions as you like. 

For a detailed description of this option, see "Detection Rule: Files tab" later 


9. To configure specific registry conditions that you want the rule to scan for, 

click the Registry tab, and then click Add to make the fields editable. To 

save a registry condition, click Update. You can add as many registry 

conditions as you like. For a detailed description of this option, see "Detection 

Rule: Registry tab" later in this chapter. 

10. To add additional comments, click the Comments tab and type in any text 

you want. 

11. If you selected Remediate for this rule (in step 5), you can configure 

additional commands that are run during remediation on affected clients. To 

configure additional remediation commands, click the Commands tab, and 

then click Add to select a command type and to make the command's 

argument fields editable. Additional commands aren't required. If you don't 

configure special commands, the patch file executes as it normally would by 

itself. For a detailed description of this option, see "Detection Rule: 

Commands tab" later in this chapter. 

Now that you've created a user-defined vulnerability, you can do the same things 

with it as you would with a known vulnerability from an industry source. You can set 

the vulnerability's status to Enabled or place it in the Enabled Vulnerabilities group to 

be included in the next vulnerability scan, place it in the Disabled or Unassigned 

group, view affected computers, enable Auto Fix, create a repair job, or clear 

scan/repair status. To choose an option, right-click a custom vulnerability to access 

its shortcut menu. 

Two operations that are unique to user-defined vulnerabilities are 

importing/exporting and deleting. 

Importing and exporting user-defined vulnerabilities 

Patch Manager provides a way for you to import and export custom vulnerability and 

detection rule definitions. You can't import and export known industry vulnerabilities. 

Vulnerability definitions are exported and imported as an XML-formatted file. 

Import and export is useful if you want to share custom vulnerabilities with other 

core servers. Exporting makes it possible for you to save a backup copy for a 

vulnerability definition that you want to remove temporarily from the core database. 

349

USER'S GUIDE 

You can also use the export/import feature to export a vulnerability, manually edit 

the exported file as a template and save multiple variations of the vulnerability, and 

then import the new vulnerability definitions. If the vulnerability is complex, this 

procedure can be faster and easier than creating multiple definitions in the console. 

To export a custom vulnerability 

1. From a Patch Manager vulnerabilities list, select one or more custom 

vulnerabilities. 

2. Click the Export toolbar button. (Or, right-click the selected vulnerabilities, 

and then click Export.) 

3. Enter the path to the folder where you want to export the vulnerability as an 

individual XML file. 

4. If you've exported the vulnerability before to the specified location and you 

want to replace it, click the Overwrite existing vulnerabilities. 

5. Click Export. Check the Export Status window to see whether the 

vulnerability is successfully exported. 

An exported vulnerability continues to exist in the core database, and 

therefore still appears in the User-Defined Vulnerabilities group, as well as in 

the group that corresponds to its status: Unassigned, Enabled, or Disabled. 

6. Click Close. 

To import a custom vulnerability 

1. In the Patch Manager window, click the Import toolbar button. 

2. Locate and select one or more vulnerability definitions (XML file) you want to 

import, and then click Open. If the vulnerability already exists in the core 

database, you're prompted whether you want to overwrite it. Check the 

status window to see whether the vulnerability is successfully imported. 

3. Click Close. Imported vulnerabilities (new and updated) are placed in the 

User-Defined Vulnerabilities group and in the group that corresponds to its 

status. 

Deleting user-defined vulnerabilities 

If you no longer need a custom vulnerability, you can delete it. Deleting a custom 

vulnerability removes its definition, including its inherent detection rules, from the 

core database and the Patch Manager window. (Exporting does not remove the 

vulnerability information.) 

As with purging known vulnerability information, deleting custom vulnerabilities does 

not remove any downloaded associated patch files. 

To delete custom vulnerabilities, select one or more custom vulnerabilities, and then 

click the Delete user-defined vulnerabilities button in the toolbar. 

Restoring exported custom vulnerabilities 

If you delete a custom vulnerability definition that had previously been exported as 

an XML file, you can restore that vulnerability by importing it back into Patch 

Manager with the Import tool. 

350


Viewing vulnerability and detection rule 

information 

After vulnerabilities have been updated with the latest information from the LANDesk 

Patch Manager service, you can view vulnerabilities and detection rules in their 

respective groups in the Patch Manager window, view them by platform and product, 

move them into different status groups, or copy them into your own custom groups. 

For information on the different groups in the Patch Manager view and how you can 

use them, see "Understanding the Patch Manager window" earlier in this chapter. 

You can also view property details for each of the updated vulnerabilities and 

detection rules by right-clicking an item and selecting Properties. This information 

can help you determine which vulnerabilities are relevant to your network's 

supported platforms and applications, how a vulnerability's detection rules check for 

the presence of a vulnerability, what patches are available, and how you want to 

configure and perform remediation for affected clients. 

User-defined vulnerabilities can be modified 

If you select a known industry vulnerability, its properties dialog is primarily for 

information viewing purposes only. However, if you select a user-defined 

vulnerability, or are creating a new user-defined vulnerability, the fields in the 

properties dialog are editable, allowing you to define the vulnerability and its 

detection rule(s). 

You can also view vulnerability and detection rule information specific to a scanned 

device (or devices) directly from the network view by right-clicking one or more 

selected devices, and then clicking Vulnerability Information. 

About the Vulnerability Properties dialog 

Use this dialog to view vulnerability properties for downloaded vulnerabilities, or to 

create and edit user-defined vulnerabilities. 

This information is read-only for vulnerabilities that have been downloaded via the 

Patch Manager service (see "Updating vulnerability information" earlier in this 

chapter). 

For a user-defined vulnerability, the fields on this dialog are editable. You can specify 

vulnerability settings and enter information in the available fields on each tab in 

order to create your own vulnerability definition (see "Creating a user-defined 

vulnerability" earlier in this chapter). 

You can use the left and right arrow buttons () to view property information for 

the previous or next vulnerability in the order they are currently listed in the main 

window. 

This dialog contains two tabs: 

351

USER'S GUIDE 

General tab 

• Vulnerability ID: Identifies the vulnerability with a unique, vendor-defined 

(or user-defined) alphanumeric code. 

• Publish Date: Indicates the date the vulnerability was published by the 

vendor (or created by a user). 

• Title: Describes the nature or target of the vulnerability in a brief text string. 

• Severity: Indicates the severity level of the vulnerability, according to an 

independent rating (or specified by the user who created the custom 

vulnerability). Possible severity levels include: Service Pack, Critical, High, 

Medium, Low, Not Applicable, and Unknown. 

• Status: Indicates the status of the vulnerability in the Patch Manager 

window. The three status indicators are: Enabled, meaning the vulnerability is 

enabled for the next vulnerability scan on devices; Disabled, meaning it won't 

be scanned for; and Unassigned, meaning it won't be scanned and is in a 

temporary holding area. For more information about these three 

states/groups, see "Understanding the Patch Manager window" earlier in this 

chapter. 

• Language: Indicates the language of the platform for which the vulnerability 

is designed to scan. INTL is the default value for user-defined vulnerabilities, 

meaning it's compatible with any language and can't be changed. 

• Detection Rules: Lists the detection rules associated with the vulnerability. 

Note that Downloaded indicates whether the patch file is downloaded to the 

local repository, and Silent Install indicates whether the patch will install on 

clients without user interaction. You can right-click a rule directly from this 

view to download a patch or to disable/enable the rule. Double-click the rule 

to view its properties. 

Description tab 

Note: If you're viewing a user-defined vulnerability, click Add to create a 

new detection rule (see "Creating a user-defined detection rule" earlier in 

this chapter); click Edit to modify the selected rule; or click Delete to 

remove the selected rule. 

• Description: Provides additional details about the vulnerability. This 

information is provided by vendors' research and test notes (or by the user 

who created the vulnerability). 

• More Information: Provides a HTTP link to a vendor-specific (or userdefined) 

Web page, typically a support site, with more information about the 


About the Detection Rule Properties dialog 

Use this dialog to view detection rule properties for downloaded vulnerabilities' 

detection rules, or to create and edit user-defined vulnerabilities' detection rules. 

This information is read-only for detection rules belonging to downloaded 

vulnerabilities. 

For a user-defined vulnerability's detection rule, the fields on this dialog are editable. 

You can specify detection rule settings and enter information in the available fields 

352


on each tab in order to create custom detection rules. Furthermore, if you've 

selected Remediate for this rule, a Commands tab appears in the dialog to let you 

configure special additional commands that run during remediation. 

You can use the left and right arrow buttons () to view property information for 

the previous or next detection rule in the order they are currently listed in the main 

window. 

This dialog contains five (or six) tabs. 

General tab 

• Rule name: Displays the name of the detection rule. 

• State: Indicates whether the detection rule is enabled or disabled. These two 

states correspond to the Enabled Detection Rules and Disabled Detection 

Rules groups in the Patch Manager window. Enabled rules can be used for 

scanning and disabled rules can't. 

• Remediate or Detect Only: Specifies whether the detection rule will just 

check for the presence of the associated vulnerability (detect only) or also 

remediate the vulnerability if detected. 

• Patch file name: Displays the name of the patch file required to remediate 

the vulnerability if detected. User-defined Detect Only rules do not require a 

patch file. (Note that for user-defined vulnerabilities, a patch file might be an 

executable file, a text file, or a zipped file, depending on the remediation 

action you've chosen.) 

• Patch URL: Displays the HTTP path from where the patch file can be 

downloaded. 

If you're are creating or editing a user-defined detection rule that also 

performs remediation, and you've entered a patch filename and URL, you 

can click Download to attempt to download the patch file at this time. 

You can download the patch file at a later time if you prefer. 

When you download the patch file, LANDesk strongly recommends you 

create a hash for the patch file by clicking Generate MD5 Hash. (Most, 

if not all, known vulnerabilities' associated patch files should have a 

hash.) The patch file must be downloaded before you can create a hash. 

A hash file is used to ensure the integrity of the patch file during 

remediation (i.e., when it's deployed and installed on an affected client). 

The vulnerability scanner does this by comparing the hash code created 

when you click the Generate MD5 Hash button with a new hash it 

generated immediately before attempting to install the patch file from 

the patch repository on the client. If the two hash files match, 

remediation proceeds. If the two hash files do not match, indicating the 

patch file has changed in some way since being downloaded to the 

repository, the remediation process quits. 

• Vulnerability: Displays the ID and title of the vulnerability with which the 

rule is associated. 

• Affected Platforms: Identifies the operating system(s) the vulnerability 

scanner will run on to check for this rule's vulnerability. At least one platform 

must be selected. If a target device is running a different operating system, 

the vulnerability scan quits. 

353

USER'S GUIDE 

Products tab 

• Affected Products: Lists the products associated with the detection rule. 

Select a product in the list to view its name, vendor, and version information. 

If you're creating or editing a user-defined detection rule, click Edit to 

open a new dialog that lets you add and remove products in the list. The 

list of available products is determined by the vulnerabilities you've 

updated via the LANDesk Patch Manager service. You do not need to 

have a product associated with a detection rule. Associated products act 

as a filter during the vulnerability scan process. If none of the specified 

associated products are found on the client, the vulnerability scan quits. 

However, if no products are specified, the scan proceeds to the files 

check. 

• Name: Provides the name of the selected product. 

• Vendor: Provides the vendor name of the selected product. 

• Version: Provides the version number of the selected product. 

Files tab 

• Files: Lists the file conditions that are used to determine whether the 

vulnerability exists on a target client. Select a file in the list to view its 

verification method and expected parameters. If any of these conditions are 

NOT met, the vulnerability is determined to exist on that client. If there are 

no file conditions in the list, the scan proceeds to the registry check. 

If you're creating or editing a user-defined detection rule, click Add to 

make the fields editable, allowing you to configure a new file condition 

and expected values/parameters. A rule can include one or more file 

conditions, depending on how complex you want to make it. To save a 

file condition, click Update. To delete a file condition from the list, select 

it and click Remove. 

• Verify using: Indicates the method used to verify whether the prescribed file 

condition is met on scanned devices/clients. For example, a detection rule can 

scan for file existence, version, date, size, and so on. The expected 

parameters that appear below the verification method are determined by the 

method itself (see the list below). 

If you're creating or editing a user-defined detection rule, select the 

verification method from the Verify using drop-down list. As stated 

above, the parameter fields are different for each verification method, as 

described in the following list: 

• File Existence Only: Verifies by scanning for the specified file. 

Parameters are: Path (location of the file on the hard drive, including 

the filename), and Requirement (must exist or must not exist). 

• File Version: Verifies by scanning for the specified file and its version 

number. Parameters are: Path, Minimum Version, and Requirement 

(must exist, must not exist, or may exist). 

354


Registry tab 

Note: With the File Version, Date, and Size parameters, you can click the 

Gather Data button, after specifying the file path and name, to 

automatically populate the appropriate value fields. 

• File Date: Verifies by scanning for the specified file and its date. 

Parameters are: Path, Minimum Date, and Requirement (must exist, 

must not exist, or may exist). 

• File Size and/or Checksum: Verifies by scanning for the specified 

file and its size or checksum value. Parameters are: Path, Checksum, 

File size, and Requirement (must exist, must not exist, or may exist). 

• MSI Product ID installed: Verifies by scanning to ensure the 

specified MSI product is installed (a product installed by the Microsoft 

Installer utility). Parameters are: Guid (the product's global unique 

identifier). 

• MSI Product ID NOT installed: Verifies by scanning to ensure the 

specified MSI product isn't installed. Parameters are: Guid. 

• Registry: Lists the registry key conditions that are used to determine 

whether the vulnerability exists on a target client. Select a registry key in the 

list to view its expected parameters. If any of these conditions are NOT met, 

the vulnerability is determined to exist on that client. If there are no registry 

conditions in the list, AND there were no file conditions on the Files tab, the 

scan fails. In other words, a detection rule must have at least one file or 

registry condition. 

If you're creating or editing a user-defined detection rule, click Add to 

make the fields editable allowing you to configure a new registry key 

condition and expected parameters. A rule can include one or more 

registry conditions. To save a registry condition, click Update. To delete 

a registry condition from the list, select it and click Remove. 

• Key: Identifies the registry key's expected folder and path. 

• Name: Identifies the expected name of the key. 

• Value: Identifies the expected value of the key. 

• Requirement: Indicates whether the registry key must or must not exist on 

target devices. 

Comments tab 

• Comments: Provides additional information from the patch vendor, if 

available. If you're creating or editing a user-defined detection rule, you have 

the option of typing in your own comments. 

Commands tab 

The Commands tab appears ONLY if the vulnerability is user-defined and the selected 

detection rule performs remediation. This tab doesn't appear for vulnerabilities 

downloaded via the Patch Manager service, or for user-defined vulnerabilities that do 

detection only. 

355

USER'S GUIDE 

Use this tab to configure special additional commands that are run as part of the 

remediation process. These commands are useful if you need to program specific 

actions on target clients to ensure successful remediation. Additional commands 

aren't required. If you don't configure any additional commands, the patch file 

executes by itself by default. If you do configure one or more additional commands, 

you must execute the patch file with the Execute command. 

• Commands: Lists commands in the order they will run on target clients. 

Select a command to view its arguments. You can change the order of 

commands with the Move Up and Move Down buttons. To remove a 

command from the list, select it and click Remove. 

• Add: Opens a dialog that lets you select a command type to add to the 

Commands list. 

• Command Arguments: Displays the arguments that define the selected 

command. An argument's values can be edited. To edit any argument, 

double-click its Value field, and then type directly in the field. For all the 

command types, you can also right-click in the Value field to insert a 

macro/variable into the argument. 

The following list describes the commands and their arguments: 

• Copy: Copies a file from the specified source to the specified destination on 

target clients' hard drives. This command can be used before and/or after 

executing the patch file itself. For example, after extracting the contents of a 

compressed file with the Unzip command, you may want to copy files from 

one location to another. 

The arguments for the Copy command are: Dest (full path where you want to 

copy the file, not including the filename) and Source (full path, and file name, 

of the file you want to copy). 

• Execute: Runs the patch file, or any other executable file, on target clients. 

The arguments for the Execute command are: Path (full path, and file name, 

where the executable file resides; for the patch file, you can use the 

%SDMCACHE% and %PATCHFILENAME% variables), Args (command-line 

options for the executable file; note this field is not required), Timeout 

(number of seconds to wait for the executable to terminate before continuing 

to the next command in the list, if the Wait argument is set to true), and Wait 

(true or false value that determines whether to wait for the executable to 

terminate before continuing to the next command in the list). 

• ButtonClick: Automatically clicks a specified button that displays when an 

executable file runs. You can use this command to program a button click if 

such interaction is required by the executable. 

In order for the ButtonClick command to work properly, the Wait argument 

for the preceding Execute command must be set to false so that the 

executable doesn't have to terminate before continuing to the button click 

action. 

356


The arguments for the ButtonClick command are: Required (true or false 

value indicating whether the button must be clicked before proceeding; if you 

select true and the button can't be clicked for any reason, remediation quits; 

if you select false and the button can't be clicked, remediation will continue), 

ButtonIDorCaption (identifies the button you want clicked by its text label, or 

its control ID), Timeout (number of seconds it takes for the button you want 

clicked appears when the executable runs), and WindowCaption (identifies the 

window or dialog where the button you want clicked is located). 

• ReplaceInFile: Edits a text-based file on target clients. Use this command if 

you need to make any modifications to a text-based file, such as a specific 

value in an .INI file, before or after executing the patch file to ensure that it 

runs correctly. 

The arguments for the ReplaceInFile command are: Filename (full path and 

name of the file you want to edit), ReplaceWith (exact text string you want to 

add to the file), and Original Text (exact text string you want to replace in the 

file). 

• StartService: Starts a service on target clients. Use this command to start a 

service required for the patch file to run, or to restart a service that was 

required to be stopped in order for the patch file to run. 

The arguments for the StartService command are: Service (name of the 

service). 

• StopService: Stops a service on target clients. Use this command if a service 

must be stopped on a client before the patch file can be installed. 

The arguments for the StopService command are: Service (name of the 

service). 

• Unzip: Unzips a compressed file on target clients. For example, you can use 

this command if remediation requires more than one file be run or copied on 

target clients. 

The arguments for the Unzip command are: Dest (full path to where you want 

to extract a compressed file's contents on a client's hard drive), and Source 

(full path and filename of the compressed file). 

Purging vulnerability and detection rule information 

You can purge vulnerability information from the Patch Manager window (and the 

core database) if you determine that it isn't relevant to your environment or if a 

successful remediation makes the information obsolete. 

When you purge vulnerability information, associated detection rule information is 

also removed from the Detection Rules groups in the tree view. However, the actual 

patch executable files aren't removed by this process. Patch files must be removed 

manually from the local repository, which is typically on the core server. 

357

USER'S GUIDE 

To purge vulnerability information 


2. Click the Purge unused vulnerabilities toolbar button. 

3. Select the platforms whose vulnerability information you want to remove. You 

can select one or more platforms in the list. 

If a vulnerability is associated with more than one platform, you must select 

all of its associated platforms in order for the vulnerability's information to be 

removed. 

4. Select the languages whose vulnerability information you want to remove 

(associated with the platform selected above). 

If you select a Windows platform above, you should specify which languages' 

vulnerability information you want to remove. If you select a UNIX platform 

above, you must specify the Language neutral option in order to remove 

cross-language vulnerability information. For more information on the 

language options, see "About the Language neutral option" earlier in this 

chapter. 

5. Click Remove. 

About the Purge Unused Vulnerability Information dialog 

Use this dialog to remove vulnerability, and associated detection rule, information. 

• Select platforms to remove: Determines which platforms' vulnerabilities 

are removed from the core database. 

• Select languages to remove: Determines the language versions of the 

selected platforms' vulnerabilities that are removed. See step 4 above. 

• Remove: Removes vulnerability and detection rule information for the 

selected platform(s) and language(s). 

• Close: Closes the dialog without saving changes and without removing 

vulnerability information. 

358


Scanning clients for vulnerabilities 

Vulnerability assessment means checking the currently installed versions of 

operating system- and application-specific files and registry keys on a client against 

the most current known vulnerabilities in order to identify security risks in your 

systems. 

After reviewing known vulnerability information (updated from industry sources) and 

deciding which vulnerabilities you want to scan for, you can perform customized 

vulnerability assessment on managed clients that have the Vulnerability Scanner 

agent installed. (For information on configuring clients for vulnerability scanning and 

patch deployment, see "Configuring clients to work with Patch Manager" earlier in 

this chapter.) 

Of course, your own user-defined vulnerabilities can also be implemented for 

vulnerability scans. 

When the vulnerability scanner runs, it always reads the contents of the Enabled 

Vulnerabilities group and scans for those specific vulnerabilities. Before scanning a 

device (or devices) for vulnerabilities, you should always make sure the appropriate 

vulnerabilities are included in that group. You can move vulnerabilities into and out 

of the Enabled Vulnerabilities group manually at any time. You can also configure an 

update vulnerabilities process to automatically add new vulnerabilities into the 

Enabled Vulnerabilities group. 

As noted above, if the Vulnerability Scanner agent is selected for installation as part 

of a client configuration script, the scanner automatically runs for the first time on 

target clients as part of that configuration. 

Vulnerability scans add vulnerability information to a client's inventory in the core 

database. This information can be used to generate vulnerability-specific queries, 

policies, and reports. To view a client's vulnerability information, right-click the client 

and then click Vulnerability Information. 

Caution about moving vulnerabilities from the Enabled Vulnerabilities group 

When you move vulnerabilities from the Enabled to the Disabled group, the current 

vulnerability assessment information (information located in the core database about 

which scanned clients detected those vulnerabilities) is removed from the core 

database and is no longer available in either the vulnerabilities' Properties dialogs or 

in the clients' Vulnerability Information dialogs. To restore that vulnerability 

assessment information, you would have to move the vulnerabilities back into the 

Enabled Vulnerabilities group and run a vulnerability scan again. 

The vulnerability scanner can be run directly at a client (Click Start | All Programs 

| LANDesk Management | Vulnerability Scanner), or pushed to clients as a Scan 

for Vulnerabilities task from the core server. 

359

USER'S GUIDE 

To scan for vulnerabilities via a scheduled task 


2. Make sure vulnerability information has been updated recently. 

3. Make sure the Enabled Vulnerabilities group contains only those vulnerabilities 

you want to scan for. 

4. Click the Schedule vulnerability scan toolbar button to add the task to the 


5. Add the target clients that you want to scan. 

6. Click the Set Start Time toolbar button and configure the time and 

recurrence of the task however you like. See "Scheduling tasks" in the Client 

configuration chapter for more information. 

7. Click OK. 

Vulnerability log file 

The vulnerability scanner writes a log file for the most recent scan on the client 

called vulscan.log, and also saves the last five log files in chronological order by 

number. These log files provide information on the time of the vulnerability scan, 

language, platform (Windows 95/98 display as Win9x; Windows 2000 displays as 

Win2k; and Windows XP/2003 display as WinXP), and the processes run by the scan. 

Viewing the most recent vulnerability scan date 

To see when the last vulnerability scan was run on a device, right-click the device, 

click Inventory, and then scroll down to the Last Vulnerability Scan Date 

attribute in the right-hand pane of the Inventory view. 

360


Viewing detected vulnerabilities 

If the vulnerability scanner discovers vulnerabilities for any of the enabled 

vulnerabilities on any of the target devices, this information is reported to the core 

server. You can use any of the following methods to view detected vulnerabilities 

after running a vulnerability scan: 

By the Detected Vulnerabilities group 

Select the Detected Vulnerabilities group in the Patch Manager window to view a 

complete listing of all vulnerabilities detected by the most recent scan. The Scanned 

column indicates how many devices were scanned for a vulnerability, and the 

Detected column shows how many of those devices are affected by that vulnerability. 

By a vulnerability 

Right-click a vulnerability, and then click Affected computers to view a list of 

devices on which the vulnerability was detected by the most recent scan. 

By an individual device 

Right-click a specific device in the network view, and then click Vulnerability 

Information to view detailed vulnerability assessment information and patch 

deployment status for the device (see "About the Vulnerability Information dialog" 

below). 

By a group of selected devices 

Select multiple devices in the network view, right-click the group, and then click 

Vulnerability Information to view a list of vulnerabilities discovered on one of 

more of those devices. When you select a vulnerability in the list, the devices on 

which the vulnerability was detected by the most recent scan display in the bottom 

pane. 

About the Vulnerability Information dialog 

Use this dialog to view detailed vulnerability assessment information and patch 

deployment status for a device. You can also right-click a vulnerability in this view 

and directly create a repair job, or enable/disable the Auto Fix feature. 

• Vulnerabilities Detected: Select this item to display all of the device's 

vulnerabilities detected by the last scan. 

• Vulnerabilities Not Detected: Select this item to display the vulnerabilities 

that were included in the last scan, but were not detected on the device. 

• Vulnerability Information: 

• Vulnerability: Displays the title of the selected vulnerability. 

• Detected: Indicates whether the selected vulnerability was detected. 

• First detected: Displays the date and time the vulnerability was 

initially detected on the device. This information can be useful if you've 

performed multiple scans. 

• Reason: Describes the reason why the selected vulnerability was 

detected. This information can be useful in helping you decide whether 

the security risk is serious enough to prompt immediate remediation. 

• Expected: Displays the version number of the file or registry key the 

vulnerability scanner is looking for. If the version number of the file or 

registry key found on the scanned device matches this number, the 

vulnerability does not exist. 

361

USER'S GUIDE 

• Found: Displays the version number of the file or registry key found 

on the scanned device. If this number is different than the Expected 

number above, the vulnerability exists. 

• Patch Information: 

• Patch Required: Displays the file name of the patch executable 

required to remediate the selected vulnerability. 

• Install Date: Displays the date and time the patch was installed on 

the device, if applicable. 

• Install Status: Indicates whether the deployment/installation was 

successful. If an installation failed, you must clear this status 

information before attempting to install the patch again. 

• Clear Status: Clears the current patch installation date and status for 

the selected client. Clearing this information is necessary in order to 

attempt to deploy and install the patch again. 

362


Downloading patches 

In order to deploy security patches to vulnerable devices, the patch executable file 

MUST first be downloaded to a local patch repository on your network. The default 

location for patch file downloads is the core server's /LDLogon/Patches directory. You 

can change this location on the Patch tab of the Update Vulnerabilities Settings 

dialog. 

Patch download location and proxy server settings 

Patch downloads always use the download location settings currently found on the 

Patch tab of the Update Vulnerabilities Settings dialog. Also note that if your network 

uses a proxy server for Internet access, you must first configure the proxy server's 

settings on the Proxy Server tab of the Update Vulnerabilities Settings dialog before 

you can download patch files. 

Patch Manager first attempts to download a patch file from the URL (shown on the 

Patch Properties dialog). If a connection can't be made, or if the patch is unavailable 

for some reason, Patch Manager downloads the patch from the LANDesk Patch 

Manager service, which is a LANDesk-hosted database containing patches from 

trusted industry sources. 

You can download one patch at a time, or a set of patches together at the same 

time. 

To download patches 

1. From any Detection Rules group in the Patch Manager window, right-click a 

detection rule, and then click Download Patch. You can also download 

patches for user-defined vulnerabilities from the detection rule dialog when 

creating or editing a custom vulnerability. 

2. Or, to download a set of patches, select any number of rules in any Detection 

Rules group, right-click the selection, and then click Download Patch. 

3. The download operation and status displays in the Downloading Patches 

dialog. You can click Cancel at any time to stop the entire download process. 

4. When the download is finished, click the Close button. 

For more information on patch file download status, see "Understanding the Patch 

Manager window" earlier in this chapter. 

Removing patch files 

To remove patch files, you must delete the files manually from the patch repository, 

which is typically on the core server. 

363

USER'S GUIDE 

Remediating vulnerabilities 

Once you've updated vulnerabilities (or created your own user-defined 

vulnerabilities), scanned clients, determined which vulnerabilities require attention, 

and downloaded patches, the next step in implementing patch management is to 

perform vulnerability remediation by deploying and installing the necessary patches 

on target clients. 

Note that remediation, like vulnerability scanning, only works on clients that have 

been configured with the Vulnerability Scanner agent. For more information, see 

"Configuring clients to work with Patch Manager" earlier in this chapter. 

Patch Manager does a smart remediation by installing only those patches that are 

needed on each individual device, not all of the patches referenced by all of the 

vulnerabilities included in the repair job. 

Patch Manager can also take advantage of Management Suite's enhanced package 

deployment capabilities for fast and efficient patch deployment, such as: Targeted 

Multicast, peer download, and checkpoint restart. You can read more about these 

features in the "Distributing software and files" chapter. 

Manually remediate Mac and UNIX clients 

Supported Windows clients can be remediated from the Management Suite console 

using any of the methods described here, but other supported clients such as Mac 

OS X and UNIX Sun Solaris can only be scanned, not remediated, from the 

Management Suite console. You must manually install patches on both Mac and UNIX 

clients. 

Individual and group remediation 

You can remediate a single vulnerability or a set of vulnerabilities with any of the 

three remediation methods described below. 

To remediate one vulnerability at a time, right-click the vulnerability and then click 

Repair. 

To remediate a set of vulnerabilities together, copy vulnerabilities from any of the 

Vulnerabilities groups into a custom group (see "Understanding the Patch Manager 

window" earlier in this chapter), right-click the group, and then click Repair. The 

Auto Fix method isn't available for custom groups; however, you can multi-select 

vulnerabilities in a listing, right-click and select Auto Fix. 

Remediation methods 

LANDesk Patch Manager provides the following methods to remediate vulnerabilities 

(for both individual vulnerabilities and groups of vulnerabilities): 

• Scheduled task 

• Policy-based 

• Auto Fix 

364


Scheduled task remediation can be thought of as a push distribution because the 

patch is pushed from the core server to target clients, while a policy is considered a 

pull distribution because the clients' policy agent checks the core server for 

applicable policies and then pulls the patch from the core server. 

Scheduled task remediation 

Scheduled task remediation is useful if you want to set up a repair job to run at a 

specific time in the future, or as a recurring task. Patch Manager uses the Scheduled 

Tasks tool to configure and process a scheduled vulnerability remediation task. 

To configure scheduled task remediation 


2. Right-click a single vulnerability from one of the Vulnerabilities groups, or 

right-click a custom group of vulnerabilities. 

3. Click Repair. 

4. Edit the Job Name if you want to change the name of the repair job. 

5. Check the Repair as a Scheduled Task check box. 

6. (Optional) If you want the current vulnerable clients automatically added to 

the target list in the Scheduled Tasks window, check the Add vulnerable 

nodes check box. The vulnerable clients are those devices where the 

vulnerability was detected by the last vulnerability scan. You can also add 

more targets once the task is created in the Scheduled Tasks window. 

7. (Optional) If you want patches to be deployed using Targeted Multicast, check 

the Use multicast check box. To configure Multicast options, click the 

Multicast Options button. See "About the Multicast Options dialog" below for 

details. 

8. (Optional) If you want to use peer download strictly for patch deployment, 

check the Peer download check box. If this option is selected, the patch file 

is only deployed if it currently resides in either the clients' local cache or on a 

peer on the same subnet. This option conserves network bandwidth, but note 

that for the patch installation to be successful, it must be in one of these two 

places. 

9. (Optional) If you want to make sure that target clients don't reboot 

automatically, regardless of the patch(es) applied, check the Never reboot 

check box. Some patches require a reboot. However, by checking this option, 

you can apply a patch remotely while avoiding the automatic reboot in 

circumstances where you want to manually reboot the computer at a later, 

more appropriate time. 

10. Click OK. 

11. The task appears in the Scheduled Tasks window with the job name specified 

above, where you can add target devices and configure scheduling options. 

365

USER'S GUIDE 

Policy-based remediation 

Policy-based remediation offers flexibility by letting you dynamically target clients 

based on the results of a custom LDAP or core database query. For example, you can 

configure a remediation policy so that it runs only on clients in a particular directory 

container, or only on clients running a specific OS (or any other inventory attribute 

that can be queried). Patch Manager uses the Application Policy Management tool to 

configure and process remediation policies. 

In order to be remediated by a policy, a client must have the Application Policy 

Management agent installed. When a client's Application Policy Management agent 

runs, it checks the core database for policies that might apply to it. If such policies 

exist, a dialog appears at the client showing recommended and optional policies 

(required policies are automatically applied). 

Remediation (or repair) policies operate in much the same way as application policies 

do, except you're distributing patch files instead of application files. Policy 

management prerequisites, task flow, policy types, and static and dynamic targeting 

are essentially identical between repair policies and application policies. If you want 

to learn more about how policy management operates, refer to the "Managing 

application policies" chapter for details. 

To configure policy-based remediation 


2. Right-click a single vulnerability from one of the Vulnerabilities groups, or 

right-click a custom group of vulnerabilities. 

3. Click Repair. 

4. Edit the Job Name if you want to change the name of the remediation job. 

5. Check the Repair as a Policy check box. 

6. If you want to create a new query, based on this vulnerability definition, that 

can be used later to scan other managed devices, check the Add a query 

check box. 

7. (Optional) If you want to use peer download strictly for patch deployment, 

check the Peer download check box. If this option is selected, the patch file 

is only deployed if it currently resides in either the clients' local cache or on a 

peer on the same subnet. This option conserves network bandwidth, but note 

that for the patch installation to be successful, it must be in one of these two 

places. 

8. (Optional) If you want to make sure that target clients don't reboot 

automatically, regardless of the patch(es) applied, check the Never reboot 

check box. Some patches require a reboot. However, by checking this option, 

you can apply a patch remotely while avoiding the automatic reboot in 

circumstances where you want to manually reboot the computer at a later, 

more appropriate time. 

9. Click OK. 

10. The new policy appears in the Application Policy Management window with the 

job name specified above. From there you can add static targets (users or 

devices) and dynamic targets (query results), and configure the policy's type 

and frequency. For more information, see "Configuring policies" in the 

"Managing application policies" chapter. 

366


Auto Fix remediation 

Auto Fix is a convenient, integrated method for quick remediation in cases where you 

don't want to create a scheduled task or policy-based repair job. For example, if 

there is a new known vulnerability that you want to scan for and repair in a single 

process, you can use the Auto Fix feature. 

Requirements for using Auto Fix 

Only Administrators or users with the Patch Manager right AND the Default All 

Machines scope can enable the Auto Fix feature for vulnerabilities. Management 

Suite users without either the LANDesk Administrator or Patch Manager right won't 

even see this option on a vulnerability's shortcut (right-click) menu. For more 

information on rights and scope, see "Role-based administration" in chapter 1. 

When Auto Fix is enabled, the next time the vulnerability scanner runs (either 

manually or via a Scan for Vulnerabilities task), Patch Manager automatically deploys 

and installs the required patch on any affected target device. With Auto Fix, if a 

patch requires a reboot, the target device always automatically reboots. 

You can enable Auto Fix for an individual vulnerability, or a multi-selected group of 


The Auto Fix column in a Vulnerabilities group listing indicates whether Auto Fix is 

enabled or not, with a Yes or No indicator. 

To configure Auto Fix remediation 


2. Right-click one or more selected vulnerabilities from one of the Vulnerabilities 

groups. (You can't enable Auto Fix on a specific Vulnerabilities custom group.) 

3. Click Enable Auto Fix. 

4. Now run the vulnerability scanner on the devices you want to scan and 

automatically remediate. 

What happens on the client during remediation 

Automated remediation entails deploying and installing patches on managed 

Windows clients, by any of the three methods described in the sections above. 

It is important to remember that a vulnerability repair job can include remediation 

for one or more vulnerabilities. Furthermore, a single detected vulnerability can 

require the installation of one or more patches to fix. Because of these factors, 

remediation might imply the installation of just one patch file on the client, or the 

installation of several patch files on the client, depending on the number and type of 

detected vulnerabilities. 

Almost all patch files install silently (or transparently), requiring zero user interaction 

at the client itself. Some Windows 9.x patches and non-English patches do not install 

silently. You can tell whether a patch installs silently or not by checking the Silent 

Install column in a patch listing in the Patch Manager view. For more information, 

see "About the Patch Manager window" earlier in this chapter. 

367

USER'S GUIDE 

Consolidated reboot 

If a patch file installation requires a reboot (AND the Never reboot option on the 

Repair Vulnerability dialog isn't checked), Patch Manager first installs ALL of the 

specified repair job's patches on the client, and then reboots the client once. 

Additional commands (user-defined vulnerabilities only) 

User-defined vulnerability remediation can include special additional commands that 

are defined when you create a custom detection rule. Additional commands run in 

the order specified on that rule's Commands tab, and according to each commands' 

arguments. Additional commands can run before, during, or after the patch file itself 

executes. 

About the Repair Vulnerability dialog 

Use this dialog to configure a remediation (repair) job. 

• Job name: Identifies the repair job with a unique name. The default is the 

name of the vulnerability or the custom group. You can edit this name if you 

like. 

• Repair as a scheduled task: Configures a scheduled task remediation. 

• Add vulnerable devices to target list: Automatically adds 

vulnerable clients to the target list in the Scheduled Tasks window. 

Vulnerable clients are those affected devices detected by the last 

vulnerability scan. 

• Use Targeted Multicast: Enables Targeted Multicast for patch 

deployment to target devices. 

• Multicast Options: Opens a separate dialog where you can configure 

various multicast options. See "About the Multicast Options dialog" 

below. 

• Repair as a policy: Configures a policy-based remediation. 

• Add a query: Creates a new query, based on the selected vulnerability 

definition, that you can use to scan other managed devices. 

• Peer download (only install from cache or peer): Restricts patch 

deployment so that it will only take place if the patch file is located in the 

clients' local cache or on a peer on the same subnet. This option conserves 

network bandwidth, but note that for the patch installation to be successful, it 

must be in one of these two places. 

• Never reboot: Prevents target clients from rebooting automatically, even if a 

patch requires a reboot. By checking this option, you can apply a patch 

remotely while avoiding the automatic reboot if you want to manually reboot 

the computer at a later, more appropriate time. Note that this option doesn't 

apply to Auto Fix remediation. 

Note: You can read more about the Target Multicast and peer download features in 

the "Distributing software and files" chapter. 

368


About the Multicast Options dialog 

Use this dialog to configure the following Targeted Multicast options for a scheduled 

task remediation: 

• Multicast Domain Discovery: 

• Use multicast domain discovery: Select this option if you want 

Targeted Multicast to do a domain discovery for this job. This option 

won't save the domain discovery results for reuse. 

• Use multicast domain discovery and save results: Select this 

option if you want Targeted Multicast to do a domain discovery for this 

job and save the results for future use, saving time on subsequent 

multicasts. 

• Use results of last multicast domain discovery: Use this option 

once you've had Targeted Multicast do a domain discovery that saved 

the results. 

• Have domain representative wake up computers: Use this option if you 

want computers that support Wake On LAN technology to turn on so they can 

receive the multicast. 

• Number of seconds to wait after Wake on LAN: How long domain 

representatives wait to multicast after the Wake On LAN packet has been 

sent. The default waiting period is 120 seconds. If some computers on your 

network take longer than 120 seconds to boot, you should increase this value. 

The maximum value allowed is 3600 seconds (one hour). 

The options below let you configure job-specific Targeted Multicast parameters. The 

defaults should be fine for most multicasts. Here are what the options do: 

• Maximum number of multicast domain representatives working 

simultaneously: No more than this number of representatives will be 

actively doing a multicast at one time. 

• Limit the processing of machines that failed multicast: When a client 

fails to receive the file through multicast, it will download the file from the 

Web or file server. This parameter can be used to limit the number of clients 

that will obtain the file at one time. For example, if the maximum number of 

threads was 200 and the maximum number of multicast failure threads was 

20, the Custom Job dialog would process no more than 20 computers at a 

time that failed the multicast. The Custom Job dialog will process up to 200 

clients at a time if they successfully received the multicast, but no more than 

20 of the 200 threads will be processing clients that failed the multicast task. 

If this value is set to 0, the Custom Job dialog won't perform the distribution 

portion of the task for any computer that failed multicast. 

• Number of days the files stay in the client cache: Amount of time that 

the file being multicast can stay in the cache on each target computer. After 

this period of time, the file will be automatically purged. 

• Number of days the files stay in multicast domain representative 

cache: Amount of time that the file being multicast can stay in the cache on 

the multicast domain representative. After this period of time, the file will be 

automatically purged. 

369

USER'S GUIDE 

• Minimum number of milliseconds between packet transmissions 

(WAN or Local): Minimum amount of time to wait between sending out 

multicast packets. 

This value is only used when the domain representative isn't multicasting a 

file from its own cache. If this parameter isn't specified, then the default 

minimum sleep time stored on the subnet/domain representative computer 

will be used. You can use this parameter to limit bandwidth usage across the 

WAN. 

• Maximum number of milliseconds between packet transmissions 

(WAN or Local): Maximum amount of time to wait between sending out 

multicast packets. For more information, see Minimum number of milliseconds 

between packet transmissions above. 

Verifying remediation status 

After performing remediation on target clients, Patch Manager reports the status of 

each patch installation. You can check the status of patch installation per 

vulnerability and per target client. 

To verify patch installation on a client 

1. Run the vulnerability scanner on the client. 

2. Right-click a remediated client (device) in the network view, and then click 

Vulnerability Information. 

3. Click the Vulnerabilities Detected item in the left-hand pane, and then 

select a specific vulnerability to the right. 

4. Check the Patch Information fields at the bottom of the view. 

The Install status field indicates whether the installation was successful. 

Possible states include: Succeeded, Failed, and Failed to Download. 

If a patch installation failed, you must first clear the install status information before 

attempting to install the patch again. You can clear the install (repair) status for the 

selected client from the Vulnerability Information dialog. You can also clear the patch 

install status by vulnerability (see below). 

Clearing vulnerability scan and repair status by vulnerability 

You can clear vulnerability scan and repair status information for all devices affected 

by a vulnerability (or vulnerabilities) with the Clear scan/repair status dialog. As 

stated above, if a patch installation fails, you must first clear the install (repair) 

status before attempting to install the patch again. 

You can also use this dialog to remove vulnerability scan information from the 

database for one or more vulnerabilities. 

To clear vulnerability scan and repair status, right-click the vulnerability and select 

Clear scan/repair status, select the desired options, and then click Clear. 

370


Using Patch Manager reports 

When you install the Patch Manager add-on to your Management Suite 8 system, 

several patch management-specific reports are added to the Reports tool. 

Patch Manager reports provide a variety of useful vulnerability assessment and 

remediation (patch deployment) status information for managed clients on your 

network. 

In order to access the Reports tool, and generate and view reports, a Management 

Suite user must have either the LANDesk Administrator right (implying full rights) or 

the specific Reports right. 

Patch Manager Reports 

The following predefined reports are found in the All Patch Manager Reports group in 

the Reports window: 

• Detected Vulnerabilities by Computer: Lists all of the vulnerabilities found 

on the selected devices, including the date they were found. 

• Detected Vulnerabilities by Location: Lists all of the vulnerabilities found 

on the devices for the selected locations. 

• Detected Vulnerabilities by Vulnerability: Lists all of the devices the 

selected vulnerabilities were found on, including the date they were found. 

• Devices Not Scanned for Vulnerabilities: Lists all of the devices that do 

not have vulnerability information recorded in the core database. 

• Devices That Could Not Be Remediated: Lists all of the vulnerabilities for 

the selected devices whose patch could not be deployed, including the date of 

the last attempted remediation. 

• Not Vulnerable and Not Remediated: Lists all of the devices for the 

selected vulnerabilities that were found to not be vulnerable and did not 

require a patch. 

• Remediated Vulnerabilities by Computer: Lists all of the vulnerabilities 

that have been patched on the selected device(s), including the date they 

were patched. 

• Remediated Vulnerabilities by Date: Lists all of the vulnerabilities that 

have been patched for every remediated device over the selected period of 

time. 

• Remediated Vulnerabilities by Location: Lists all of the vulnerabilities that 

have been patched on the devices for the selected location(s). 

• Remediated Vulnerabilities by Vulnerability: Lists all of the devices for 

the selected vulnerabilities that have been patched. 

• Vulnerabilities Over Time: Lists all of the vulnerabilities found on every 

device over the selected period of time. 

These reports follow the same rules as reports in the All Software Licensing Reports 

and All Asset Reports groups, including their ability to be copied, removed, exported, 

and so on from the My Reports and User Reports groups. For more information, see 

"Reports" in the "Managing inventory and reports" chapter. 

371

USER'S GUIDE 

Running reports 

You can run any report from the Reports window. From the Reports window, rightclick 

the report you want to run, and then click Run (or, click the Run toolbar 

button). The report data displays in the Report View. 

372

Chapter 14: Using the Asset Manager add-on 

LANDesk Asset Manager 8 is a powerful asset management solution that lets you 

record, track, and analyze any type of fixed asset within your organization—including 

IT assets like computers and monitors, office equipment, furniture, and any other 

valuable item you want to manage—in addition to critical business information such 

as contracts, invoices, and projects. Asset Manager includes all the tools you need to 

configure data entry forms, enter items into the database with those forms, as well 

as collect and analyze that data with customizable reports. 

For two of the predefined asset types, computers and software, Asset Manager also 

provides the capability to link and update asset data from the Management Suite 

scanned inventory and SLM data. 

Asset Manager is a Web-based application that runs in the LANDesk Management 

Suite Web console. 

Asset Manager 8 Add-On 

Asset Manager, like Patch Manager, is a separately purchased add-on product that 

integrates seamlessly with your current LANDesk Management Suite system. If you 

haven't purchased or installed Asset Manager, the user interface and the capabilities 

described here are not on your core server and will not be available from the Web 

console. For more information about purchasing Asset Manager, visit the LANDesk 

Web site. 

For information on installing and activating the Asset Manager add-on, refer to 

"Installing add-ons" in the Installation and Deployment Guide. 

373

USER'S GUIDE 


• Asset Manager overview 

• Accessing Asset Manager in the Web console 

• Managing assets 

• Working with computer assets 

• Working with software assets 

• Managing contracts 

• Managing invoices 

• Managing projects 

• Managing global lists 

• Using subgroups to organize types 

• Creating new types 

• Using a details summary 

• Adding details 

• Adding table data fields 

• Managing detail templates 

• Adding detail templates 

• Organizing details in sections 

• Using an item list 

• Adding items to the database 

• Associating items 

• Importing items 

• Exporting items 

• Searching for items 

• Using Asset Manager reports 

374

CHAPTER 14: USING THE ASSET MANAGER ADD-ON 

Asset Manager overview 

LANDesk Asset Manager adds easy-to-use features to the Management Suite Web 

console that let you proactively manage all types of fixed (non-scannable) assets 

across your enterprise throughout the entire asset life cycle. In addition to physical 

assets, you can manage other relevant information such as contracts, invoices, and 

projects. If implemented and maintained properly, this type of information 

management can provide the security, access, and control of important data 

necessary to not only make informed business decisions and planning, but improve 

the productivity and efficiency of your organization's everyday business operations. 

Asset Manager also allows you to leverage data for computers and licensed software 

products that has already been scanned or entered into your core database and 

inventory. 

You can also use Asset Manager to import and export asset data to use with other 

data tracking and management applications and databases. 

In short, Asset Manager helps you get the most out of your IT investments. 

Other features and benefits 

In addition to the features mentioned above, with Asset Manager you can: 

• Use predefined types (i.e., data entry forms) or create your own custom 

types that are used to add items to the database. 

• Store asset management data in a single repository—the Management Suite 

core database. A single database simplifies data management, ensures data 

accuracy and integrity, and allows multiple users to enter asset data and 

generate reports at the same time. 

• Associate assets with each other and with other related information, such as 

invoices, users, service histories, etc. 

• Use predefined asset management reports or create your own custom 

reports. 

• Reconcile recorded asset data with actual physical inventories. 

• Track asset data history 

Understanding Asset Manager types and details 

Asset Manager uses types and details to describe the kinds of items (and their 

inherent properties) that can be added into the database. A type simply represents a 

specific kind of asset, contract, invoice, project; and so on. And a detail represents 

specific information about that type. To understand this concept in practical terms, 

it's probably helpful to think of a type as essentially a data entry form (made up of 

details) for a particular kind of item, and each detail as an individual data field on the 

form. 

375

USER'S GUIDE 

Asset Manager has several predefined asset types, contract types, invoice types, 

project types, and global (or universally applicable) types, each defined by its own 

unique arrangement of details. However, you're not limited to these types or details. 

With Asset Manager, you can also create and modify your own custom types, details, 

detail tables, and detail templates in order to meet your asset management 

requirements and goals. You're able to determine the content and layout of a form, 

what type of data is being asked for, whether a data field is required, and more. 

Ultimately, the purpose of asset types and details is to give you a way to configure 

data entry forms that are used to quickly and easily enter data and actually add 

items to the database. 

Asset management task flow 

The following steps provide a general outline of the processes involved in 

implementing an asset management strategy on your Management Suite network. 

Each of these tasks is described in detail in the appropriate sections of this chapter. 

1. Manage (view, organize, edit, and delete) types with the Assets, Contracts, 

Invoices, Projects, and Global Lists pages. 

2. Create types (i.e., data entry forms) with the Add new type page. 

3. Create a type's details with the Add details page. Also, add detail tables and 

detail templates. 

4. Add actual items (by entering data) to the database. 

5. Import and export items. 

6. Use predefined and custom reports to analyze recorded asset data. 

Using role-based administration with Asset Manager 

Role-based administration is Management Suite's access and security model that lets 

LANDesk Administrators restrict access to tools and devices. Each Management Suite 

user is assigned specific rights and scope that determine which features they can use 

and which devices they can manage. For more information about role-based 

administration, see "Using role-based administration" in the Users Guide. 

Role-based administration can also be implemented to control access to features in 

the Management Suite Web console, including Asset Manager. You can learn more 

about how role-based administration works for the basic Web console interface and 

tools in "Using the Web console" in the Users Guide. 

Asset Manager introduces three new roles and corresponding rights to role-based 

administration. A LANDesk Administrator assigns these rights to other users with the 

Users tool in the main Management Suite console (see the Users Guide for details). 

In order to see and use the various Asset Manager features in the Web console, a 

Management Suite user must be assigned the necessary Asset Manager right, as 

described below. 

Note: In addition to users that have only one of the rights below, a user could have 

both the Asset Data Entry and Reports rights. Since Asset Configuration gives full 

access to Asset Management, any combination with it would be redundant. 

376


Asset Configuration 

The Asset Configuration is an administration-level right that provides users the 

ability to: 

• See and access all the Asset Management links in the Web console: Assets, 

Contracts, Invoices, Projects, Global Lists, Detail Templates, and Reports. 

• Create new types 

• Edit types (both predefined and custom) 

• Delete types 

• Create, edit, and delete subgroups used to organize types 

• Create new details for types 

• Edit details (both predefined and custom) 

• Create and modify detail templates 

• Create and modify detail tables 

• Create, edit, and delete sections used to organize details 

• Perform all of the Asset Manager tasks allowed by the other rights listed 

below 

Asset Data Entry 

The Asset Data Entry right provides users the ability to: 

• See and access the Assets, Contracts, Invoices, Projects, and Global Lists 

links in the Web console. 

• Browse types and details (can't add, edit or delete them) 

• Add items to the database by filling in data entry forms 

• Edit items that have been added to the database 

Reports 

The Reports right for asset management-specific reports is the same Reports right 

that allows users to generate and view all other Management Suite reports in the 

main console, and it provides users the ability to: 

• See and access the Assets, Contracts, Invoices, Projects, Global Lists, and 

Reports links in the Web console. 

• Browse types, details, and items (can't add, edit or delete them) 

• Run predefined Asset Manager reports 

• Create and run custom asset reports 

• Edit all report configurations 

• Print all reports 

377

USER'S GUIDE 

Accessing Asset Manager in the Web console 

LANDesk Asset Manager is a browser-based application that is accessed through the 

Management Suite Web console. Asset Manager features and interface do not appear 

at all in the main Management Suite console. In order to use Asset Manager, you 

must already have the Web console software installed on either your core server or 

another Web server on your network. 

For more information about the Web console 

For information on installation prerequisites and procedures for the Web console, 

refer to "Installing the Web console" in the Installation and Deployment Guide. 

For more information on logging in to the Web console and using the default Web 

console features, see "Using the Web console" in the Users Guide. 

Users with a valid Web console account can access the Web console from any 

Windows-based computer running Internet Explorer 5.5 or later. 

To access Asset Manager in the Web console 

1. From a networked computer, open Internet Explorer. 

2. In the Address field, enter the URL to the site hosting the Web console pages. 

Normally the URL is: http://webservername/remote. 

3. If a login dialog appears, enter your Windows username and password for the 

core you're connecting to, and then click OK. 

4. Once you authenticate, Asset Management links appear in the left navigation 

pane for the features you have rights to use (based on role-based 

administration rights). 

What's next 

Now that you have a basic understanding of what you can do with LANDesk Asset 

Manager, click the Asset Management links in the Web console and start using the 

features introduced in this overview. 

Online help 

From any page in the Web console, including Asset Manager pages, click the Online 

Guide link in the upper right corner to access online context-sensitive help for that 

page. 

378


Managing assets 

The Assets page shows all the asset groups and types. You can expand and collapse 

groups by clicking the group name, or by clicking the Expand All and Collapse All 

links. 

Assets are items or property that can't be scanned electronically into the core 

database, with the exception of the computers and software types (see below), but 

that you want to track and manage, such as printers, monitors, phones, desks, 

supplies, etc. There's no limit to the number or variety of assets you can record with 

Asset Manager. 

Asset types represent the data entry forms used to enter asset items into the 

database. You can use the predefined asset types or create your own. 

From any of the type pages, you can: 

• View types in subgroups, as well as by global lists. 

• Create, edit, and delete subgroups by clicking the Manage subgroups link. 

• Check the count of items currently recorded in the database for each type. 

• Print the selected view of groups and types. 

• Search for types in the list. 

• Edit a type's details by clicking the pencil icon. 

• Delete types by clicking the X icon. (You can delete a type only if it doesn't 

have any items recorded.) 

• Create new types in a subgroup by clicking the Add Type link. 

• View a list of all the items that have been added to the database for a 

particular type by clicking the type name. 

• Add items to the database by clicking the plus sign (+) Add... link and filling 

out its data entry form. 

The predefined asset groups and types include: 

Miscellaneous 

• Chair 

• User 

Office Equipment 

• Copier 

• Digital Camera 

• Fax 

• Mobile Phone 

• Phone 

• Projector 

• Television 

379

USER'S GUIDE 

Technology 

• Computer (A special asset type with linked data that can be updated and 

synchronized with inventory data in the core database. For more information, 

see "Working with computer assets.") 

• Monitor 

• PDA 

• Printer 

• Router 

• Scanner 

• Software (A special asset type with linked data that can be updated and 

synchronized with inventory data. For more information, see "Working with 

software assets.") 

• Switch 

380


Working with computer assets 

The computer type is one of two asset types with linked details (data fields) that can 

be updated and synchronized with information from the core database. Designated 

computer type details are linked to a scanned device's hardware inventory (a 

scanned or managed device is one on which the Management Suite inventory 

scanner has been run). The other asset type with linked details that can be updated 

with information from the core database is the software type. 

You can use linked details to populate computers' linked data fields for computers 

that have already been scanned and have an inventory record. For computers that 

aren't yet connected to your network or haven't yet been scanned by the inventory 

scanner, you can add computer items in Asset Manager (using a valid MAC addresses 

or serial number provided by the manufacturer), and populate the other linked data 

fields after the machines have been scanned. 

Linked details for computers 

Only designated computer details are linked and can be updated from a scanned 

computer's hardware inventory. These details are identified by the linked detail icon. 

You can't create your own linked details for the computer asset type. 

The following computer details are linked: 

• Asset ID (This linked detail can be thought of as the "master" link because it 

is used to definitively identify each specific computer asset in the hardware 

inventory, ensure there are no duplicate records, and synchronize the 

appropriate linked data. Asset ID can never be edited manually.) 

• Machine name 

• Manufacturer 

• MAC address 

• Serial number 

• Model 

• Asset tag 

• Domain name 

All other details for the computer type are not linked and must be entered and 

updated manually. 

You can manually enter information in linked data fields only BEFORE updating those 

details with inventory information. Once a computer's linked data has been updated, 

the linked data fields can no longer be edited manually. However, you can 

refresh/update linked data from the inventory as many times as you like. 

Non-linked data fields can always be edited in Asset Manager. Non-linked data does 

not appear in a scanned device's inventory tree. 

381

USER'S GUIDE 

Updating linked data for computers 

You can update all of your scanned computers at once from the computer item list 

page (this may take a long time depending on how many managed devices you have 

in the core database). Or, you can update linked data for an individual computer 

from it's own page. 

To update the computer item list 

1. From the Assets page, open the Technology subgroup, and then click 

Computer to view all the computer assets currently recorded in the 

database. 

2. Click Refresh asset data. 

Scanned devices that do not have a corresponding computer item on this page are 

added to the list, with their linked data fields filled in. If there is no data, the field is 

left blank and can no longer be edited manually, although it can be filled in by a later 

update. 

If a corresponding computer item already exists on this page, its linked data is 

refreshed/updated from the scanned device's inventory. If the information has 

changed in the inventory, the new information replaces the value in the linked data 

field. Only linked data fields are updated. 

To update linked data for one computer item 

1. From the computer item list page, edit the computer by clicking its pencil 

icon. 


The computer's linked data is updated with information from the corresponding 

scanned device's inventory. This process rewrites any manually entered or changed 

value in a linked data field with the current value in the inventory. Empty linked data 

fields are filled in, if that data exists. If there is no data, the field is left blank and 

can no longer be edited manually, although it can be filled in by a later update. 

From a specific computer's page, you can also click Open inventory data to view 

the scanned device's entire inventory tree. 

Note: If the Open inventory data option is not available on a computer's page, it 

indicates the corresponding device has been deleted from the hardware inventory. 

When a device is deleted from the inventory, its asset record is not removed from 

Asset Manager. 

382


Working with software assets 

The software type is one of two asset types with linked details (data fields) that can 

be updated and synchronized with information from the core database. Designated 

software type details are linked to licensed software products' license file 

information. The other asset type with linked details that can be updated with data 

from the core database is the computer type. 

You can use linked details to populate software products' linked data fields for 

software that has a license file recorded in Software License Monitoring (SLM) in the 

main Management Suite console or in the Compliance section in the Web console. 

For more information about the SLM tool, refer to the Users Guide. 

Linked details for software 

Only designated software details are linked and can be updated from SLM. These 

details are identified by the linked detail icon. You can't create your own linked 

details for the software asset type. 

The following software details are linked: 

• Product Link ID (This linked detail can be thought of as the "master" link 

because it is used to definitively identify each specific software asset in SLM, 

ensure there are no duplicate records, and synchronize the appropriate linked 

data. Product Link ID can never be edited manually.) 

• Product name 

• Version 

• Publisher 

• License type 

• Quantity 

• Serial number 

• Purchase date 

• Unit price 

• Order number 

• Reseller 

• Owner 

• Location 

• Note 

All other details for the software type are not linked and must be entered and 

updated manually. 

You can manually enter information in linked data fields only BEFORE updating those 

details with SLM information. Once a software product's linked data has been 

updated, the linked data fields can no longer be edited manually. However, you can 

refresh/update linked data from the product information in SLM as many times as 

you like. 

Non-linked data fields can always be edited in Asset Manager. 

383

USER'S GUIDE 

Updating linked data for software 

You can update all of your software products that have a valid license file at once 

from the software item list page. Note that not all of your licensed software products 

in SLM necessarily have a license file. Only those licensed products with an actual 

license file will be updated. Or, you can update linked data for an individual software 

product (that has a license file) from it's own page. 

To update the software item list 

1. From the Assets page, open the Technology subgroup, and then click 

Software to view all the software assets currently recorded in the database. 


Software products (with a license file) that do not have a corresponding software 

item on this page are added to the list, with their linked data fields filled in. If there 

is no data the field is left blank, and can't be edited. 

If a corresponding software item already exists on this page, its linked data is 

refreshed/updated from the license file information in SLM. If the information has 

changed in SLM, the new information replaces the value in the linked data field. Only 

linked data fields are updated. If there is no data the field is left blank, and can't be 

edited. 

To update linked data for one software item 

1. From the software item list page, edit the software product by clicking its 

pencil icon. 


The software product's linked data is updated with information from the 

corresponding product's license file information in SLM. This process rewrites any 

manually entered or changed value in a linked data field with the current value in 

SLM. Empty linked data fields are filled in, if that data exists. If there is no data, the 

field is left blank and can no longer be edited manually, although it can be filled in by 

a later update. 

384


Managing contracts 

The Contracts page shows all the contract groups and types. You can expand and 

collapse groups by clicking the group name, or by clicking the Expand All and 

Collapse All links. 

Contracts can be any sort of document pertaining to the formal business 

relationships you have with service providers, partners, and vendors that you want 

to record and manage. Record critical information about the contract such as names, 

effective dates, status, contract numbers, terms and conditions, relationships, etc., 

and then associate the contract with the assets it covers. For example, you could 

enter data about a lease agreement for a group of printers, and then associate the 

lease with the printers. 

Adding contract information to the database not only helps you keep track of 

valuable assets but also the important information you need for negotiating terms 

and conditions for future contracts. 

Contract types represent the data entry forms used to enter contract items into the 

database. You can use the predefined contract types or create your own. 















The predefined contract groups and types include: 

Standard 

• Consulting Agreement 

• Escrow 

• Lease 

385

USER'S GUIDE 

Managing invoices 

The Invoices page shows all the invoice groups and types. You can expand and 



Invoices are documents pertaining to the purchase, acquisition, or payment of 

products and services. With Asset Manager, you can enter and store relevant 

information about an invoice and associate it to the corresponding asset. 

Invoice types represent the data entry forms used to enter invoice items into the 

database. You can use the predefined invoice types or create your own. 















The predefined invoice groups and types include: 

Standard 

• Invoice 

• Purchase Order 

386


Managing projects 

The Projects page shows all the project groups and types. You can expand and 



Large, complex projects typically involve the purchase and use of a variety assets 

and related materials. With Asset Manager, you can enter specific project information 

into the database, associate the project with any other recorded item, and then 

generate custom reports to help you track and manage the project. 

Project types represent the data entry forms used to enter project items into the 

database. You can use the predefined project types or create your own. 















The predefined project groups and types include: 

Miscellaneous 

• Ad hoc 

Standard 

• Capital Expenditure 

• Sustaining 

387

USER'S GUIDE 

Managing global lists 

The Global Lists page shows all the global list groups and types. You can expand and 



Global lists refer to lists of standard information, such as locations, companies, and 

users, that can be applied globally to describe assets throughout your organization. 

By defining these global lists in one place, and using them to add standard data to 

other types, you can ensure consistent usage in all your asset management records. 

For example, if you need to update data in a global list, such as a person's last name 

or a company's address, the new information propagates automatically to all other 

items that include that standard global list data. 

Global List types represent the data entry forms used to enter global list information 

into the database. You can use the predefined global list types and create you own 

custom global list types. 

On a data entry form, an Expand/Collapse icon next to a data field's text box 

identifies it as a global list type that can be used to select a detail from a list of that 

global list type's available details. Whereas, an Expand/Collapse icon next to a data 

field name, where there is no text box, identifies a table detail. 

Using global lists to add a detail to a type 

Global lists are different from the asset, contract, invoice, and project types because 

you can use a global list type to add a standard detail (or data field) to any of the 

other types. For example, let's say you're adding a detail to a new asset type; 

choosing "Global List" opens a new dialog where you can select the global list type 

called "locations" (and, if you want to specify a default value, you can also select a 

specific location from the drop-down list of available locations). In this way, global 

list types are in fact global, meaning they're available for all other types, and provide 

standard, consistent information across the database's asset records. 

As previously mentioned, if a detail in a global list type is changed, the change is 

reflected in any recorded item that uses that detail. 

Using global lists to organize and view types 

Global lists serve another unique purpose in Asset Manager. They can be used as 

parent groups to view lists of asset, contract, invoice, and project types. From any of 

the type pages, you can click the Group by drop-down list and select a global list 

(predefined and custom) by which to arrange the types on that page. 

For example, if you want to view computer asset types by location, select the 

"location" global list. Each current location appears as a parent group that can be 

expanded to show the types (in their subgroups) with matching location data. Types 

that do not contain location data are listed under the "No Information" parent group. 

If there aren't any types in the "location" global list type, the "No Information" 

parent group displays, containing all the page's subgroups and types. 

If you select None from the Group by menu, subgroups and types are listed without 

a parent global list group. None is the default setting. 

388


As with other type pages, from the Global Lists page you can: 

• View types in subgroups. (Grouping by global list types is not supported on 

the global lists page.) 













The predefined global list groups and types include: 

Default 

• Company 

• Cost Center 

• Department 

• Location 

• Vendor 

389

USER'S GUIDE 

Creating new types 

Use the Add new type page to create your own custom types for assets, contracts, 

invoices, projects, and global lists. 

As a reminder, it might be helpful to consider types as data entry forms comprised of 

specific details that define an item. Types are divided into five major categories to 

facilitate tracking and reporting: assets, contracts, invoices, projects, and global list. 

For example, a printer is an asset type, a lease is a contract type, and a location is a 

global (i.e., generally applicable) type. To continue the example, a printer asset type 

could be comprised of details (data fields) for manufacturer, model, description, 

service history, warranty type, cost, and so on. A type is used to add items to the 

database. 

Asset Manager comes with several predefined types that can be used to add common 

items to the database. You also have the flexibility to create as many additional 

custom types as you like, to accommodate all of the assets and information you want 

to manage. 

All types are created by the same procedure, described below. 

To create a new type 

1. From any Asset Manager type page (Assets, Contracts, Invoices, Projects, 

Global Lists), click the Add type link next to the group where you want to 

add the type. 

2. In the Name field, enter a unique name for the type. 

3. In the Key field, enter a name for the key detail. Every type must have at 

least one detail known as the "key" so that it can be tracked in the database. 

When you initially create a new type, you're required to specify the name of 

the key detail. 

Note: If the key is the only detail for the type, it must also be a unique and 

required value. You can't delete the key detail. Once designated, you can't 

change the key detail to another detail. 

4. From the Type drop-down list, select the type of information of the key 

detail. Available types include: Integer (whole number), String (alphanumeric 

characters or symbols), Date (date), and Decimal (real number that allows 

two decimal places). 

Note: Static List and Global List are not valid information types for the key 

detail. 

390


5. If you selected the String type, you must specify the maximum number of 

characters allowed in the string by entering a numerical value in the Length 

field. The valid range is from 1 to 255 characters. This field is required for a 

string and is not available for any other information type. 

6. Again, if you selected the String type, you can enter a required format or 

syntax in the Input Mask field. This field only applies to strings and is 

optional. 

The input mask indicates a required format when entering data for this detail 

on a data entry form. For example, if the detail is a serial number that must 

conform to a certain format such as "abc-123456" you would enter an input 

mask like this: aaa-######, where lower-case "a" represents any letter, the 

hyphen is a literal character, and the pound character (#) represents a 

number. For the actual character a, use the /a. For the actual pound 

character (#), use the /# exception. This mask appears on the data entry 

form so the user knows how to enter data for the field. 

7. If you want to specify a value that will automatically appear in the key detail's 

data field on a data entry form, enter that value in the Default Value field. 

You can enter a default value for any type of information. Default values on a 

form can be edited. This field is optional. (To enter a default date, use the 

calendar control.) 

8. Click Save to save the type and its key detail, and to return to the Details 

for... page. At this page you can continue to configure the type by adding 

more details, detail tables, or detail templates. You can also change the 

subgroup where this type resides with the Belongs to drop-down list. 

9. Important: When you're done configuring the type, you must also click Save 

Details on the Details for... page in order to save all the details you've added 

to that type. 

Once a custom type is configured, you can: 






391

USER'S GUIDE 

Using a details summary 

This page provides a summary view of all the details that make up the type named 

at the top of the page. These details are what appear on a data entry form for that 

type. 

Each type's details summary page is unique, depending on the details that have 

been used to define that type. However, the tasks you can perform from any details 

summary page are common. 

From a details summary, you can: 

• View all the details that define the selected type. 

• Edit existing details by clicking the pencil icon next to the detail name. 

• Create new details for a type by clicking the Add details link. 

• Add a group of details to a type at once by clicking the Choose template link. 

• Add a table data field to a type by clicking the Add table link. 

• Delete a detail by clicking the X icon. 

• Organize details in configurable sections by clicking the Manage sections link. 

Note: In order to preserve any changes you've made to details in this list (including 

changes to detail templates and detail tables), you must always click Save Details. 

If you add, modify, or delete one or more details and then click Cancel on this page, 

none of your changes will be saved. 

Understanding the detail icons 

The details summary page includes a legend with icons that indicate different 

characteristics for the detail. Detail icons appear here in a details summary list, as 

well as on an item page and on data entry forms next to data fields. 

The legend shows the following icons: 

Key: Indicates the detail is the key identifying detail for this type. Each type must 

have one, and only one, key detail in order to be saved. Key details are 

automatically unique and required. A key detail can't be deleted or changed. 

Unique: Indicates the detail must have a unique value entered when filling out the 

data entry form. If you enter a duplicate entry (the same value already exists in that 

data field for another item), an error message displays. Unique details are 

automatically required. Types can have multiple details that ask for unique data. 

Required: Indicates the detail must have valid data entered when filling out the 

data entry form. A required detail may or may not be unique. For example, if a detail 

is marked required but not unique, you can enter the same data in that field on data 

entry forms for different items. 

392


Summary: Indicates the detail will appear as a column heading on an item list page. 

Linked: Indicates the detail is linked to corresponding scanned or entered data in 

the core database. This characteristic applies to only some of the details for the 

computer and software asset types. It does not apply to details for any other types. 

You can update and synchronize linked data for computer assets with scanned 

devices' inventory data; and for software assets with data you've entered for 

licensed software products. You can't create your own linked details. 

393

USER'S GUIDE 

Adding details 

Use this page to add a new detail or edit an existing detail. 

To edit an existing detail, click the pencil icon next to the detail name. For a 

description of what information you can and can't edit on a saved detail, see "Rules 

for editing details" below. 

Details represent the data fields on a data entry form for an item you want to add to 

the database, to be able to track and manage with Asset Manager. 

To add a new detail 

1. From any details summary page, click the Add detail link. 

2. In the Name field, enter a unique name for the detail. 

3. From the Type drop-down list, select the detail type. Available types include: 

Integer (whole number), String (alphanumeric characters or symbols), Date 

(date), and Decimal (real number that allows two decimal places), Static List 

(lets you create a predefined list of values, see step 11 below), and Global 

List (lets you select any of the current global list types, see step 12 below). 

4. The Key option is not available because this is not the initial detail. The key 

detail is defined when you initially create the type; it can't be changed or 

removed. 

5. Select the Unique option if you want to indicate on the data entry form that 

this detail (data field on the form) needs to be filled in with a unique value. In 

other words, duplicate entries among recorded items are not allowed in this 

data field. 

If you select the Unique option, the Required option (below) is automatically 

selected as well. A data field that asks for a unique value is also considered a 

required field. 

6. Select the Required option if you want to indicate on the data entry form 

that this detail (data field) must be filled in with valid data. A required field is 

indicated by the red "i" icon on a data entry form. A required data field does 

not necessarily have to be filled in with unique data. 

7. If you selected the String type, you must specify the maximum number of 

characters allowed in the string by entering a numerical value in the Length 

field. The valid range is from 1 to 4,000 characters (for English and European 

languages; Double-byte languages such as Chinese and Japanese allow up to 

2,000 characters). This field is required for a string and is not available for 

any other information type. 

394


8. Again, if you selected the String type, you can enter a required format or 

syntax in the Input Mask field. This field only applies to strings and is 

optional. 

The input mask indicates a required format when entering data for this detail 

on a data entry form. For example, if the detail is a serial number that must 

conform to a certain format such as "abc-123456" you would enter an input 

mask like this: aaa-######, where lower-case "a" represents any letter, the 

hyphen is a literal character, and the pound character (#) represents a 

number. For the actual character a, use the /a. For the actual pound 

character (#), use the /# exception. This mask appears on the data entry 

form so the user knows how to enter data for the field. 

9. If you want to specify a value that will automatically appear in this detail's 

data field on a data entry form, enter that value in the Default Value field. 

This option applies to all the information types and is not required. All default 

values on a form can be edited. (To enter a default date, use the calendar 

control.) 

10. If you want this detail to appear on the item list page for the type you're 

configuring, select the Summary option. This option is checked by default. If 

you clear the Summary option, this detail does not appear on the item's list 

page. 

11. If you want to configure a controlled list of valid data entry values for this 

detail, select Static List type. A new dialog appears to the right that lets you 

add values to the static list. The values you add to this list will be available for 

this detail in a drop-down list on the data entry form. 

To add values to the static list, simply enter a value in the Add Values text 

box and click the plus sign (+). To set a value as the default value 

(automatically appears in the detail's data field on a data entry form), select 

the value and then click Set Default. To remove a value, select it and click 

Remove. 

12. If you want to use a global list type to define this detail, select Global List 

type. A new dialog appears to the right that lets you choose from the current 

global list types (see "Managing global lists"). The values that have been 

added to the database for the selected type will be available for this detail in 

a drop-down list on the data entry form. 

Global lists contain general information that is standard throughout your 

organization, such as vendors, users, and locations. To use a global list type 

to define this detail, first select the subgroup that includes the global list type 

you want from the Select Group drop-down list, and then select the global 

list type from the Select Type drop-down list. (If you want to assign a 

default value to this detail (data field on the form), select a value from the 

Select Default Value drop-down list. Keep in mind that if no data has been 

entered into the database for that type yet, this list will be empty.) 

13. When you're done configuring the settings and values for the detail, click 

Return to form to save the detail and return to the Details for... page. Or, 

click Cancel to exit without saving the detail. 

395

USER'S GUIDE 

14. If you want to place the detail in a specific section on the form, click Manage 

sections, select the section in which you want the detail to appear, click 

Edit, and move the detail to the Current Details box. For more information, 

see "Organizing details in sections." 

15. Important: You must also click Save Details on the Detail for... page to 

save any details you've configured. 

Rules for editing details 

After a type has been saved, you can edit only some of the information for the 

details that define that type. 

Remember that a type must have at least one detail, called the key detail. In 

addition to its key detail, a type can have any number of "non-key" details. 

For both key and non-key details, once saved, you can't edit the following 

information fields on the Edit Detail page: 

• Name 

• Type 

• Key 

• Unique 

• Required 

Whether the other fields can be edited is different for key and non-key details. 

Key details 

For a key detail, the table below shows the fields on the Edit Detail page that can be 

edited, depending on the selected information type: 

Information 

Type 

Length 

Input 

Mask 

Default 

Value 

Summary 

Integer No No Yes Yes 

String Yes Yes Yes Yes 

Date No No Yes Yes 

Numeric No No Yes Yes 

396


Non-key details 

For a non-key detail, the table below shows the fields on the Edit Detail page that 

can be edited, depending on the selected information type: 

Information 

Type 

Length 

Input 

Mask 

Default 

Value 

Summary 

Static 

List 

Values 

Global List 

Default 

Value 

Integer No No Yes Yes No No 

String Yes Yes Yes Yes No No 

Date No No Yes Yes No No 

Numeric No No Yes Yes No No 

Static List No No Yes Yes Yes No 

Global List No No No Yes No Yes 

397

USER'S GUIDE 

Adding table data fields 

Use this page to add a table data field to the selected type. A table consists of one or 

more details and appears as an expandable data field on a data entry form, each 

detail represented by a separate column in the table. 

On a data entry form, an Expand/Collapse icon next to a data field name, where 

there is no text box, identifies a table detail. Whereas, an Expand/Collapse icon next 

to a data field's text box identifies it as a global list type. 

One example of a table data field is a service history, with details such as cost, 

service date, technician, vendor, and so on. 

When filling in a form, users can add as many entries as they like into a table data 

field by clicking the Expand icon, clicking the Add link, filling in the fields, and then 

clicking the Add to table link. This process can be repeated as many times as you 

want to add entries to the table. 

Some predefined types (and their associated data entry forms) include predefined 

tables. You can also create your own custom tables and add them to types. A table is 

specific to the type to which it was added (i.e., it can't be shared with other types). 

To add a table data field to a type 

1. From any details summary page, click Add table. 

2. In the Details for field, enter a unique name for the table. 

3. Click Add detail to define an individual detail that appears as a column in the 

table. A table must include at least one detail (data field on the form). 

4. You can also click Choose template to select from a list of existing detail 

templates that will add several details at once to the table. Each detail 

appears as a single column in the table. 

Details in a table display in the order in which they were entered and can't be 

moved. 

5. When you're done configuring the table, click Save Details to save the table. 

The new table appears in the details list as a Table type. Details display in the 

list in alphabetical order unless they belong to a specific section. 

6. If you want to place the table details in a specific section on the form, click 

Manage sections, select the section in which you want the table to appear, 

click Edit, and move the table to the Current Details box. For more 

information, see "Organizing details in sections." 

7. Important: Click Save Details again (this time from the details summary 

page) in order to save the changes you've made. 

Once a table is configured, you can: 

• Edit a table's details by clicking the pencil icon. 

• Delete an existing table by clicking the X icon. 

398


Managing detail templates 

Use the Detail Templates page to view, create, edit, and delete detail templates. 

Detail templates are sets or groups of details that make it easy and convenient to 

add several details at once to a type. 

Note: You add a detail template to a type from the type's details summary page, not 

from the Detail Template page. You can also add a detail template to a table from 

the table's details summary page. 

Asset Manager does not include any predefined detail templates, but you can create 

as many as you like to facilitate the creation of custom types and tables. 

To create a detail template 

1. From the Asset Management menu in the Web console, click Detail 

templates. 

2. Click Add template. 

3. Enter a unique name for the template in the Details for field. 

4. Add as many details as you want to the template by clicking Add detail. 

5. When you're done adding details to the template, click Save Details to save 

the template and return to the templates list. 

Note: When you add a details template to a type, all of the details contained in that 

template are added as individual details, not grouped as a template. In other words, 

a details summary list does not indicate in any way whether details came from a 

template. 

To edit a detail template, click the pencil icon next to the template name. 

To delete a detail template, click the X icon next to the template name. 

399

USER'S GUIDE 

Adding detail templates 

You can add detail templates to a details summary list for a type or table. Detail 

templates are sets or groups of details that you can use to add several details at 

once. 

Detail templates are not specific to a type or table; you can view and add currently 

available templates from any details summary page. 

To add a detail template 

1. From any details summary page (for either a type or a table), click Choose 

template. All of the existing detail templates appear in a list, and show all of 

the details in each template. 

2. Find the template you want to add to the details summary, and click Add 

template. 

All of the details contained in the template you just added appear as 

individual details in the details summary. They're not grouped or identified as 

coming from a template. 

3. If you want to place any of the newly added details in a specific section on the 

form, click Manage sections, select the section in which you want the detail 

to appear, click Edit, and move the detail to the Current Details box. For 

more information, see "Organizing details in sections." 

4. Important: You must also click Save Details on the Detail for... page to 

save any details you've configured. 

400


Using an item list 

The item list page provides a summary view of all the items recorded in the database 

for the type named at the top of the page. To see a type's item list page, click the 

name of the type on the Assets, Contracts, Invoices, Projects, or Global Lists pages. 

The information that displays in the columned table on an item list page is 

determined by the details that have the Summary option checked. In other words, if 

Summary is checked then the detail appears on the item list page. You can click the 

column headings to sort by that detail (data field). 

To add items to the database, click the Add link, and then fill in the data entry form. 

See "Adding items" for more information. 

To edit an item's recorded data, click its pencil icon, and then enter new data. 

When editing, the item's data entry form includes a few extra options. See "Editing 

an item" for more information. 

To delete an item from the list (and from the database), click its pencil icon, and 

then click Delete. 

Additional item list tasks 

From an item list page, you can also perform the following tasks: 

• Associate items with other items and related information. 

• Import data for items of the selected type. 

• Export data for items of the selected type. 

From the item list page for two asset types, computer and software, you can also: 

• Update designated linked details (data fields) with scanned inventory and SLM 

information from the core database. For more information, see "Working with 

computer assets" and "Working with software assets." 

401

USER'S GUIDE 

Adding items to the database 

This page is the data entry form for the type named at the top of the page. Asset 

Manager includes several predefined asset, contract, invoice, project, and global list 

types, and provides the ability for you to create as many custom types in each of 

those categories as you like. 

When you enter and save the information on a data entry form, the item is recorded 

in the database. 

A slightly different version of this page appears when you're editing an item. See 

"Editing an item" for more information. 

The contents and layout of a data entry form are defined by the type's details and 

sections. See "Using the details summary" and "Organizing details in sections" for 

more information. 

Adding assets—and other important information such as contracts, users, and 

projects—to the database is the central task of someone who wants to gain all the 

benefits of proactive asset management for their organization. Asset Manager 

provides the tools necessary to configure asset types and the detail elements that 

define them, to track that data, and ultimately to analyze and share that data 

through custom asset reports. However, the benefits of asset management to your 

business, in real terms, depends on the recorded data itself. If most of the fields in a 

well-designed and thorough data entry form are left blank, there is very little to 

track, and running reports will be of minimal value. The recorded data is the key, 

and hence, data entry should be considered the most important step in implementing 

an effective asset management solution. 

Although the information asked for on data entry forms can vary, the process of 

adding data is the same, as described below: 

To add an item to the database 

1. From any item list (accessed by clicking the name of a type on either the 

Assets, Contracts, Invoices, or Projects page), click Add. Or, you can access 

the same page by clicking the plus sign (+) Add link next to each item type. 

Note: You can expand or collapse the sections of a form by clicking the 

section name. Also, refer to the Legend at the top of the form to understand 

the icons next to certain data fields. Detail icons are explained in 

"Understanding the detail icons." 

2. Fill in the data fields. When adding or editing a detail, you can only enter data 

compatible with the field type (i.e., only an integer in an integer field, a text 

string in a string field, etc. 

3. To save the item and continue adding more items, click Save and add 

another. 

4. To save the item and return to the previous page, click Save and return to 

list. 

The new item appears in the item list. 

402


Editing an item 

If you're editing an item, this page displays the following additional options: 

• Associate items: Opens the Associate items page where you can create 

associations between the selected item and other items recorded in the 

database. 

• Delete: Removes the item from the item list and from the database. When 

you delete an item, any association to or from the item is also removed. This 

data can't be retrieved unless you've exported it beforehand to a CSV file. 

• Print preview: Opens a print-friendly version of this page in a separate 

window that can be printed from the browser. 

• Last edited by: Lets you view (at the bottom of the page) the user who most 

recently modified this item, their core server, and the time. 

403

USER'S GUIDE 

Associating items 

This page allows you to view, create, and delete associations between the item 

named on this page and any other item recorded in the database. 

Through associations, you can establish and track relationships between any of your 

fixed assets and their supporting items such as contracts, locations, users, projects, 

and so on. For example, you may want to associate printers with their lease 

agreement contract; or PDAs with their users; or phones with their users, locations, 

and service contracts; and so forth. Associations provide another level of asset 

management. 

Note: You can create associations only from an actual item page, not from the item 

list page. 

Associations exist between actual items in the database, not between item types. 

Associations are bidirectional. In other words, if you create an association from a 

printer to a contract, the same association also exists from the contract to the printer 

in that specific contract's page. 

You can associate the following item types with each other: 

• Assets 

• Contracts 

• Invoices 

• Projects 

To create an association 

1. From any item page, click Associate Items. (This is also the way to view an 

item's associations.) 

Note: The Associated Items page refers to the selected item by its key detail. 

2. Use the Search tool to locate items that you want to associate with the 

selected item. From the search results list, check the items you want to 

associate, and then click Add to list. 

3. Click Save to save the associations and return to the item page. 

4. Click Cancel to exit without saving. 

To delete an association, click the X icon next to the association in the list. Deleting 

an item also removes all of its associations from the database. 

Associated item information can be included in Asset Manager reports. 

404


Importing items 

Asset Manager provides the ability to import items for asset, contract, invoice, 

project and global list types. For example, if you have information for all your 

printers in a single spreadsheet, you could import printer data into the item list for 

the printer asset type. 

Importing and exporting lets you use asset management-specific data with other 

data tracking, database, and reporting tools. 

Because you are importing items of a particular type, the Import link is only available 

on the type's item list page. 

A user must have the Asset Configuration or Asset Data Entry right in order to import 

and export items. 

Both import and export support only CSV (comma-separated value) formatted files. 

You import data contained in a CSV file into an existing type. CSV formatted files can 

be used with other data management tools such as Microsoft SQL Server, Oracle, 

Microsoft Access, and Microsoft Excel. 

To import items into an existing type 

1. From the Assets, Contracts, Invoices, Projects, or Global Lists page, click the 

name of the item type you want to import items into. 

2. On the item list page, click Import. 

3. Enter the full path, including the filename, to the CSV file you want to import 

in the File path field. 

4. Click the Sample... link to see a list of all the details used to define the 

selected type. This view shows the detail name and other detail 

characteristics in a column list. Your import file's contents and format must be 

compatible with the details in this list. 

The CSV file must be formatted to match the details (data fields) used to 

define the type. Each line in the file corresponds to an item row on the item 

list page and contains the data for that individual item, separated by commas. 

And each comma-separated value corresponds to a column on the item list 

page. A line must include a value for every detail in the type. For example, if 

the type is defined by ten details, then each line in the CSV file must have ten 

values (a value can be empty as long as it's separated by commas). 

Furthermore, the data in each value must match the data type specified for 

that data field (i.e., integer, string, date, etc.), or the import fails. 

The CSV file's first line must contain the names of the details (that match the 

column headings on an item list page), separated by commas. 

In short, it might be helpful to envision the import file as basically being in 

the same format and layout as an item list page—a table listing where each 

column represents a detail and each line represents an individual item. 

405

USER'S GUIDE 

5. To ignore duplicated data, click Ignore. Or, to update duplicated data, click 

Update. 

If you click Ignore, and a row in the file to be imported has a duplicate key of 

a row that already exists in the database, the duplicate key is NOT imported. 

If you click Update, and a row in the file to be imported has a duplicate key of 

a row that already exists in the database, the duplicate key is imported and 

replaces the existing row. 

6. To import the CSV file, click Import now. 

If formatted correctly, the data in the import CSV file is added to the database and 

appears on the item list page. 

406


Exporting items 

Asset Manager provides the ability to export data for asset, contract, invoice, 

project, and global list types. 

Importing and exporting lets you use asset management-specific data with other 

data tracking, database, and reporting tools. 

When you export a type, all of the items currently recorded in the database for that 

specific type are exported. You can only export data from an item list page. 

A user must have the Asset Configuration or Asset Data Entry right in order to import 

and export items. 

Data is exported as a CSV (comma-separated value) file. As stated in the Importing 

items section, the format of this CSV file essentially matches the layout of an item 

list page, where each line in the file represents a distinct item record, and each 

comma-separated value in a line represents a detail (data field) for that item. All 

items for the selected type are exported in a single file (typename.csv). If the type 

has table data fields, then each table is exported as a separate file (typenametablename.csv). 

To export items 

1. From the Assets, Contracts, Invoices, Projects, or Global Lists page, click the 

name of the item type you want to export. 

2. On the item list page, click Export. 

3. To use an existing export configuration, select it from the Configurations 

drop-down list. 

4. Or, to manually specify the details to be exported for the selected type clear 

the details you don't want to be exported (all details checked by default). 

If you want to save your selected details as a new configuration for this type, 

enter a name in the Configurations Name field, and then click Save. The 

configuration is added to the drop-down list. 

5. Click Export now. The Export window opens displaying the CSV files that can 

be exported. (Multiple files display only if one or more table details were 

selected.) 

6. Click the file you want to export. 

7. At the browser's File Download dialog, click Save, choose a destination on the 

local machine, and then click Save again. 

8. At the Download Complete dialog, click Close. 

9. You can click other files in the Export window, or click Close Window. 

407

USER'S GUIDE 

Using Asset Manager reports 

Asset Manager includes a reporting tool that lets you collect and analyze the asset 

management data you've entered into the database. 

The reporting tool includes several predefined asset management-specific reports 

that you can use to analyze the data you've entered for assets, contracts, invoices, 

and projects. These predefined reports provide examples of how you create and 

configure your own custom reports. 

To view and edit a report's configuration, click the pencil icon. 

To run a report and view the results, click the report name. 

To delete a report, click the X icon. 

Rights required to use asset reports 

A user must have either the Asset Configuration right (which is equivalent to an 

administrator role for Asset Manager features and implies all Asset Manager rights) 

or the Reports right to be able to see and use the Reports link and features in Asset 

Manager. If a user only has the Asset Data Entry right, they will not see the Reports 

link in the left navigation pane of the Web console. On the other hand, if a user has 

the Reports right, they will see the Assets, Contracts, Invoices, Projects, and Global 

Lists links, but they can only browse those pages and can't create, edit, or delete any 

types, details, or actual items. For more information, see "Using role-based 

administration with Asset Manager." 

Rights are assigned to users by a LANDesk Administrator via the Users tool in the 

main Management Suite console. 

The Reports right for Asset Manager is the same Reports right that is used to provide 

access to the reporting tool in the main Management Suite console. Note that none 

of the Asset Manager reports are available in the main Management Suite console's 

Reports tool (even for users with the Reports right). Asset Manager reports are only 

accessible via the Web console. 

Using predefined Asset Manager reports 

Asset Manager includes several predefined reports that generate information about 

the assets, contracts, invoices, projects, and related information recorded in the 

database. Use these reports as examples of what you can do with the Reports tool. 

• Ad-Hoc Projects Completed in Last 30 Days 

• Ad-hoc Projects Started in Last 30 Days 

• All Computers and Associated Items 

• All Consulting Agreements 

• All Leases and Associated Items 

• All Mobile Phones 

• All PDAs 

• All Purchase Orders and Associated Items 

• Computers by Cost Center 

• Computers by Requested Date 

408


• Computers Installed in Last 30 Days 

• Leases by Business Code 

• Leases by Cost Center Location 

• Leases Expired in Last 30 

• Leases Expiring in 30 days 

• Purchase Orders by Cost Center Location 

• Purchase Orders by Vendor 

• Cost Center Location 

• Software by Request Date 

• Software Installed in Last 30 Days 

Creating and running custom reports 

You can create, edit, run, and print your own custom reports. 

There are three types of custom reports: 

Date report: Provides information for a specific type's recorded items, grouped by 

one of its date details. For example, you could create a custom date report that 

gathers information about an asset based on its purchase date, or a contract based 

on its signature date. The results of a date report are determined by a specified 

timeframe (range of days) for the date detail. You can customize the additional 

details that are included in the report. 

Summary report: Provides information for a specific type's recorded items, grouped 

by any one of the its details. Summary reports always show a count number and at 

least one of the item's details. You can customize the additional details that are 

included in the report. 

List report: Provides information for a specific type's recorded items, in a flat list. 

You can customize the additional details that are included in the report. 

Use the procedure below to create and run a custom report: 

To create and run a custom report 

1. From the Reports page, click the Add report link for the type of report you 

want—date, summary, or list. 

2. In the Report name field, enter a unique name for the report. 

3. From the Run report on drop-down list, select whether to report on an 

asset, contract, invoice, or project type. 

4. From the Select type drop-down list, select the specific type for whose 

recorded items you want to gather information. This list includes all the 

currently available types for the selected category. 

If you're creating a list report, skip to step 7. 

409

USER'S GUIDE 

5. For a date report: 

First, from the Group by detail drop-down list, select the date detail you 

want to base this report on, and under which the items in this report will be 

grouped. Or, select a global list type (in parentheses), and then select the 

date detail from its submenu. (The drop-down list includes the currently 

available date details for the selected type, plus any global list types whose 

date details the selected type uses.) 

Then, in the Timeframe field, enter the number of days (before or after 

today) whose dates you want the include in this report. For example, 0 (zero) 

indicates today, -30 indicates 30 days before today (including today), and 30 

or +30 indicates 30 days after today (including today). The date report will 

include all of the type's recorded items whose specified date value matches a 

date within this timeframe. 

6. For a summary report: 

First, from the Group by detail drop-down list, select the detail you want to 

base this report on, and under which the items in this report will be grouped. 

Or, select a global list type (in parentheses), and then select the detail from 

its submenu. (The drop-down list includes all the currently available details 

for the selected type, plus any global list types whose details the selected 

type uses.) 

Then, if you want the summary report to include only the detail selected 

above and an item count, clear the Details check box. If you clear this 

option, the Shows columns and Related details options are dimmed and can't 

be selected. However, if you want to configure additional information to 

appear in the summary report, make sure Details is checked (the default 

setting), which allows you to select the other information options. 

7. Specify the columns (that display details on an item's page) you want to 

include for each item in the report with the Show columns option. You can 

choose to include just the key detail, the summary details, or all details. 

8. Specify additional information you want to include for each item in the report 

with the Related details option. You can choose to include none, table 

details, or associated items. 

9. Click Save and run to save this report configuration and generate the 

report's results. A separate browser (pop-up) window opens and displays the 

report, which you can view and print. 

10. Or, click Save to save the report configuration and return to the Reports page 

without running the report. 

If you selected either of the two save options, the report is added to the alphabetical 

list on the Reports page. 

As with predefined reports, you can view and edit a custom report configuration by 

clicking the pencil icon, and run a custom report by clicking the report name. 

You can print a report from the report's pop-up window, according to the browser's 

Print settings. 

410


411

Chapter 15: Using LANDesk Inventory 

Manager 

LANDesk Inventory Manager is a version of LANDesk Management Suite 8 that 

contains only these inventory-related features: 

• Inventory scanning and inventory-related console features 

• Custom data forms 

• Software license monitoring 

• Unmanaged device discovery 

• Reports for the above features 

The Inventory Manager installation on a core server contains all LANDesk 

Management Suite 8 components, but when you activate a core server with an 

account that is licensed for Inventory Manager, the non-Inventory Manager features 

aren't applicable or visible in the Management Suite and Web consoles. 

If you're using Inventory Manager, refer to these chapters and sections in this guide: 

• Chapter 1: Using the LANDesk Management Suite console. This chapter 

describes the Management Suite console and network view. The role-based 

administration, device monitoring, and some of the Management Suite service 

configuration sections don't apply. 

• Chapter 2: Configuring clients. This chapter focuses on client configuration, 

most of which doesn't apply to Inventory Manager. However, the Unmanaged 

Device Discovery section does apply. 

• Chapter 3: Using queries. The first half of this chapter on queries applies to 

Inventory Manager, the last half on Directory Manager doesn't apply. 

• Chapter 4: Managing inventory and reports. Most of this chapter applies to 

Inventory Manager. 

• Chapter 7: Using the Web console. Generally, the getting started, managing 

inventory data (but not Custom Data Forms), and monitoring software 

licenses sections apply to Inventory Manager. 

• Chapter 8: Monitoring software license compliance. Almost all of this chapter 

applies to Inventory Manager. 

• Appendix A: Additional inventory operations and troubleshooting. Much of the 

detailed inventory information here is useful with Inventory Manager. 

Typically, you can recognize the information that doesn't apply in each chapter 

because those sections refer to Management Suite features like software distribution 

and remote control that aren't part of Inventory Manager. 

413

USER'S GUIDE 

Using Custom Data Forms with Inventory 

Manager 

Management Suite and Inventory Manager include a custom data forms tool (Tools | 

Custom Data Forms) that you can use to create and manage forms. Custom data 

forms provide a way for you to collect information from users and add it to the core 

database. 

Inventory Manager handles custom data forms slightly differently than Management 

Suite. You still create forms the same way, but with Inventory Manager, clients get 

form updates when they send an inventory scan and all clients see all available 

forms. Management Suite allows you to send forms to just the clients you want, but 

since Inventory Manager doesn't have Management Suite's Scheduled Tasks feature, 

you can't schedule a form distribution in Inventory Manager. 

414

Appendix A: Additional inventory operations 

and troubleshooting 

LANDesk Management Suite uses an inventory scanner utility to gather hardware 

and software information for the clients on your network. Inventory scanner basics 

are covered in chapter 4, "Managing inventory and reports." This chapter provides 

additional information about inventory scanning, as well as some troubleshooting 

tips. 


• Scanning custom information 

• Specifying the software scanning interval and history 

• Scanner command-line parameters 

• Scanning standalone clients with a floppy disk 

• Adding inventory records to the core database 

• Adding BIOS text strings to the core database 

• Creating MIF files 

• Scanning NetWare servers 

• Scanning Mac OS X clients 

• Scanning Mac OS 9.2.2 clients 

• Editing the LDAPPL3.TEMPLATE file 

• Troubleshooting the inventory scanner 

415

USER'S GUIDE 

Scanning custom information 

The Windows inventory scanner utility (for Windows 95/98 and Windows 

NT/2000/XP) automatically scans the client's registry for custom information. When 

you configure a client, Management Suite installs the following key into the registry: 

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDESK\INVENTORY\CUSTOM FIELDS 

The inventory scanner always scans the registry for the Custom Fields key and picks 

up any information it finds under that key. It then enters the custom information into 

Custom fields in the core database. The information content doesn't matter. When 

you view this data in the Management Suite console, it displays under Custom fields. 

The inventory scanner reads two data types: 

• REG_SZ 

• REG_DWORD 

Custom field subkeys 

The inventory scanner doesn't scan for any subkeys below Custom fields. 

Custom fields string length 

ASCII character strings must be no longer than 255 characters. Multi-byte character 

set (MBCS) strings must be between 127 and 255 characters. 

Configuring the scanner to scan registry keys 

The inventory scanner can scan for registry keys you specify and add their values to 

the core database. This can be useful for customized software, asset information, or 

other information stored in the registry that you want to include in the core 

database. 

To use registry key scanning, add a section at the very beginning of the 

LDAPPL3.TEMPLATE file with this format: 

[Registry Info] 

KEY=HKLM, Software\Intel\LANDesk, version 

Change the values after KEY= to match the registry key you're looking for. In the 

example above, notice that each registry key element is separated by commas. 

When the inventory scanner retrieves the registry key data, you can view it in the 

Registry category under Custom Data. 

416

APPENDIX A: ADDITIONAL INVENTORY OPERATIONS AND TROUBLESHOOTING 

Specifying the software scanning interval and 

history 

You can specify when to scan a client's software and how long to save the inventory 

changes history log on the core server. These intervals apply to every client. 

Note: A client's hardware is scanned every time it boots and is connected to the 

network. 

To specify the software scanning settings 

1. In the console's network view, click Configure | Services | Inventory | 

Software Scanning. 

2. Specify the frequency of software scanning. 

3. Specify the number of days to save the history. 

The core server and software scanning 

This feature affects only clients. It doesn't affect the core server, which is always 

scanned daily. 

Scheduling an inventory scan task 

If the client is running the LANDesk agents, you can use the Scheduled Tasks tool to 

schedule an inventory scan using a predefined script. You can schedule the inventory 

scanner script with the Schedule Script toolbar button located in the Scheduled Tasks 

window. 

The inventory scanner script is located in the \Program 

Files\LANDesk\ManagementSuite\Scripts directory. The script is a Windows .INI file 

that you can edit with any text editor. If you need to change the options or 

parameters within the script, open it and follow the instructions contained within it. 

Scanner command-line parameters 

You can add command-line parameters to the inventory scanner's (LDISCN32.EXE) 

shortcut properties to control how it functions. 

The following table lists the scanner's command-line parameters: 

Option 

/NTT=IP 

Description 

Core server's IP address or DNS name and 

UDP port. For example, 

/NTT=123.123.123.123:5007 or 

/NTT=CORESERVER:5007. The OS/2 scan 

utility, LDISCAN2.EXE, and DOS scanner 

utility, LDISCAN.EXE, don't use this 

parameter. 

417

USER'S GUIDE 

/NTI=IPX 

/UDP 

Core server's IPX address. For example, /NTI 

=00100302:0040C9B8ODC9:26f5. 

Scanner communicates via UDP instead of 

TCP. Combine this switch with /NTT=[IP]. 

/NTN=NetBIOS 

Lana number 

/NOUI 

/pt 

/i=inifile 

/d=directory 

NetBIOS Lana number the scanner should 

use. 

Forces the scanner to run with no user 

interface. 

Disables priority thread lowering when the 

/NOUI switch is used. By default with /NOUI, 

the scanner runs at a lower priority unless you 

use this switch. 

Provides the path (HTTP, UNC, or a drive 

letter) to the master LDAPPL3 file. 

WLDISCAN.EXE and LDISCN32.EXE also 

copy the LDAPPL3 file they find in this location 

to the client's local LDAPPL3.INI file. The 

scanners compare the date of the master 

LDAPPL3 with the local LDAPPL3.INI; if the 

dates don't match, the master file is copied 

locally. 

Starts the scan in the specified directory. By 

default, the scan starts in the root directory of 

each local hard drive. 

/L Sends the scan to the core server the client 

was configured from. When you use /L, the 

/NTT parameter isn't necessary. 

/sync 

Forces a full scan, including a complete 

software scan. Full scan files can be several 

megabytes in size. 

/n Doesn't search subdirectories. 

/v Issues status messages while scanning, 

except during WLDISCAN. 

/Z=retry count 

/A=timeout 

How many times the scanner tries to resend 

the scan. 

How long the scanner waits before timing out. 

418


/W=wait in seconds 

Have the scanner wait the number of seconds 

specified before starting a scan. 

/ or /h Displays the command-line syntax help. 

/s=servername 

Specifies the core server to store the inventory 

data on. 

/f Forces a software scan regardless of the 

software scan interval set at the console. 

Specify /f- to disable a software scan 

regardless of the software scan interval set at 

the console. 

/t=[path]filename 

/o=[path]filename 

Copies the contents of the specified file to the 

core database. Use this option to enter 

inventory data from standalone clients or from 

separate inventory files. 

Writes inventory data to the specified output 

file. 

/m Creates a non-unicode LDISCAN.MIF file in 

the C:/DMI/DOS/MIFS directory. This file 

contains the inventory data discovered during 

the scan. 

/muni 

/smbios 

(LDISCN32.EXE only) Creates a unicode 

LDISCAN.MIF file in the directory found in 

LDAPPL3.INI file's MIFPATH. This file contains 

the inventory data discovered during the scan. 

Scans SMBIOS using LDISCN32.EXE. 

To scan Windows clients at startup 

1. Place the inventory scanner in the client's startup group. 

2. Click File | Properties, then enter these parameters at the command line: 

/V /S=Servername /NTT or /NTN or /NTI =. 

419

USER'S GUIDE 

Scanning standalone clients with a floppy disk 

To scan a standalone client 

1. Copy the proper inventory scanner utility and a software description file 

(usually LDAPPL3.INI) to a floppy disk. (You may also need to copy 

ELOGAPI.DLL, YGREP32.DLL, LOC16VC0.DLL, INV16.EXE, LOC32VC0.DLL, 

LTAPI.DLL, and LDISCN32.EXE.) 

2. Run the scan with the /O= parameter specifying the path and filename of the 

output file. 

3. At the command-line prompt, enter a unique name for the client. This name is 

saved in the LDISCAN.CFG file on the client's local drive. This name also 

appears in the Description field in the core database. For example: 

ldiscn32.exe /f /v /o=c:\%computername%.scn 

Adding inventory records to the core database 

You can add inventory information from a standalone client or separate inventory 

files by running the inventory scanner from the operating system command line. 

To add inventory records from a file to the core database 

• Run the scan utility with the /S= , /T=, and either the /NTT or /NTI 

parameters. 

Adding BIOS text strings to the core database 

There is a section in the LDAPPL3.TEMPLATE file called [BIOS Info]. This section 

provides the capability to search for information inside the BIOS of a computer. You 

can add one or more entries to the [BIOS Info] section. These entries define new 

keys in the core database and provide parsing instructions to the inventory scanner. 

The parsing instructions identify where to look in the LDBIOS.TXT file for a specific 

string. Using these instructions, the inventory scanner populates the core database 

with the strings from the LDBIOS.TXT file. 

The inventory scanner uses a parsing method to locate BIOS information. This allows 

you to search for information one or more lines away from a specified text string. 

Such a search would enable you to locate random letter and number combinations 

assigned to computer hardware. 

Text strings in LDBIOS.TXT 

During an inventory scan, Management Suite outputs the text strings available in the 

BIOS to a text file called LDBIOS.TXT. This hidden file is stored in the same location 

as the LDISCAN.CFG file, which is by default the root of the C: drive. LDBIOS.TXT 

stores all of the strings that are created by the scanner. If you want to store this 

information in the database, you can store it as a configuration file by using the 

CFGFILES parameter in LDAPPL3.INI. 

420


Sample of BIOS entries in the LDAPPL3.TEMPLATE file 

Here is an example from the [BIOS Info] section in the LDDAPPL3.TEMPLATE file: 

[BIOS Info] 

StringLength=4 

Key = BIOS - Manufacturer 

Parameters = AllValues,FirstInstance 

Value = AMI|American Megatrends::AMI::BIOS - AMI 

Value = Copyright.*Dell::Dell::BIOS - Dell 

[BIOS - AMI] 

Key = % - Version 

Parameters = FirstValue,FirstInstance 

Value = BIOS Version $.*$::\1 

Key = % - Copyright Notice 

Parameters = AllValues,AllInstances 

Value = (C).*$AMI|American Megatrends$ 

[BIOS - Dell] 

Key = % - Version 

Parameters = FirstValue,FirstInstance 

Value = BIOS Version $A.+$::\1 

Value = BIOS Version: $A.+$::\1 

Key = % - Copyright Notice 

Parameters = AllValues,AllInstances 

Value = (C).*Dell|[Cc]opyright.*Dell 

Understanding BIOS entries 

Entries in the [BIOS Info] section consist of the following: 

• [Section name]: Identifies a new component in the core database. 

• StringLength=: Specifies the minimum length of the strings to search for. 

• Key=: Identifies the class and attribute name of the information returned 

from searching the LDBIOS.TXT file. 

• Parameters=: Specifies the search criteria that tells the scanner where and 

how to search for values associated with a specific key. 

• Value=: Specifies the value that is searched for in the BIOS. A value has 

three main sections, each separated by a double colon character (::). The 

strings identified in the value entry are case-sensitive. All characters in the 

value, even spaces, are included in the search unless they are an operator. 

Creating MIF files 

If you need a MIF file that stores a client's inventory information, you can create one 

by running the appropriate scanner at the command line. 

To create a unicode MIF file, use the /MUNI option. To create a non-unicode MIF file, 

use the /M option. 

421

USER'S GUIDE 

To create MIF files 

• Enter this at a DOS prompt: 

LDISCN32 /MUNI /V 

Scanning NetWare servers 

Management Suite uses LDISCAN.NLM to scan NetWare servers for hardware and 

software information. The command-line syntax for LDISCAN.NLM is: 

LOAD LDISCAN[.NLM] INV_SERV=servername 

NTI=IPX address FILE=path [TIME=#] [SCANNOW] [MIF] 

The following table lists the command-line parameters that you can use with the 

NetWare scanner. 

Option 

INV_SERV = serenade 

NTI = IPX address 

FILE = path 

TIME = # 

SCANNOW 

MIF 

Description 

Directs the results of the scan to the specified server. 

The specified server must be running the inventory 

service. 

Gives the IPX address of the core server to send the 

inventory information to. 

Lists the path to the LDAPPL3.INI file. 

Sets the time of day for the server hardware scan in 

whole hours. The clock is in military time, so 0 = midnight 

and 23 = 11 p.m. Configure software scans in Options | 

Software Scanning. The default is 8 p.m. 

Forces an core server scan at the time the NM is loaded. 

Creates the LDISCAN.MIF file for the core server. The 

.MIF file contains the inventory information gathered from 

the server. 

To load LDISCAN.NLM on a NetWare server 

• From the server console, enter the proper syntax at the LDISCAN.NLM 

command line. 

For example, to scan a server daily and record its inventory data in the core 

database on "Server1," enter: 

LOAD LDISCAN INV_SERV=SERVER1 TIMEWORK 

NUMBER:NODE ADDRESS:SOCKET FILERS:MONEYCHANGER 

To unload LDISCAN.NLM from a server, enter: 

UNLOAD LDISCAN 

422


Scheduling NetWare server scans 

LDISCAN.NLM scans recur every day as specified by the TIME=# parameter. The 

TIME parameter is set in military time, so 0 is midnight and 23 is 11 p.m. The default 

is 8 p.m. 

To change the time for server scans 

• Add the TIME = # parameter to the load LDISCAN.NLM entry of 

LD_AUTO.NCF. 

Scanning Mac OS X clients 

The Mac OS X inventory scanner runs from the Mac OS X startup group. When you 

first install the LANDesk agents for OS X, you need to configure the agent 

preferences manually on each client. At a minimum, you must configure the Send 

scan to address option. 

You can change the Mac OS X scanner preferences by opening the Mac OS X System 

Preferences and selecting the LANDesk Client panel. The LANDesk client panel 

has these options: 

• LDMS server address: Enter the core server's IP address or resolvable 

name so the scanner can send your inventory scans up to the core database. 

• Save scan to directory: Choose a directory on this client where you want to 

save the scan data. This option is important if you didn't enter the core server 

address above; the scan data will not be lost, but will be saved on this client 

for future use. 

• Force software scan: Force a software scan to occur each time the 

hardware scan occurs. 

To include a component in an inventory scan 

1. Scroll down the hardware and software lists to see the components a scanner 

can detect on this client. 

2. Click the checkbox next to the hardware or software component you want to 

include in a scan. The next time a hardware or software scan occurs, these 

components will be included in the appropriate scan. 

Scanning Mac OS 9.2.2 clients 

To change Mac inventory scanner preferences, open the Mac scanner from 

Applications (Mac OS9):LANDesk. The scanner scans all local, non-removable 

volumes. You can manually start a scan by clicking the Execute button. 

If you select the Scan to file checkbox, the Mac inventory scanner saves a scan to a 

text file in the extensions folder with the date and time appended to the filename. 

423

USER'S GUIDE 

Selecting Macintosh components to inventory 

The Macintosh inventory scanner provides component categories for Macintosh 

inventory scans. You can select which categories to record inventory information on. 

The following table lists the hardware component categories you can scan for on 

Macintosh clients. 

Hardware 

component 

AB Devices 

CPU 

Monitors 

NuBus Boards 

SCSI Devices 

Volumes 

Description 

Apple Desktop Bus devices such as 

keyboards and mice. 

Microprocessor, coprocessors, and other 

CPU-related components. 

Any display attached to the client. 

Add-on boards designed for Apple's NuBus 

slots. 

Any SCSI hard drives and daisy-chained 

SCSI devices. 

Any local hard drives. 

The following table lists the software component categories you can scan for on 

Macintosh clients. 

Software component Description 

Applications 

Desk Accessories 

Drivers 

Fonts 

INITs 

System Info 

Find any software application on a local hard drive. 

Find any Desk Accessory in the Apple Menu Items folder 

within the System folder. 

Find any device driver functioning on the client. 

Find any font loaded in the System folder. 

Find any INIT loaded in the System folder. 

Discover the version and other information related to the 

operating system and network in use. 

Editing the LDAPPL3.TEMPLATE file 

Information relating specifically to the scanner's inventory parameters is contained in 

the LDAPPL3.TEMPLATE file. This template file works with the LDAPPL3 file to identify 

a client's software inventory. 

You can edit the template file's [LANDesk Inventory] section to configure the 

parameters that determine how the scanner identifies software inventory. By default, 

LDAPPL3.TEMPLATE is located in this directory on the core server: \Program 

Files\LANDesk\ManagementSuite\LDLogon 

424


Use this table as a guide to help you edit the [LANDesk Inventory] section in a text 

editor. 

Option 

Mode 

Duplicate 

ScanExtensions 

Version 

Revision 

CfgFiles 1-4 

Description 

Determines how the scanner scans for software on clients. The default 

is Listed. Here are the settings: 

• Listed: Records the files listed in LDAPPL3. 

• Unlisted: Records the names and dates of all files that have 

the extensions listed on the ScanExtensions line but that are 

not defined in the LDAPPL3. This mode helps discover 

unauthorized software on the network. 

• All: Discovers listed and unlisted files. 

Records multiple instances of files. Set the value to OFF to record only 

the first instance, or ON to record all detected instances. The default is 

ON. 

Sets the file extensions (.EXE, .COM, .CFG, etc.) that will be scanned. 

Use a space to separate the file extensions. By default, only .EXEs are 

scanned. 

Is the version number of the LDAPPL3 file. 

Is the revision number of the LDAPPL3 file; helps ensure future 

compatibility. 

Records the date, time, file size, and contents of the specified files. You 

can leave out the drive letter (for example, c:) if you want to search all 

local drives. You can specify more than one file on each of the four 

lines, but the line length is limited to 80 characters. 

Separate path names on the same line by a space. 

The scanner compares the date and size of the current file with that of 

the previous scan. If the date and size don't match, the scan records 

the contents of the file as a new revision. 

ExcludeDir 1-3 

MifPath 

Excludes specific directories from a scan. You can leave out the drive 

letter (for example, c:) if you want to exclude all local drives. 

Enumeration must start at 1 and be continuous. You must end each line 

with "\". 

Specifies where MIF files are stored on a client's local drive. The default 

location is c:\DMI\DOS\MIFS. 

425

USER'S GUIDE 

UseDefaultVersion 

If set to TRUE, the scanner reports a match when a file matches an 

exact filename and file size entry in LDAPPL3 on filename only (the 

version will be reported as EXISTS). This can cause some false 

positives for applications that share a common filename with an 

unknown application. In the as-delivered LDAPPL3.TEMPLATE file, this 

parameter is set FALSE; that is, only add an entry if the match is exact. 

If the parameter is missing, it defaults to TRUE. 

SendExtraFileData 

If set to TRUE, sends extra file data to the core server. The default is 

FALSE. This means that by default, only path, name, and version are 

entered into the core database. 

To edit the LDAPPL3.TEMPLATE file 

1. From your core server, go to the LDLogon directory and open 

LDAPPL3.TEMPLATE in Notepad or another text editor. 

2. Scroll down to the parameter you're interested in updating and make your 

changes. 

3. Save the file. 


5. Click the Make Available to Clients toolbar button to make the most recent 



Troubleshooting the inventory scanner 

This section describes common inventory scanner problems and possible solutions. 

The inventory scanner hangs 

• Make certain that you aren't including the old /DELL or /CPQ options on the 

command line. Management Suite no longer supports these options. 

• Scan to a file using the /O= parameter. This may show a conflict with the 

network card or the network. 

• If it's still hanging, try rebooting the client with no memory manager or other 

TSRs, then run the scan utility. TSR stands for Terminate and Stay Resident. 

These are usually DOS programs that load, terminate, and leave other 

modules running in memory. 

A client's hardware scans correctly, but its software doesn't 

• Verify that the core database is configured to do a software scan now, and 

use the /f parameter to force a software scan. 

• Scan to a file using the /O= parameter. This should list all of the software at 

the end of the file. 

• Verify that the client is not trying to scan in a binary file in 

LDAPPL3.TEMPLATE's CfgFiles parameter. 

426


The network view provides inventory data for only some clients 

To view client information, ensure that your clients have been scanned into the core 

database. Clients appearing without information haven't been scanned into the core 

database. 

To view a client's inventory data in the network view 

1. Configure the client. 

2. Scan the client into the core database. 

For more information about configuring clients 

Refer to chapter 2, "Configuring clients." 

For more information about scanning clients 

Refer to chapter 4, "Managing inventory and reports." 

The processor speed appears incorrectly or as 0 MHz 

No standard call exists that an application can use to query the speed of a processor. 

To determine the speed of a processor, Management Suite's scan utilities check how 

many operations the processor performs in a given block of time. This means that 

the scan utility must know the processor type so that it can determine how many 

operations per second the processor should complete. Therefore, if a client has been 

optimized or has below-average performance, the scan utility may determine its 

processor speed incorrectly. The difference in actual speed and reported speed is 

usually small. For example, it may report that a 166 MHz client is running at 168 

MHz. 

A client may also show a process speed of 0 MHz for a related reason. Management 

Suite's scan utilities use a table that indicates how many instructions per second a 

processor should execute. When the scan utility's table doesn't have an entry for a 

particular processor type, the scan utility reports 0 MHz. 

Controlling configuration file changes 

If you have problems with corrupted files that prevent users from running Windows, 

use an .INI file to store the latest configuration files (for example, WIN.INI and 

SYSTEM.INI) for the clients on your network. 

Configure LDAPPL3.TEMPLATE to search for the .INI files you want, then set up 

Management Suite to store the number of revisions you want to keep. 

427

USER'S GUIDE 

To specify the files you want stored in the core database 

1. Using Notepad, edit \LDMain\LDLogon\LDAPPL3.TEMPLATE. 

2. On the lines marked CfgFiles, enter the names and paths of the files you 

want recorded, separated by a space. 

There is a maximum of 80 characters per line. You can exclude the drive 

letter and add an extra "\" if you want the scan to search all physical drives. 

3. Save your changes and exit the editor. 

For more information on editing the template file, see "Editing the 

LDAPPL3.TEMPLATE file" earlier in this chapter. 

To specify the number of file revisions to keep in the core database 

1. Click Configure | Services | Inventory. 

2. Specify the number of days you want to keep inventory scans. 

3. Click OK. 

428

Appendix B: Additional OS deployment and 

profile migration information 


Additional OS deployment procedures 

• Creating an imaging boot disk 

• Adding application package distributions to the end of an OSD script 

• Using CSVIMPORT.EXE to import inventory data 

• Creating custom computer names 

• Customizing the SYSPREP.INF [RunOnce] section with tokenized inventory 

values 

• Using images in mixed uniprocessor and multiprocessor environments 

• Adding network adapter drivers 

• Using the LANDesk imaging tool for DOS 

• Using the LANDesk imaging tool for Windows 

Help for the OS Deployment/Migration Tasks wizard 

• Choose a task page 

• Configure imaging task page 

• Enter script information page 

• Enter credentials for image and imaging tool shares page 

• Choose image store and imaging tool location page 

• Enter additional deployment commands page 

• Configure Multicast options page 

• Configure advanced Multicast options page 

• Specify Sysprep file information page 

• Configure multiprocessor information page 

• Specify generic Sysprep options page 

• Specify Sysprep network options page 

• Assign naming convention for target computers page 

• Enter LANDesk client install location information page 

• Select a collection for this profile page 

• About the Collection Manager dialog 

• About the File Rule dialog 

• About the Collection of Rules dialog 

• About the User-Initiated Package dialog 

• Enter credentials for profile storage page 

• Enter DOS commands to execute on the client page 

429

USER'S GUIDE 

Additional OS deployment procedures 

The sections below provide supplemental information about LANDesk's imaging and 

migration capabilities that may be useful as you implement these features. 

Creating an imaging boot disk 

LANDesk OS deployment (OSD) includes a boot disk creation utility that allows you 

to easily create a disk you can use to boot clients into a managed state in your 

Management Suite network. You can use this boot disk to continue OSD jobs on 

clients that do not have an operating system or that failed a job for some reason and 

are no longer bootable. Once you boot a client with this boot disk, you can schedule 

a job for it. 

Note: A user must have administrator rights on the core server if they want to 

create an OSD boot disk (even if they have the Management Suite OSD right). 

Boot disks are associated with the core server where they were created. If you have 

multiple core servers, use a boot disk created from the core server you want the 

client to report to. 

To create an imaging boot disk 


2. In the Manage Scripts window, click the Create Boot Floppy toolbar button 

to open the Create Imaging Boot Disk dialog. 

3. Insert a 1.44 MB diskette into the floppy disk drive and make sure the 

destination floppy drive is correct. 

Note: All data on the diskette will be erased. 

4. Select the network adapter you want this boot floppy to support. Each floppy 

can only support one adapter because of disk space limitations. 

5. Click Start. The Status box indicates the progress of the disk creation. 

6. When finished, click Close to exit the dialog. 

430

APPENDIX B: ADDITIONAL OS DEPLOYMENT AND PROFILE MIGRATION INFORMATION 

Adding application package distributions to the end of an OSD 

script 

You can easily make an Enhanced Software Distribution (ESWD) application package 

distribution part of your OS deployment script. 

To add ESWD packages to an OS deployment script 

1. Open your package script in the LANDesk/ManagementSuite/Scripts directory 

and copy the REMEXECx= package distribution lines. 

2. Edit your script by right-clicking it in the Manage Scripts window and clicking 

Advanced edit. 

3. Paste the ESW REMEXEC commands at the bottom of your script, changing 

the REMEXEC numbering so that the numbers are sequential. 

4. Insert a line before the ESWD lines you pasted in for LDSLEEP, similar to 

below. This allows time for the OS to finish booting before starting the 

package installation. 

REMEXECxx=LDSLEEP.EXE 120 

Replace xx with a unique sequential number. 

Using CSVIMPORT.EXE to import inventory data 

Included with Management Suite is a command-line utility that allows you to import 

inventory data into the core database. This can be useful if you're installing new 

clients and you have information like MAC addresses available. You can use 

CSVIMPORT.EXE to import this data to Management Suite so you can target clients 

ahead of time for OS deployment jobs. 

CSVIMPORT.EXE requires a template file describing the field contents and what 

columns in the core database the data should go in. CSVIMPORT.EXE also requires 

the .CSV file containing the data matching the template file you specify. 

CSVIMPORT.EXE creates miniscan files that you can then copy to the 

LANDesk/ManagementSuite/LDScan directory so they get added to the core 

database. 

Sample template file: 

Network - NIC Address = %1% 

Network - TCPIP - Adapter 0 - Subnet Mask = 255.255.255.0 

BIOS - Serial Number = %2% 

BIOS - Asset Tag = %3% 

Display Name = %4% 

Note that you can include custom data in the files. The entries %1, %2, and so on 

refer to the first, second, and so on columns. The subnet mask in this case will be 

applied to all entries as 255.255.255.0. The template file can't have any header text 

other than the actual template information. 

431

USER'S GUIDE 

Sample .CSV file: 

0010A4F77BC3, SERIAL11, ASSETTAG-123-1, MACHINE1 






Run CSVIMPORT with these three parameters: 

. If you want the output to be entered in the core 

database immediately, specify your LANDesk/ManagementSuite/LDScan directory for 

output. 

Creating custom computer names 

The Assign naming convention for target computers page of the OS 

Deployment/Migration Tasks wizard lets you create computer names based on MAC 

addresses, text you enter, and counters (nnn...). You can also create names based 

on inventory data for asset tags, serial numbers, and login names by creating a 

COMPUTERNAME.INI file in your Management Suite directory. 

COMPUTERNAME.INI syntax: 

[Rename Operations] 

tok0=ASSET TAG 

tok1=SERIAL NUMBER 

tok2=LOGIN NAME 

The values returned by the .INI file substitute for the $MAC token in the wizard's 

naming convention page. 

You can only use the above three inventory values in the file. OS deployment checks 

the options in the numeric tok order. All three of the above tokens don't have to 

be in the file. The first tok option found that has an equivalent database entry 

substitutes for the $MAC token for the client being imaged. For example, in the case 

above, if there were no asset tag or serial number entries in the database, but there 

was a login name, the login name would be used for the $MAC token. If none of the 

options match, the MAC address is used for the $MAC token. 

The login name option returns the login name returned by the most recent inventory 

scan. 

432


Using the nnn computer name token 

The Assign naming convention for target computers page of the OS 

Deployment/Migration Tasks wizard includes an nnn option that substitutes for a 3- 

15 digit number, depending on how many n characters you specify. For each 

computer name template you use in the wizard, OS deployment keeps a running 

counter of the numbers used. This way, subsequent jobs continue where the last job 

left off. 

Every unique template has its own counter. If you always use the same template, 

the counter will span jobs. If you change your template after deploying some clients 

and later decide to go back to the template you originally used, the counter 

remembers where you left off for that template and continues counting. 

Customizing the SYSPREP.INF [RunOnce] section with 

tokenized inventory values 

The SYSPREP.INF contains a [RunOnce] section that specifies programs to run after 

the client boots for the first time. If you add your own programs to that section, you 

can include database tokens on the program command line if they're useful to the 

program you're running. OS deployment substitutes the token you specify with 

corresponding information from the core database. 

Sample tokens: 

%Computer - Device Name% 

%Computer - Login Name% 

%Computer - Manufacturer% 

%Computer - Model% 

%Computer - Type% 

%Computer - BIOS - Asset Tag% 

%Computer - BIOS - Service Tag% 

%Network - TCPIP - Address% 

%System - Manufacturer% 

%System - Model% 

%System - Serial Number% 

%Processor - Processor Count% 

%Computer - Workgroup% 

%Computer - Domain Name% 

You can chain multiple tokens together. For example, to separate two tokens by a 

colon: %Computer - Workgroup%:%Computer - Device Name% could return 

MyWorkgroup:MyComputer. 

Note: You should only use tokens that return a single value. 

433

USER'S GUIDE 

Using images in mixed uniprocessor and multiprocessor 

environments 

Uniprocessor and multiprocessor clients require different Windows 2000 and 

Windows XP images. Depending on your hardware configuration, you may be able to 

use your uniprocessor image on a multiprocessor client, or vice versa. 

Clients that support advanced processor features typically have an Advanced 

Programmable Interrupt Controller (APIC). Clients that support advanced processor 

features can also have an Advanced Configuration and Power Interface (ACPI). 

Note: The support matrix for sharing an image between uniprocessor and 

multiprocessor clients is complex. You should refer to Microsoft's UNATTEND.TXT file 

for more details. Generally, you need to remember the following when sharing 

uniprocessor and multiprocessor images: Both the source and target clients 

must have either an ACPI APIC HAL or a non-ACPI APIC HAL. You can't use 

an ACPI APIC image on a non-ACPI APIC client, or vice versa. 

To configure multiple processor information 

1. In the Sysprep file information page of the OS Deployment/Migration Tasks 

wizard, select Configure advanced multiprocessor options and then click 

Next. 

2. In the Configure multiprocessor information page, select whether you're 

deploying a Windows 2000 or a Windows XP image. 

3. Select whether the image you're using was created on a Uniprocessor or 

Multiprocessor client. 

4. Your source and target clients have the same HAL. If your image was created 

on an APIC ACPI client, select APIC. If your image was created on a non- 

ACPI APIC client, select MPS. 

Adding network adapter drivers 

There are three network adapter driver detection phases that occur during on OS 

deployment job, as follows: 

Phase 1 occurs in Windows: 

NICINFO.EXE detects PnP drivers in Windows 2000, XP, and Me. It also detects 

Windows 9x if IE 4.02 or higher is installed. NICINFO.EXE writes the detected vendor 

and device ID to DOSNIC.INI on the virtual boot image. 

434


Phase 2 occurs in DOS: 

AUTODETE.EXE looks for the DOSNIC.INI left by NICINFO.EXE and reads the vendor 

and device ID. AUTODETE.EXE then refers to NIC.TXT to find the corresponding 

driver to load. It copies the driver from c:\Net\Drivers on the virtual boot image to 

the current RAM drive image (r:\Net by default). AUTODETE.EXE then sets the 

Microsoft DOS network stack configuration files, SYSTEM.INI and PROTOCOL.INI. 

If DOSNIC.INI is empty, AUTODETE.EXE scans all PCI device slots looking for 

network adapter vendor and device IDs. If the ID found matches an entry in 

NIC.TXT, AUTODETE.EXE loads that driver. 

Phase 3 continues in DOS: 

If DOSNIC.INI is empty and AUTODETE.EXE can't match the discovered ID with 

NIC.TXT, it loads the driver specified in the OS Deployment/Migration Tasks wizard. 

If this driver doesn't load, the client will be stuck in DOS, and you'll need to reboot it 

manually. If no driver was specified in the wizard, AUTODETE.EXE saves an 

AUTODETE.LOG file to the drive root and the client boots back into the original 

operating system. 

NICINFO.EXE and AUTODETE.EXE don't support 16-bit PCMCIA network adapters. 

You can load the drivers for these network adapters by selecting the appropriate 

driver in the OS Deployment/Migration Tasks wizard as described in Phase 3. 

NICINFO.EXE can detect network adapters that support CardBus. 

NICINFO.EXE requires PnP support. Windows NT 4 has no PnP support. 

Adding network adapter drivers 

To add network adapter drivers that aren't included in Management Suite 

1. Edit the ALTDRIVERS.INI file in the Management Suite directory. 

2. Edit the NIC.TXT file in the ..\ManagementSuite\OSD\Utilities directory. 

3. Use COPYFILE.EXE to insert the .DOS or .EXE driver file into the virtual boot 

image in ..\ManagementSuite\LANDesk\Vboot\LDVBOOT.IMG 

4. Use COPYFILE.EXE to insert NIC.TXT to the virtual boot image. 

Editing the ALTDRIVERS.INI file 

ALTDRIVERS.INI is the driver description file. 

Sample entry: 

[Intel PRO/1000 Adapters] 

DRIVER=E1000.DOS 

PROTOCOL=E1000 

435

USER'S GUIDE 

The description between [ ] can be anything. This is the text that appears in the OS 

Deployment/Migration Tasks wizard when you manually select a network adapter 

driver: 

• DRIVER is the .DOS or .EXE network adapter driver. 

• PROTOCOL often is the same as the driver name or the manufacturer name. 

Editing the NIC.TXT file 

NIC.TXT has information for detecting network adapters. You'll need to edit the 

NIC.TXT to add custom adapter information. Here's a sample entry: 

ven=115D "Xircom" 

dev=0003 "Xircom CardBus Ethernet 10/100 Adapter" 

drv="CBENDIS.EXE" 

prot="XIRCOM" 

These are the four possible keys and values: 

• ven is four characters (for example, 1 must be 0001); description can be 

anything. 

• dev is four characters; description can be anything. 

• drv is the driver name; default extension is .DOS. 

• prot is the protocol, often the same as the driver name or the manufacturer. 

As you can tell by looking at NIC.TXT, not all drivers have all keys. 

Injecting driver changes back into the virtual boot image 

To inject driver changes back into the virtual boot image, use copyfile. The syntax is: 

COPYFILE 

Example: 

COPYFILE c:\Program 

Files\LANDesk\ManagementSuite\LANDesk\Vboot\LDVBOOT.IMG 

c:\Drivers\MYNIC.DOS\Net\Drivers\MYNIC.DOS 

Note: The variable can't contain the drive letter designation. 

You need to copy the .DOS or .EXE network adapter driver to c:\Net\Drivers and the 

updated NIC.TXT to c:\Net 

436


Using the LANDesk imaging tool for DOS 

Note: When you install the OS deployment and profile migration component, files for 

the LANDesk imaging tool are automatically installed on your core server. If you 

want to run the LANDesk imaging tool from a different location, you need to copy the 

following four files: IMAGEALL.EXE, IMAGE.EXE, RESTALL.BAT, and BACKALL.BAT. 

LANDesk's imaging tool for DOS (IMAGE.EXE) is a DOS-based backup and restore 

utility that creates a snapshot of an entire partition or volume and saves it to a set of 

files, or saves it directly to most ATAPI CD-R/RW drives. If something should ever 

happen to that partition or volume, you can simply restore the snapshot image. 

Limitations 

IMAGE.EXE relies on the BIOS for processing disk functions. If a computer BIOS 

limits access to the hard drive for any reason and no drive manager is available to 

correct the limitation, IMAGE.EXE will also be limited. 

System requirements 

• IBM-compatible personal computer with an i80386-compatible microprocessor 

or greater 

• 16 MB RAM 

• XMS 

Getting started 

IMAGE.EXE is installed as part of LANDesk OS Deployment in the \Program 

Files\LANDesk\ManagementSuite\osd\imaging directory. 

Environment variables 

You can use several different environment variables with IMAGE.EXE: 

• IMSG displays a message on the screen. To create a message with IMSG, use 

the set command (i.e., set imsg=). 

• IBXT changes the method used to burn a set of CDs so that IMAGE.EXE 

doesn't prompt for the last CD during a restore. Set IBXT to a value of 1. 

(i.e., set ibxt=1). This setting may not work with all CD-R/RW drives. 

• IAR enables IMAGE.EXE to auto-respond to prompts and error messages 

when creating an image to a file. Set IAR to Y or N (i.e., set iar=Y). With this 

setting, all 'Y'es or 'N'o prompts that require users to press Enter are 

automatically responded to. You can use DOS errorlevels in a batch file to 

determine if the operation succeeded or failed. 

• IOBS=A tests the network speed and uses the best buffer size for 

uploading/downloading an image. 

437

USER'S GUIDE 

Command-line options 

You can use command-line options with IMAGE.EXE. Separate the options by spaces 

and enter them in the order shown below. Use the / command-line option to view a 

list of additional command-line options not explained here. 

To create a compressed image to a file 

Format 1: image /Ch# d:\filename.img (no validation) 

Format 2: image /Ch#V d:\filename.img (validation) 

Format 3: image /Ch#VB d:\filename.img (byte-for-byte validation) 

Explanation: Replace the h with the source hard drive number from 0 to 7 and the # 

with the partition entry ID. For most users, the partition ID is a number from 1-4, or 

for volumes, a number formatted as 0xPVV where P is the extended partition and VV 

is the volume number in hexadecimal from 01 to FF. 

If you don't know the partition or volume ID, run IMAGE.EXE without any commandline 

options and select Create Image. The screen that lists the partitions and 

volumes will display the ID in parentheses as a hexadecimal number. You should 

prefix that number with a 0x on the command line. 

To create an uncompressed image to a file 

Format 1: image /Ch# /U d:\filename.img (no validation) 

Format 2: image /Ch#V /U d:\filename.img (validation) 

Format 3: image /Ch#VB /U d:\filename.img (byte-for-byte validation) 

Explanation: Same as above. 

To create a compressed image to a CD drive 

Format 1: image /Ch# /CDx (ATAPI) 

Format 2: image /Ch# /CDSx (ASPI) 

Explanation: The h and # information is the same as above. The x after /CD is the 

CD drive number to use. Omit the x (/CD or /CDS) to get a list of the devices. 

To create a uncompressed image to a CD drive 

Format 1: image /Ch# /U /CDx (ATAPI) 

Format 2: image /Ch# /U /CDSx (ASPI) 


438


To restore an image from a file 

Format 1: image /R d:\filename.img (no validation) 

Format 2: image /RV d:\filename.img (validation if needed) 

Explanation: Restores the image to the same hard drive and drive location that it 

was backed up from. 

To restore an image from a CD 

Format 1: image /R /CDx (ATAPI) 

Format 2: image /R /CDSx (ASPI) 

Explanation: The x after /CD is the CD drive number to use. Omit the x (/CD or 

/CDS) to get a list of the devices. 

To limit the file size on creation 

Format: d:\filename;s 

Explanation: Replace the s after the ";" with 0 for 2 GB, 1 for 698 MB, or 2 for 648 

MB. 

Issues to be aware of 

• When creating an image, you shouldn't use the partition being backed up as 

the location of the image file. If you do, the partition will be updated at the 

same time you're trying to back it up. When you restore the partition, the file 

system won't be in a consistent state. 

• When restoring an image, you shouldn't restore over the partition that 

contains the source image file. If you do, the restore will overwrite the file 

system structures and the image file itself. 

• After restoring, the system will reboot. This is required because the partitions 

and file system being used by the OS have changed. If a reboot didn't occur, 

the OS would still think the partition and file system was as it was before the 

restore. This could cause data corruption. You can override a command-line 

restore with /RN, but it should only be used by advanced users who know it's 

safe to not reboot. 

• When you do a command-line restore, the restored partition goes to the same 

hard drive number and physical location on the drive as where it was backed 

up from. If it was a volume and there is no extended partition now at that 

location, then it will attempt to create the original extended partition. If it 

can't create the extended partition, it will be restored as a primary partition. 

If it was a primary partition and now an extended partition encompasses that 

location, then it will be restored as a volume. If an existing partition or 

volume occupies the same starting location as the partition to be restored, 

then a warning message is issued before overwriting that partition or volume. 

• To restore via booting the CD, you must have an ATAPI CD drive. For SCSI 

drives, you must create your own CDBOOT.F35 file to load the appropriate 

DOS ASPI drivers and launch IMAGE.EXE via AUTOEXEC.BAT if desired. 

439

USER'S GUIDE 

Using the LANDesk imaging tool for Windows 

LANDesk's imaging tool for Windows (IMAGEW.EXE) is a Windows 32-based backup 

and restore utility that creates a snapshot of an entire partition or volume and saves 

it to a set of files, or saves it directly to most types of DVD+RW or CD-R/RW drives. 

If something should ever happen to that partition or volume, you can simply restore 

the snapshot image. 

IMAGEW.EXE is compatible with LANDesk's imaging tool for DOS (IMAGE.EXE). 

Limitations 

For use with Windows 9x/Me, IMAGEW.EXE requires that the system support Int 13h 

extensions. If your computer BIOS limits access to the hard drive for any reason and 

no drive manager is available to correct the limitation, IMAGEW.EXE will also be 

limited on those OSes. 

System requirements 

• IBM-compatible personal computer with an i80386-compatible microprocessor 

or greater 

• Windows 32-based environment with 32 MB RAM minimum recommended 

• Administrator privileges when running on Windows NT, Windows 2000, or 

Windows XP 

IMAGEW.EXE is installed as part of LANDesk OS Deployment in the \Program 

Files\LANDesk\ManagementSuite\osd\imaging directory. 

Creating images 

You can use various environment variables and command-line options to ensure that 

the images you create meet your requirements. 

Environment variables 

Environment variables for IMAGEW.EXE must be used with command-line options. 

The following environment variables are available: 

• IBXT changes the method used to burn a set of CDs so that IMAGEW.EXE 

doesn't prompt for the last CD during a restore. Set IBXT to a value of 1 (i.e., 

set ibxt=1). This setting may not work with all CD-R/RW drives. 

• IAR enables IMAGEW.EXE to auto respond to prompts and error messages 

when creating an image to a file. Set IAR to Y or N (i.e., set iar=Y). With this 

setting, all 'Y'es or 'N'o prompts that require users to press Enter are 

automatically responded to. You can use DOS errorlevels in a batch file to 

determine if the operation succeeded or failed. 

440


Command-line options 

You can use command-line options with IMAGEW.EXE. Separate the options by 

spaces and enter them in the order shown below. Use the / command-line option 

for additional command-line options not explained here. 

To create a compressed image to a file 

Format 1: imagew /Ch# d:\filename.img (no validation) 

Format 2: imagew /Ch#V d:\filename.img (validation) 

Format 3: imagew /Ch#VB d:\filename.img (byte-for-byte validation) 

Explanation: Replace the h with the source hard drive number from 0 to 7 and the # 

with the partition entry ID. For most users, the partition ID is a number from 1-4, or 

for volumes, a number formatted as 0xPVV where P is the extended partition and VV 

is the volume number in hexadecimal from 01 to FF. 

If you don't know the partition or volume ID, run IMAGEW.EXE without commandline 

options and select Create Image. The screen that lists the partitions and 

volumes will also display the ID in parentheses as a hexadecimal number. You should 

prefix that number with a 0x on the command line. 

To create an uncompressed image to a file 

Format 1: imagew /Ch# /U d:\filename.img (no validation) 

Format 2: imagew /Ch#V /U d:\filename.img (validation) 

Format 3: imagew /Ch#VB /U d:\filename.img (byte-for-byte validation) 


To create a compressed image to a CD drive 

Format 1: imagew /Ch# /CDx 

Explanation: The h and # information is the same as above. The x after /CD is the 

CD drive number to use. Omit the x (/CD) to get a list of the devices. 

To create an uncompressed image to a CD drive 

Format 1: imagew /Ch# /U /CDx 


To restore an image from a file 

Format 1: imagew /R d:\filename.img (no validation) 

Format 2: imagew /RV d:\filename.img (validation if needed) 

Explanation: Restores the image to the same hard drive and drive location that it 

was backed up from. 

441

USER'S GUIDE 

To restore an image from a CD 

Format 1: imagew /R /CDx 

Explanation: The x after /CD is the CD drive number to use. Omit the x to get a list 

of the devices. 

To limit the file size on creation 

Format: d:\filename;s 

Explanation: Replace the s after the ";" with 0 for 2 GB, 1 for 698 MB, or 2 for 648 

MB. 

Issues to be aware of 

• When running under Windows NT/2000/XP Pro, you must have administrator 

privileges. Under Windows 2000/XP, you can run as any user by right-clicking 

and selecting the Run As option. 

• When creating an image, you shouldn't use the partition being backed up as 

the location of the image file. If you do, the partition will be updated at the 

same time you're trying to back it up. When you restore the partition, the file 

system won't be in a consistent state. 

• If you create a backup without a lock being obtained, that backup may not be 

in a consistent state if updates to the drive were occurring during the backup. 

• When restoring an image, you can't restore over the partition that contains 

the source image file. If you do, the restore will overwrite the file system 

structures and the image file itself. 

• After restoring, the system may need to reboot. This is required under certain 

conditions and determined by the program. If you don't reboot when asked, 

the OS will think the partition and file system is as it was before the restore, 

potentially causing data corruption. You can override a command-line restore 

with /RN, but it should only be used by advanced users who know it's safe to 

not reboot. 

• When you do a command-line restore, the restored partition will go to the 

same hard drive number and physical location on the drive as where it was 

backed up from. If it was a volume and there is no extended partition now at 

that location, then it will attempt to create the original extended partition. If it 

can't create the extended partition, it will be restored as a primary partition. 

If it was a primary partition and now an extended partition encompasses that 

location, then it will be restored as a volume. If an existing partition or 

volume occupies the same starting location as the partition to be restored, a 

warning message is issued before overwriting that partition or volume. 

• To restore via booting the CD, you must have an ATAPI CD drive. For SCSI 

drives, you must create your own CDBOOT.F35 file to load the appropriate 

DOS ASPI drivers and launch IMAGEW.EXE via AUTOEXEC.BAT if desired. 

442


Help for the OS Deployment/Migration Tasks wizard 

This section provides descriptions of the options and settings found on each page 

(and dialog) of the OS Deployment/Migration Tasks wizard. This wizard is used to 

create scripts that capture or deploy OS images, and capture or restore user profiles. 

Scripts can then be scheduled as tasks on target clients on your network. The wizard 

is accessed from either the Toolbar button or shortcut menus in the Manage Scripts 

window (Tools | Manage Scripts). 

You can also access this information by clicking the Help button on the corresponding 

wizard page itself. 

For detailed step-by-step instructions on how to use the OS Deployment/Migration 

Tasks wizard, and what you need to know in order to plan and implement image 

deployment and migration jobs, see Chapter 9, "Deploying OS images and migrating 

profiles." 

Note: All pages of the OS Deployment/Migration Tasks wizard are described here. 

However, the pages you actually see when running the wizard depends on the type 

of imaging or migration task you selected on the first page of the wizard. 

About the OS Deployment/Migration Tasks wizard: 

Choose a task page 

Use this page to specify which type of OSD/Profile Migration script you want to 

create, based on the following tasks: 

• Capture image: Creates a script that captures and stores an OS image from 

a client. Images can be captured using the built-in LANDesk imaging tool that 

installs with Management Suite, or a third-party tool such as Ghost*, 

PowerQuest*, or another tool of your choice. 

• Capture profile: Creates a script that captures and stores a client's unique 

user settings, application and desktop settings, and files. You can also use 

this option to access the Collection Manager dialog to create a User-initiated 

profile migration package that can be run locally at individual clients. 

• Deploy image: Creates a script that deploys a previously captured OS image 

to target clients. 

• Deploy image (with profile capture and restore): Creates a script that 

performs a comprehensive deployment and migration job (capturing profile 

data, deploying an OS image, and then restoring the profile). 

• Restore profile: Creates a script that restores previously captured profile 

data (user settings, application and desktop settings, and files) to target 

clients. 

• Generic DOS tasks: Creates a script that runs DOS commands (including 

application launches) on clients. 

Related Topics 


• Creating migration scripts with the OS Deployment/Migration Tasks wizard 



443

USER'S GUIDE 


Configure imaging task page 

Use this page to configure the following characteristics of an OS imaging task: 

Note: Some of the options listed below may be disabled, depending on what type of 

task (capture or deploy) you selected on the first page of the wizard. 

• Use Multicast: Uses existing multicast domain representatives on subnets of 

your network to deploy the OS image via LANDesk's Targeted Multicasting 

technology. Targeted Multicasting enables you to transmit software packages 

to multiple clients at once, significantly reducing time and bandwidth 

requirements. Instead of sending a package across the wire for each client, 

only one transfer is made for each subnet. 

Note: Before using Targeted Multicasting, make sure the Targeted 

Multicasting components are in place on the subnet you're distributing to. 

Targeted Multicasting requires Management Suite 6.62 or later agents 

and a 6.62 or later multicast domain representative. 

• Image is Sysprepped: Indicates that you used Microsoft Sysprep to 

configure the OS image to be deployed. Selecting this option allows you to 

specify Sysprep file information and deployment options later in the wizard. 

• Include profile migration: Integrates both profile capture and restore 

processes as part of the image deployment job. Selecting this option allows 

you to specify profile migration options later in the wizard. 

• Choose network adapter to use if the driver autodetection fails: 

Ensures that the image deployment job is successful to all target clients. We 

recommend that you enable this option, and then select a network adapter 

that is common to your systems. This is especially important if you're 

deploying to laptops. You should carefully choose a listed network adapter to 

ensure your job succeeds. 


OS deployment uses a phased approach to network adapter detection: 

• OS deployment first tries to detect the network adapter from the 

target client's operating system prior to imaging over it. 

• If that fails, OSD will reboot the target client and try to detect the 

network adapter from DOS. 

• If that fails, OSD uses the network adapter you specified in the 

Undetectable network adapters option on this page of the wizard. 

• If the adapter you specify fails, you must go to the target client and 

manually reboot it. The client will reboot normally into its original OS. 






444



Enter script information page 

Use this page to identify the OS deployment or profile migration script. The text you 

enter here is used when the script displays in the Manage Scripts and Scheduled 

Tasks windows: 

• Script name: Identifies the script with a unique name. If the name you enter 

is already being used, you'll be prompted to replace the existing script. You 

should enter a name that helps you quickly and easily identify the script by its 

function or by the intended target clients on your network. 

• Script description: (Optional) Helps you remember the script with the text 

you type in here. 


Note: If you add this script to the LANDesk PXE DOS Menu, the 

description you enter here will appear in the menu. 




• Configuring the LANDesk PXE DOS (Boot) Menu 


Enter credentials for the image and imaging tool share(s) page 

Use this page to provide authentication credentials for the network share, or shares, 

where the OS image and the imaging tool used to create the image are stored: 

Note: You can enter only one set of credentials that will be used to access both 

shares, so the shares must have matching credentials. The credentials must belong 

to a local user account on the client hosting the share. 

• Username: Identifies a user account with credentials required for the user to 

log on to the network share. 

• Password: Provides the user's password. 

• Domain: Provides the user's Active Directory domain. 




445

USER'S GUIDE 


Choose image store location and imaging tool page 

Use this page to specify the image type you want to capture with this script, where 

the image will be stored, and where the imaging tool is located: 

• Image type: Identifies the file type (format) of the image file captured by 

this script, selected from the list of imaging tools. 

• UNC path where the new image will be saved: Locates the server and 

share where the image file will be stored. The image must be stored on a 

share accessible by clients. Note that the share name cannot include any 

spaces. You can enter just the client name in UNC format, then browse for the 

remainder of the path by clicking the browse button. 

Note: During the imaging process, clients will map this UNC path to 

drive I:. 

• UNC path to imaging tool: Locates the server and share where the imaging 

tool (matching the image type selected above) is located, including the tool's 

executable filename. Note that the share name cannot include any spaces. 


Note: During the imaging process, clients will map this UNC path to 

drive H:. 





Choose image to restore to targeted clients page 

Use this page to specify the type of image you want to restore with this script, where 

the image is stored, and where the imaging tool is located: 

• Image type: Identifies the file type (format) of the existing image file you 

want to deploy with this script, selected from the list of imaging tools. 

• UNC path to image file to restore: Locates the server and share where the 

image file is stored, including the image filename. The image must be stored 

on a share accessible to clients. 

• UNC path to imaging tool: Locates the server and share where the imaging 

tool (matching the image type selected above) is located, including the tool's 

executable filename. 





446



Enter additional deployment commands page 

Use this page to customize the script by adding DOS commands, imaging tool 

command-line parameters, and 'RunOnce" commands: 

Note: The RunOnce commands option displays only when you are creating an image 

deployment script, not when you are creating an image capture script. 

• Enter commands to run before the client is rebooted and imaged: Lists 

DOS commands or Windows program executables. You can add commands in 

this text box, one per line, as if you were typing at a DOS command prompt. 

Commands are sent to clients one at a time. 

Note: Once these commands complete, the OS will shut down and the 

client will reboot in its virtual boot partition. 

• Enter additional command-line parameters for the imaging tool: Lists 

command-line parameters for the selected imaging tool. You can add 

parameters in this text box at the end of the default command line. Refer to 

your imaging tool documentation for available command-line parameters. 

• Enter the RunOnce commands that will run after Sysprep setup runs 

on the client: (This option only applies to image deployment scripts) Lists 

commands that launch application programs you want Windows to run the 

first time the client boots (after Sysprep finishes). You can add commands in 

this text box, one per line, as if you were typing at a DOS command prompt. 

Note: These commands are added to the Windows RunOnce registry 

key: 

\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ 

RunOnce 

• Finish: Saves the image deployment script and then exits the wizard. 

• Cancel: Exits the wizard without saving the script. 




447

USER'S GUIDE 


Configure Multicast options page 

Use this page to configure the following basic LANDesk Targeted Multicasting options 

for an image deployment script: 

• Use Multicast domain discovery: Searches for multicast domain 

representatives on subnets of your network prior to using Targeted 

Multicasting to deploy the image to clients across the network. 

• Use Multicast domain discovery and save results: Searches for multicast 

domain representatives on subnets of your network prior to deploying the 

image, and saves the resulting data to help facilitate future Targeted 

Multicasting deployments. 

Only one discovery's results are saved at a time, so selecting this option 

for an image deployment script will replace the results of the previous 

discovery. 

• Use results of last Multicast domain discovery: Uses the most recent list 

of discovered multicast domain representatives when deploying the image to 

clients. 

Note: Select this option ONLY if you've already saved the resulting data 

of a multicast domain representative discovery at least once. 

• Configure advanced Multicast options: Allows you to further customize 

Targeted Multicasting behavior for a deployment script by configuring 

advanced Multicast options on the next page of the wizard. 




448



Configure advanced Multicast options page 

Use this page to configure the following advanced LANDesk Targeted Multicasting 

options for an image deployment script: 

• Maximum number of Multicast Domain Representatives working 

simultaneously: Controls the maximum number of multicast domain 

representatives that can actively deploy an image via Targeted Multicasting at 

the same time. 

• Number of days files stay in the client cache: Controls the amount of 

time the image file being multicast can reside in the local cache on each 

target client. After this period of time, the file will be automatically purged. 

• Number of days files stay in the Multicast Domain Representative 

cache: Controls the amount of time the image file being multicast can stay in 

the cache on the multicast domain representative. After this period of time, 

the file will be automatically purged. 

• Minimum number of milliseconds between packet transmissions: 

Controls the minimum amount of time to wait between sending out multicast 

packets. This value is only used when the multicast domain representative is 

not multicasting a file from its own cache. You can use this parameter to limit 

bandwidth usage across the WAN. 

Note: If this parameter is not specified, then the default minimum sleep 

time stored on the subnet's multicast domain representative will be used. 

• Maximum number of milliseconds between packet transmissions: 

Controls the maximum amount of time to wait between sending out multicast 

packets. 




449

USER'S GUIDE 


Specify Sysprep file information page 

Use this page to provide the following information about the Sysprep file 

(SYSPREP.INF) used by this script to modify the image being deployed: 

• SYSPREP.INF file source - Use existing SYSPREP.INF file as a 

template: Uses an existing SYSPREP.INF file as a template for a new file and 

indicates where the existing file is stored. The new SYSPREP.INF file, 

containing the settings you specify in this wizard, overwrites the existing 

default Sysprep file. If you want OSD to base its SYSPREP.INF file on one 

you've already created, you can browse for that file. If you don't select an 

existing SYSPREP.INF, OSD creates a new one. 

Note: After you finish the wizard, you can edit the SYSPREP.INF 

associated with a script by right-clicking that script and clicking 

Advanced Edit. 

• SYSPREP.INF location in the image being deployed: Locates where the 

SYSPREP.INF file was stored on the hard drive of the client where Sysprep 

was originally run. In other words, the client whose image is being deployed 

by this script. 

• SYSPREP.INF multiprocessor image support - Configure advanced 

multiprocessor options: Allows you to configure an image to support 

multiprocessors (on Windows 2000 or Windows XP clients) on the next page 

of the wizard. 


Note: Only select this option if the processor count within your image is 

different than the processor count on any of your target clients. 



450



Configure multiprocessor information page 

Use this page to configure the following multiprocessor settings for the image being 

deployed by this script: 

• Enter the Operating System type for the image being deployed: 

Specifies the OS that is part of the image being deployed, either Windows 

2000 or Windows XP. 

• On what type of computer was the image created: Indicates whether the 

image being deployed was created on a uniprocessor or multiprocessor client, 

with either the APIC or MPS architecture. 

• Enter the location of the HAL-related .INF files inside your image: 

Specifies the path to the HAL-related .INF file for the image being deployed 

by this script. By default, the wizard uses Microsoft's default .INF file paths for 

each OS. If you used the default paths when setting up your client for 

imaging, leave the information in this text box as is. Otherwise, type in the 

different path you used to the HAL-related .INF file. 

Additional multiprocessor information 

Uniprocessor and multiprocessor clients require different Windows 2000 and 

Windows XP kernels. Depending on your hardware configuration, you may be able to 

use your uniprocessor image on a multiprocessor client, or vice versa. 

Clients that support advanced processor features typically have an Advanced 

Programmable Interrupt Controller (APIC). Clients that support advanced processor 

features can also have an Advanced Configuration and Power Interface (ACPI). 

The support matrix for sharing an image between uniprocessor and multiprocessor 

clients is complex. You should refer to Microsoft's Sysprep documentation for more 

details. 

WARNING: As a general rule when considering sharing uniprocessor and 

multiprocessor images, remember that both the source and target clients must have 

either an ACPI APIC HAL or a non-ACPI APIC HAL. You can't use an ACPI APIC image 

on a non-ACPI APIC client, or vice versa. 




451

USER'S GUIDE 


Specify generic Sysprep options page 

Use this page to specify the following generic settings for the SYSPREP.INF file used 

by this script to modify the image being deployed: 

• Time zone: Indicates the time zone where the target clients are located. 

• Volume license key: Specifies the license number for the OS that is being 

deployed. 

• Local administrator password for this image: Provides the 

administrator's password for the client that was imaged. 

• Name: Identifies the target clients with a name, such as a department name 

or geographic location. 

• Organization: Identifies your organization with a name, such as a division or 

company name. 





Specify Sysprep network options page 

Use this page to specify the following network settings you want to include in the 

SYSPREP.INF file for this image: 

• Workgroup: Indicates that your target clients reside in a workgroup. If you 

select this option, enter the name of the workgroup in the text box. 

• Domain: Indicates that your target clients reside in a domain. If you select 

this option, enter the name of the domain in the text box and provide the 

following domain account information: 

• Username: Identifies the name of a user in the domain that has 

privileges to add a machine account to the domain. 


• Add machine to OU: Specifies the path (using LDAP path syntax) to 

a specific Microsoft Active Directory OU where you want to add the 

target clients being imaged. 




452



Assign naming convention for target computers page 

Use this page to assign the naming convention for target clients that will be imaged 

by the image deployment script: 

• First attempt to get and use existing computer names from the 

Inventory database: Preserves existing Windows computer names if the 

targeted clients have already had the inventory scanner run on them. The 

image will attempt to use any computer names that already exist in the core 

database. 

• When necessary, use the following template to name target 

computers: Provides a template that defines a naming convention to create 

unique names for target clients that do not currently have a device name 

assigned to them in the core database. This template is useful for CBAdiscovered 

and PXE-booted clients. See the examples on the wizard page. 


• Creating custom computer names 




Enter LANDesk client install location information page 

Use this page to provide the following information needed by the image to install 

LANDesk client software onto target clients: 

• UNC path to directory containing WSCFG32.EXE: Specifies the UNC path 

(usually \\\LDLogon) to the core server or service center where 

WSCFG32.EXE (the Management Suite client Setup file) resides. 

• Authentication credentials: Provides a username, password, and domain to 

authenticate to the core server or service center, so that the image can install 

WSCFG32.EXE onto target clients. 




453

USER'S GUIDE 


Select a collection for this profile page 

Use this page to select a collection of rules for the profile migration script and to 

access the Collection Manager dialog. A collection determines the profile content to 

be migrated (captured or restored) by the migration script: 

• Available collections: Lists all of the available collections on your core 

server. A collection is a user-defined set of rules, each rule identifying a 

specific application, desktop setting, or file that can be migrated. When you 

highlight a collection in the list, a description of that collection appears in the 

message box below. 

Note: You can select only one collection for each migration script. 

However, you can create and modify as many collections as you like, 

using different combinations of application, desktop, and file rules. 

• Manage: Accesses the Collection Manager dialog, where you can create and 

edit collections and file rules and create user-initiated migration packages. 




• About the Collection Manager dialog 

About the Collection Manager dialog 

Use this dialog to create, edit, or delete collections of rules, as well as specific file 

rules. You can also use this dialog to create or delete user-initiated profile migration 

packages: 

(You can access the Collection Manager dialog from either the OS 

Deployment/Migration Tasks script wizard, or directly from the Manage Scripts 

toolbar in the console.) 

• File rules: Displays all available file rules in the list box. You can create a 

new file rule or edit an existing one. 

Note: When you delete a file rule, the rule is removed from the core 

server. Any collection that contained that rule provides a notice about 

this change the next time you open or edit the collection. 

• Collections: Displays all available collections in the list box. You can create a 

new collection or edit an existing one. 

Note: When you delete a collection, the collection is removed from the 

core server. Any migration script referencing that collection will not run 

properly. You should also delete the script. 

454


• User-Initiated packages: Displays all available packages in the list box. You 

can create a new migration package, which is a self-extracting executable file 

that can be run on individual clients. You can't edit an existing user-initiated 

package. 


Note: When you delete a user-initiated package, the package is removed 

from the core server. Other copies of the package may still exist 

depending on how and where you distributed the package to users. 

• Creating file rules 

• Creating collections 

• Creating user-initiated migration packages 



About the File Rule dialog 

Use this dialog to create new file rules or edit existing ones (in the Collection 

Manager dialog, click File rules and then click New). 

A file rule determines which files are migrated, based on the following criteria: drive 

and directory location, subdirectories, file naming (including wildcard support), and 

destination location. 

• Rule name: Identifies the file rule with a unique name. If you enter the 

name of an existing file rule, you'll be asked whether you want to replace it. 

Use a name that will help you identify the purpose or content of the file rule. 

• Rule description: (Optional) Helps you remember the file rule. 

• Source directory: Specifies the drive and directory path to the location of 

the files you want to migrate. 

Note on disk partitions: You can migrate files from a client's fixed 

drives, including disk partitions. Removable media, such as CD-ROM 

drives, and network shares are not supported. If the target client does 

not have a matching disk partition drive letter, a new directory named 

"Migrated_[drive letter]_Drive" is created at the root of the target client's 

C drive, and the files (along with their associated directory structure) are 

migrated to that new directory on the target client. 

• Include subdirectories: Searches for files in all subdirectories of the 

specified source directory. 

• Remap destination directory: Moves files to a path on the target client that 

is different than the source directory path. A file's associated directory 

structure will still be preserved under the remapped path. 

• Destination directory: Specifies the drive and directory path on the target 

client where you want to migrate files that match the location and naming 

criteria. 

455

USER'S GUIDE 

• Files to include: Captures files in the specified source directory that match 

the filename syntax you enter here. You can use exact filenames to limit the 

inclusion to an individual file. You can also use wildcard naming syntax (* and 

) to include files by file type/extension (i.e., *.txt), prefix (i.e., myname*.*), 

or any other valid wildcard usage. 

Note: Separate multiple filenames with a semi-colon character (;). 

• Files to exclude: Does not capture files in the specified source directory that 

match the filename syntax you enter here. You can use exact filenames to 

limit the exclusion to an individual file. You can also use wildcard naming 

syntax (* and ) to exclude files by file type/extension (i.e., *.txt), prefixes 

(i.e., myname*.*), or any other valid wildcard usage. 


Note: If the include control and the exclude control contradict each 

other, the exclude control takes precedence and the file(s) will not be 

captured by the file rule. 

• Migrating files and folders 



About the Collection of Rules dialog 

Use this dialog to create new collections and edit existing ones (in the Collection 

Manager dialog, click Collections and then click New). 

A collection is a user-defined set of application, desktop and file rules, that 

determines the profile content to be migrated. 

• Collection name: Identifies the collection with a unique name. If you enter 

the name of an existing collection, you'll be asked whether you want to 

replace it. Use a name that will help you identify the purpose or content of the 

collection. 

• Description: (Optional) Helps you remember the collection. The description 

you enter here will display in both the Collection Manager dialog and the 

Selecting a collection page of the wizard to help you identify the collection. 

• Rules: Indicates the profile content you want migrated by this collection. Use 

the plus-sign and minus-sign boxes to expand and collapse the tree structure 

to view all of the Applications, Desktop Settings, and File Rules. You can 

select any combination of the rules available in the Rules tree listing when 

defining a collection. 




456


About the User-Initiated Package dialog 

Use this dialog to create a self-extracting executable file that can be run on clients as 

a user-initiated profile migration (in the Collection Manager dialog, click Userinitiated 

packages and then click New). 

Note: User-initiated migration packages can be run on LANDesk-managed clients, as 

well as computers that are not managed by the LANDesk agents. 

• Package name: Identifies the user-initiated profile migration package with a 

unique name. If you enter the name of an existing profile migration package, 

you'll be asked whether you want to replace it. Use a name that will help you 

identify the purpose or content of the user-initiated package. 

Note: Do not type the filename extension here; the .EXE extension will 

be appended automatically to the name you enter. 

• Rule collection: Lists all of the of available rule collections. The collection 

you select determines the content of the user-initiated profile migration. You 

can select only one collection per migration package. 

Note: The user-initiated migration package (*.EXE) is saved by default to the 

following directory on your core server: 

c:\Program Files\LANDesk\ManagementSuite\LDLogon\PMScripts\Executables 


• Creating user-initiated profile migration packages 

• Running user-initiated profile migration packages 

• Creating a collection 



457

USER'S GUIDE 


Enter credentials for profile storage page 

Use this page to specify where to store the profile data and to provide authentication 

credentials: 

• UNC path to profile storage directory: Specifies the UNC path to where 

the profile data will be stored. You can enter just the computer name in UNC 

format, then browse for the remainder of the path by clicking the Browse 

button. 

• User name: Identifies a user with valid authentication credentials to the 

specified UNC path. 


• Domain: Provides the user's domain. 

• Force authentication using these credentials: Forces an authentication 

(log out and log in) using the credentials specified above on clients that are 

scheduled for a profile migration IF the currently logged in user's credentials 

fail. If such a failure occurs, checking this option ensures that the client has 

sufficient rights to access and save data on the network share where the 

profile data will be stored. 

• Default local user account(s) password: (Only available for a profile 

restore script) Provides a password that will become the common default 

password for all of the new migrated local user accounts created on the target 

client. If a user account already exists, settings are migrated, but the current 

password is preserved and should be used to log in. 

Note: If you leave this text box empty, the password is automatically set 

to the default: password. 

• Finish: Saves the profile migration script and exits the wizard. 




458



Enter DOS commands to execute on the client page 

Use this page to create a script that runs DOS commands (including application 

executable names) on target clients. The commands are sent to clients one at a 

time. 

• DOS command text box: DOS commands can be added to this box, one per 

line, as if you were typing at a DOS command prompt. You can enter as many 

commands as you like. 

• Abort this job if any command fails: Causes the imaging job to abort if 

any of the DOS commands entered on this page fail. Applications (launched 

from the DOS command line) that generate a DOS errorlevel code when 

failing will also cause the imaging job to abort. If no errorlevel code is created 

when a command or application fails, the imaging job will continue. 

• Finish: Saves the DOS commands script and then exits the wizard. 


Related topics 




459

Appendix C: Additional software distribution 

information 

This chapter explains how to use LANDesk Management Suite's Enhanced Software 

Distribution (ESWD) to distribute software and files to clients throughout your 

network. 


• Scripting guide for .CFG files 

• Troubleshooting .CFG files and their packages 

• Scripting guide for deployment scripts (.INI files) 

• Understanding Enhanced Software Distribution error codes 

• Files used in Enhanced Software Distribution 

461

USER'S GUIDE 

Scripting guide for .CFG files 

This section describes what you can do with scripts and scripting commands as you 

build a software distribution package. At the end of this section, there's a sample 

script with remarks that explain the important parts of the script. 

For detailed instructions about creating and modifying .CFG files, see the Package 

Builder online help. Click Start | Programs | LANDesk Management | LANDesk 

Enhanced Package Builder. Click Help | Index and select the following online 

help topics: 

• Getting started with Package Builder 

• Creating a simple installation 

• Package Builder commands 

• How does Package Builder do an installation 

• Using variables in commands and assigning values 

Scripting basics 

The Package Builder wizard steps you through the process of creating a software 

distribution package. The wizard saves the commands required to perform the same 

installation on other computers. It writes these commands to an ASCII file with a 

.CFG extension. You can edit this script file after creating it in Package Builder, or 

you can create one from scratch and build it into a package. 

The Package Builder online help provides syntax information for each of the script 

commands. To access the help for a specific command, highlight a command in the 

left panel and press the F1 key. 

To access a specific script file, start Package Builder and click File | Open. Browse to 

the Configs directory in the Package Builder Working directory and select a file. 

Once a script has been modified, click Build | Build to build the script into a 

package. 

Script commands 

Each script includes two sections. Specific commands at the top of the script define 

the operating parameters, and the balance of the commands describes the 

installation of the application included in the software distribution package. 

All of the commands included in a script can be grouped into one of these functional 

categories: 

• Base Installation 

• Appearance 

• Messages & Input 

• System Changes 

• If Conditions 

• Defaults & Calls 

These categories contain related commands that describe the installation process for 

each package. Some commands describe the operating parameters of the installation 

462

APPENDIX C: ADDITIONAL SOFTWARE DISTRIBUTION INFORMATION 

and must be placed at the top of the script file. For details about each command, see 

the Package Builder online help. 

Editing packages with the Package Builder 

The Package Builder interface is divided into three areas: 

• In the left pane, the functional categories are listed. Expand each functional 

category to display the individual commands within that category. 

• The right pane is divided into two screens: The upper portion displays the 

script itself. The lower portion is a GUI template that contains entry boxes for 

the parameters of the highlighted command. 

To see the details of a command in the script, highlight the command and view the 

parameter details in the lower portion of the screen. 

To add a new command to the script, select the location in the script where the 

command should be located. Next, highlight the command in the left pane. Now 

complete the syntax template in the lower portion of the screen. When you've 

selected the command parameters, click Add to insert the new command. 

Processing custom scripts 

Custom scripts are processed in three sections: 

• Premachine—The Premachine section of the custom script is processed first, 

and only once at the start of the task. Use this section for tasks that have no 

targeted client, and/or for Targeted Multicast. During the Premachine section 

of the script, only local commands, LOCxxx, should be used. 

• Machine—The commands in this section of the script run second and only 

once per targeted client. These commands can use either the remote or local 

execution commands, and are primarily used for remotely executing 

SDCLIENT.EXE. Before the commands in this section of the script can be 

performed, the ESWD agent must be installed on the targeted clients. 

• Postmachine—This section is processed last, and again, only once after all 

clients have been processed. Software distribution does not add commands to 

this section, and it only supports the local commands, LOCxxx. The 

commands in this section won't be processed if clients in the task can't run 

them. The InventoryScanner.ini script that comes with Management Suite 

contains details about the script commands. 

Command-line parameters 

Software distribution is facilitated by a deployment script. SDCLIENT.EXE manages 

the packages using command-line parameters from the script file that are passed to 

the application. 

SDCLIENT.EXE supports the following command-line parameters: 

sdclient.exe /p="" [/g=] [/All] [/R] [/N] [/An] 

[/Ac] [/Ab] [/fui] [/msi] [/exe] [/bw=xxx] [/E] 

463

USER'S GUIDE 

Parameter 

name 

/p= 

/g= 

/All 

Description 

Package Path. The package path must be specified, regardless of the 

package type. This parameter specifies the UNC or URL path to the package 

that is to be installed on the local client. 

Package GUID. For ESWD or AutoInstall packages. This parameter specifies 

the GUID for the package. The package GUID is used to check the local .CFG 

file cache for a copy of the package's .CFG file. 

Uninstall Flag. This flag is set to indicate that the ESWD or MSI package 

should be uninstalled rather than installed. This flag is case-sensitive (/all 

won't work). 

/R Always Reboot Flag. This flag indicates that the client should always be 

rebooted after the package installation. Not all MSI packages follow this 

guideline. 

/N Never Reboot Flag. This flag indicates that the client should never be 

rebooted after the package installation. 

/An 

/Ac 

/Ab 

/fui 

/msi 

/exe 

/Ah 

/bw=xxx 

Silent Installation Flag. This flag indicates that the installation should be silent. 

This means that no UI, or the smallest amount of UI possible, should be 

displayed during the installation. 

Disable Cancel Flag. This flag prohibits the user's ability to cancel the 

installation. 

No Background Flag. This flag only applies to ESWD packages. When a 

package is being installed, the blue background won't be displayed. 

Full UI Flag. This flag indicates that the full UI for legacy and MSI packages 

should be used. 

MSI Package Flag. This flag indicates that the package path points to an MSI 

package file. 

Executable Package Flag. This flag indicates that the package path points to a 

legacy package or a generic executable file. 

Application Healing Flag. This flag indicates that the script is installed with the 

Application Healing option. 

Bandwidth Requirements. Specifies a minimum bandwidth requirement for the 

package script to be run. 

/F Generic File Flag. This flag causes SDCLIENT.EXE to download the file to the 

LDCLIENT directory. 

Simple sample script 

This script contains some of the commands used to install Package Builder on a 

package-building computer. Major sections or commands are described with remarks 

(REM). 

REM This is the Package Builder installation 

REM Set screen graphics environment 

464


SCREENCOLOR: (0,0,255), (0,0,255) 

ANIMATION: "W:\Software\Install\Intel\duck\DISK01.BMP", 

"W:\Software\Install\Intel\duck\DISK02.BMP", 











"W:\Software\Install\Intel\duck\DISK13.BMP" 

SCREENGRAPHIC: "W:\software\INSTALL\Intel\OAKLAN~1.BMP", topleft 

REM TITLE: "LANDesk Management Suite", fontsize=25, color=yellow 

REM SUBTITLE: "Package Builder", fontsize=18, italic, color=yellow 

REM Configure uninstallation options 

UNINSTALL: yes, removegroup, packagename="Package Builder" 

UninstallBeginPrompt: "Do you wish to remove the LANDesk Management 

Suite Package Builder programs and directories from your system" 

UninstallEndPrompt: "LANDesk Management Suite Package Builder programs 

and directories have been successfully removed from your system." 

REM Check for sufficient disk space before installation 

IF DISKSPACE() < 4000K 

BEGINFIRSTSCREEN caption="Not Enough Disk Space", Package Builder 

requires 4 MB of disk space. Please arrange your hard disk so that a 

sufficient amount of disk space is available. 

ENDFIRSTSCREEN 

REM This is only shown if there is less than 4 MB of disk space. 

ENDIF 

REM Define splash screen text 

BEGINFIRSTSCREEN caption="LANDesk Management Suite Package Builder", 

This installation program will set up LANDesk Management Package 

Builder onto your hard disk. Contact your LANDesk Software Customer 

Support representative if there are problems setting it up on your 

computer. 


REM Define default directory from which to work. Notice the variable 

$ProgFilesDir$ comes from a Windows system environment variable. The 

DEFAULTDIR command must be used before any file commands are used. 

DEFAULTDIR: "$ProgFilesDir$\Intel\Package Builder", prompt="Please 

enter the drive and directory:", caption="Directory Name", text="The 

software will install onto your system in a directory. Please accept 

the suggested directory location or type in one of your own. Make 

certain to provide both a drive letter and the directory name." 

REM Add files common to all versions of Package Builder. Only one has 

been included in this sample script. 

FILE: "CTL3D.000", overwrite=yes, 

From="W:\Software\Install\Intel\CTL3D.DLL" 

REM Install registry information 

BEGINREGISTRY 

KEY: new, "HKEY_CLASSES_ROOT\CFG" 

VALUE: reg_sz, replace, "Default", "txtfile" 

ENDREGISTRY 

REM Setup Windows menu items 

465

USER'S GUIDE 

WINITEM: "LANDesk Management Suite", "$DEFAULTDIR$\Builder.exe", 

"Package Builder", replace, allusers 

WINITEM: "LANDesk Management Suite", "$DEFAULTDIR$\Replicator.exe", 

"Package Builder wizard", replace, allusers 

WINITEM: "LANDesk Management Suite", "$DEFAULTDIR$\ENUBLDRI.hlp", 

"Package Builder wizard help", replace, allusers 

REM Define and display final screen 

BEGINLASTSCREEN caption="LANDesk Management Suite Package Builder", 

The installation of the Management Suite Package Builder is now 

complete. 

ENDLASTSCREEN 

Registry commands 

Commands that modify the registry begin and end with BeginRegistry and 

EndRegistry commands. In between these commands are the commands that 

identify the registry key and the value. The Package Builder wizard flags two keys as 

dangerous: 

• \HARDWARE 

• \SYSTEM\CURRENTCONTROLSET 

These keys are considered dangerous because they are usually not compatible with 

any computer other than the package-building computer. When these keys are 

modified, the Package Builder wizard places such commands within an IF 

$DANGEROUS$ = "TRUE" statement. If the changes to these keys are compatible 

with your target computers and you want them executed, you must define a 

$DANGEROUS$ variable at the top of the script and set its value to TRUE. 

Launching a package from a package 

You can specify INST32.EXE on the command line of a RunAtExit command in one 

package in order to launch another package. The syntax is: 

RunAtExit "INST32.EXE PACKAGENAME.EXE" 

If the package is found on the network, this is more efficient than just running 

"PACKAGENAME.EXE." It allows you to specify a package name via an HTTP path. For 

example: 

http://myservername/packages/PACKAGENAME.EXE 

Sample script with more complex commands 

This next script is organized into sections with a brief explanation for each. Any 

applications launched by a RunAtStart or RunAtMiddle command must be closed for 

the script to continue processing. 

The beginning section of this script enables you to include a window title, package 

name, animated or still graphics, and audio, as well as color and font selections. A 

RunAtStart command enables you to execute an external application at the 

beginning of the installation. 

466


Next, the BeginFirstScreen command enables you to inform the user about the 

installation by displaying a text message. Finally, the Backup command indicates 

that any files that are to be replaced will be backed up, and the OverWriteFile 

command indicates that the user will be prompted before any existing files are 

overwritten. 

ANIMATION: "C:\WINDOWS\CIRCLES.BMP", "C:\WINDOWS\CARVED~1.BMP", 

"C:\WINDOWS\BUBBLES.BMP", "C:\WINDOWS\BLUERI~1.BMP", 

"C:\WINDOWS\BLACKT~1.BMP" 

RUNATSTART: "c:\program files\accessories\mspaint.exe" 

TITLE: "Package Builder Functionality Script for Windows 98", bold 

INTROSCREEN: "C:\WINDOWS\SETUP.bmp", waittime=5, full 

INTROSOUND: "C:\WINDOWS\MEDIA\START.WAV" 

SCREENCOLOR: magenta, yellow 

SCREENGRAPHIC: "C:\WINDOWS\PINSTR~1.BMP", topleft 

FONTNAME: "Tahoma" 

BEGINFIRSTSCREEN title="First Screen", caption="Screen #1" 

This is the text that appears on the first screen. 


BACKUP: YES 

OVERWRITEFILE: ask 

The following examples show different prompt options. Text for each prompt can be 

modified. 

CancelPrompt: "Cancel" 

CopyFilePrompt: "UPLOAD IN PROGRESS" 

OkPrompt: "GOOD JOB" 

QuitPrompt: "Do you really want to quit" 

CopyTitlePrompt: "Copying..." 

NextPrompt: "Next" 

BackPrompt: "Back" 

NoPrompt: "No" 

YesPrompt: "Yes" 

This section runs an external application and waits for that application to be closed 

before continuing. When the script continues, the user is prompted for input. Based 

on the selected option, the application continues and copies a file on the local drive 

or exits. 

RUNATMIDDLE: "c:\windows\calc.exe" 

ASK1: Yesno, caption="Sample question.", text="This is an example using 

Yes / No buttons. Choose `Yes' to continue, `No' to exit." 

IF $ASK1$= "yes" 

WINGROUP: "New Program Group", prompt="Select a group", 

caption="Program Group selection", text="Please select a program 

group." 

ELSE 

IF $ASK1$= "No" 

EXITMESSAGE 

Sorry you had to leave so soon! 

EXIT 

ELSE 

ENDIF 

ENDIF 

PROGRESSBAR: 302K 

COPY: "C:\windows\setup.bmp", "C:\windows\temp\p1.bmp" 

RENAME: "C:\windows\temp\p1.bmp", "C:\windows\temp\renamed p1.bmp" 

467

USER'S GUIDE 

This section launches an application as the last command before the script is 

completed. The RunAtExit command does not have to be the last line of the script. 

This section also places a shortcut on the desktop and creates an uninstall package. 

RUNATEXIT: "C:\WINDOWS\CDPLAYER.EXE" 

BEGINLASTSCREEN title="Last screen", caption="The last screen" 

This should be the last screen you see. 

ENDLASTSCREEN 

SHORTCUT: "c:\windows\notepad.exe", "NOTEPAD", 

dir="c:\windows\desktop\" 

UNINSTALL: yes, makeicon, removegroup, packagename="Package Builder 

Functionality" 

HTTP and UNC paths 

These are examples of software distribution .INI files that reflect the differences 

between HTTP and UNC path script files. 

HTTP path script file: 

; This file was generated by Desktop Manager 

[MACHINES] 

REMEXEC0=C:\ldclient/sdclient.exe -p=http:///packages/test 

package.exe -g={6DD454C0-11D3A0D1-a000B3B5-9BACBBC99CFC6D- 

9CE3504801A0D4B2FZ0829F08} -Ac -Ab 

UNC path script file: 

; This file was generated by Desktop Manager 

[MACHINES] 

REMEXEC0=C:\ldclient\sdclient.exe -p=\\sample_core\onefile\test 

package.exe -g={6DD454C0-11D3A0D1-a000B3B5-9BACBBC99CFC6D- 

9CE3504801A0D4B2FZ0829F08} -Ac -Ab 

Notice that both .INI files have similar elements. In the MACHINES section, the -P 

option designates the path where the client will download the software package. In 

the HTTP example, the path is http:///packages/test package.exe. 

The next option is the -G option, which is the GUID, a unique number identifier for 

each package. This number identifier is generated by the Package Builder, and it 

helps prevent confusion during installation between packages with similar names. 

468


Troubleshooting .CFG files and their packages 

Deciding what works and what doesn't work is the first step in script debugging. 

These are some basic troubleshooting tips that can help you resolve script errors: 

• Create a new script that consists of only the portion of the script that 

produces an error. Check the functionality of this script and modify as 

required using the online command help. 

• Compare the new script to an existing script to check for syntax. 

Use the following guidelines when you create packages on your package-building 

computer. These tips will help you avoid unnecessary errors. 

Using commands 

Don't pass variables to the DLL Load command in Package Builder 

If you create a package that depends on passing a variable into the DLL Load 

command, it won't work if the variable doesn't arrive at the correct time. If the .DLL 

doesn't receive the expected variable, the package won't complete the installation 

correctly. To avoid this problem, don't pass variables into the DLL Load command; 

the other DLL parameters work correctly. 

Using the Package Builder RunAtMiddle, RunAtStart, and RunAtExit commands 

The Package Builder RunAtMiddle, RunAtStart, and RunAtExit commands require the 

full path to the executable to run correctly. Also, the RunAtMiddle command must be 

positioned in the script after the DEFAULTDIR function to work correctly. RunAtStart 

and RunAtExit commands can be anywhere in the script and will run correctly. 

Rebooting during package creation 

When using the Package Builder wizard to create a package, you may be prompted 

to reboot the package-building computer. In many cases, rebooting before 

completing the package-building process causes the package to improperly install at 

the client. The application becomes configured for the package-building computer 

rather than the targeted client. However, in some cases, the reboot is required 

because the installation program accesses the installation CD after reboot. 

You need to test the resulting package to determine whether you can stop the 

installation process and create the package before the reboot, or whether you need 

to reboot the package-building computer during the software installation and then 

continue to create the package. 

469

USER'S GUIDE 

Creating and naming software distribution packages 

Package names can't be changed once they're created 

You can't change a package name once you complete the package creation step. If 

you attempt to directly change the filename, your users can't access that package 

correctly. 

Package names can't include hyphens or periods 

If you use hyphens or periods in a package name, the package-creation process will 

truncate the name when it encounters them. You can still access the package in a 

script, and users can install it, but the truncated name might be confusing. Don't use 

hyphens or periods in a package name. You can use the underscore (_) character 

instead. 

We recommend that you create a new working directory each time you begin 

creating a package. To create this directory, start the Package Builder wizard, and 

click Scan Options. In the Temporary Work Directory box, either type in the full 

path to a directory or browse to its location. Package Builder prompts you for 

permission to create a directory that does not already exist. 

Store only software distribution packages in your distribution location 

You should only keep packages in the Web server location or UNC folder that you set 

up for software distribution. If you store other types of executable files in this folder, 

they may be confused with packages when you're creating distribution package 

scripts. If you create a distribution script for an executable that's not a package, the 

distribution will fail. Store only software distribution packages in your distribution 

location. 

For more information about creating and modifying packages, see the topic "Working 

with the Package Builder" in the Package Builder online help. 

File collections can't contain more than 296 files 

When you create a file collection package, you can add as many as 296 separate files 

or folders. If you attempt to add more than 296 items, the file collection stops. Files 

contained in an included folder count as one item, not as separate files. 

470


Scripting guide for deployment scripts (.INI files) 

You don't have to use the Create Software Distribution Script window to create the 

deployment script file. A deployment file is an .INI file containing the settings the 

client should use for installing a package. You can create your own deployment files 

in a text editor such as Notepad if you prefer. 

A software distribution .INI script file has these components: 

[MACHINES] 

REMEXEC0=C:\ldclient\sdclient.exe 

/p="http://computer_name/95Packages/Acro32_95.exe" 

/g={281B46C0-11D3766F-a0008bab-F9751AC966F808- 

66E3BC2DF01A0D4B2F88670DE4} 

/Ac 

/N 

REMEXEC0 command parameters 

The parameters for the REMEXEC0 command have been placed on separate lines to 

make the components more visible. When placed in an .INI file, the command needs 

to be on one line. 

REMEXEC0 is the Remote Execute command. If you want to use more than one 

REMEXEC0 command in a single script file, increment the command each time it is 

used. For example, if you used three REMEXEC calls in a single .INI file, they should 

be REMEXEC0, REMEXEC1, and REMEXEC2. These commands don't need to 

increment if they're in separate files. 

The c:\Ldclient\SDCLIENT.EXE parameter is the correct path to the ESWD agent. 

The /p parameter is the path statement where the client can download the package. 

For example: 

/p="http://computer_name/95Packages/Acro32_95.exe" 

The /g parameter points to a GUID identification number for the package. For 

example: 

/g={281B46C0-11D3766F-a0008bab-F9751AC966F808- 

66E3BC2DF01A0D4B2F88670DE4} 

If you use this parameter, the client will only download the package with that exact 

ID number. Use the Create Distribution Script window to generate this ID number, 

because it's embedded in the software package. 

The /Ac parameter hides the install from users. They can only cancel the installation 

if they're prompted for something. The /Ab parameter hides the background. The /An 

parameter hides all of the UI and prevents any interaction (prompts) from reaching 

the users. 

The /Ah+ parameter heals a package that was previously installed, without 

prompting the user. The /Ah- parameter reinstalls a package that was previously 

installed, without prompting the user. 

The /N parameter doesn't force a reboot on the computer after the package is 

installed. The /R parameter forces a reboot on the computer after the package is 

installed. If you don't use either the /N or /R parameters, the computer will reboot 

only if files in use were updated or a reboot is needed to complete the installation. 

471

USER'S GUIDE 

An optional /D parameter opens a debug window used to view operational 

parameters for SDCLIENT.EXE. The debug window displays the package path and 

name, the GUID, any error or message codes, as well as the exit code returned to 

the Scheduled Tasks window. 

If the software distribution script is designed to uninstall an existing application, two 

uninstall option parameters can be used: 

• The /Au parameter uninstalls the last instance of a package and rolls back 

one install instance. 

• The /All parameter uninstalls all instances of a package and completely 

removes the package. 

If you follow these guidelines, you can create your own software distribution scripts 

and schedule them to be sent to clients. These scripts are stored in the DTM\Scripts 

folder on the core server. 

472


Understanding Enhanced Software Distribution 

error codes 

From the console, the right panel in the Scheduled Tasks window displays the status 

of a distribution. When it has finished, the panel will either display success or an 

explanation of why it failed. In addition, each targeted client has log files that 

contain information about the distribution. The status and errors are logged to the 

following files: 

• If the error occurred while attempting to access the package, the error is 

logged in the AICLIENT.LOG file. 

• If the error occurred while processing the package (for example, copying 

files), the error is logged in the INST32.LOG file. 

• The SDCLIENT.LOG file contains general summary information about each 

installation request received from the core server. 

These log files are stored on each client. The following table lists the error codes you 

may encounter in these files. 

Error 

code 

Definition 

101 The user cancelled the install. 

102 File access was denied. 

103 The password used isn't valid. 

104 No network found, or incorrect path provided. 

105 A download error occurred. 

106 A socket could not be created. 

107 Unable to open an HTTP session. 

108 A CFG download error occurred. 

109 A save CFG error occurred. 

110 No save CFG folder exists. 

111 A file access error occurred. 

112 A get CFG error occurred. 

113 Unable to create a backup CFG. 

114 A spawn error occurred because another package is already being installed. 

117 The backup directory can't be created. 

180 Networking error. Can't initialize. 

473

USER'S GUIDE 

188 Timed out while downloading over HTTP. 

189 HTTP connection aborted. 

191 Host not found. 

197 HTTP file not found. 

201 The UNC file cannot be found. 

202 The file was not found on the installation disk. 

203 Unable to create a file in the specified location. 

204 Not enough disk space on the destination drive for installation. 

205 An invalid drive was specified, or the drive required for this install was not available. 

206 

The file has a long filename and can't be installed by the 16-bit install program. You 

still have the option to continue to install other files. 

207 The specified file is not an executable. 

208 Multiple uninstall registry entries exist with the same source path. 

209 Unable to locate the uninstall executable. 

210 Encountered an invalid compressed file, or HTTP error(s). 

211 A successful AFXSOCKETINIT command must occur before using this API. 

212 The network subsystem failed. 

213 No more file descriptors are available. 

214 The socket can't be created. No buffer space was available. 

215 The specified address was already in use. 

216 The connection attempt was rejected. 

217 The provided host address was invalid. 

218 The network can't be reached from this host at this time. 

219 The attempt to connect timed out without establishing a connection. 

220 The virtual circuit was aborted due to a timeout or other failure. 

221 The virtual circuit was reset at the remote site. 

222 A non-stated HTTP error occurred. 

223 An HTTP error occurred; the file wasn't open for reading. 

224 An HTTP error occurred; no content-length setting provided. 

225 An HTTP error occurred; not enough memory available. 

226 A memory allocation error occurred. 

227 Unable to read the file. 

474


228 Insufficient memory available. 

229 The .CFG file has an error at line XX. 

240 

The temporary path specified is invalid. It can't be accessed or created. The target 

computer has a configuration problem. 

301 This application has never been installed on this computer; it can't be uninstalled. 

475

USER'S GUIDE 

Files used in Enhanced Software Distribution 

This is a list of the files used in ESWD, as well as descriptions of how they work 

together. You can use this information to customize how packages are created, 

stored, and deployed in your organization. 

These files are installed at the core server: 

• ManagementSuite\CUSTJOB.EXE 

• ManagementSuite\SDMAKINI.DLL 

• ManagementSuite\LANDesk.ManagementSuite.WinConsole.dll 

• ManagementSuite\INSTALL\EN_PKG_BLDR\SETUP.EXE 

• ManagementSuite\LDLOGON\SDCLNSTL.EXE 

These files are installed at the client: 

• C:\LDCLIENT\SDCLIENT.EXE 

• C:\LDCLIENT\AICLIENT.DLL 

• C:\LDCLIENT\SDMCACHE (this is an empty folder) 

• C:\LDCLIENT.LOG (this file is created by the SDCLIENT.EXE file) 

• INST32.EXE 

• EUNINST32.DLL (or other locale-specific resource file) 

• $WINDIR$\aiclient.log 

• $WINDIR$\inst32.log 

File descriptions 

SETUP.EXE: This standalone, binary installation file is used to create packagebuilding 

computers, placing the Package Builder, Package Builder wizard tools, and 

accompanying online help files onto the computer. Each application that you package 

with Package Builder is made into a self-extracting .EXE. 

If you're using the Web Console, you must copy the .EXE to the packages directory 

on your Web server for users to access. 

SETUP.EXE installs the following types of files on the package-building computer in 

the Program Files\Intel\Package Builder directory: 

• BUILDER.EXE: Enhanced Package Builder executable 

• ENUBLDR.DLL: Enhance Package Builder resource file 

• REPLICATOR.EXE: Package Builder wizard executable 

• ENUREPLC.DLL: Package Builder wizard resource file 

• BASIC.CFG: A simple installation script for building a software distribution 

package 

• TYPICAL.CFG: A more complex installation script for building a software 

distribution package 

• ENUBLDR.HLP: Help file for the Package Builder 

• ENUBLDRI.HLP: Help file for the Package Builder wizard 

CUSTJOB.EXE: This file is launched directly by the Scheduler when a job is to begin. 

476


SDC_INSTALL.INI: This job script is processed by CUSTJOB.EXE. It copies 

SDCINSTL.EXE to a remote computer and then executes it on that computer via the 

Common Base Agent (CBA). This file is placed in the DTM\Scripts folder. 

SDCLNSTL.EXE: This file installs the ESWD client files SDCLIENT.EXE and 

AICLIENT.DLL on Windows 95/98 and Windows NT/2000/2003/XP clients. This file is 

placed in the DTM\LDLogon folder on the core server. 

SDCLIENT.EXE: This file is ultimately placed on the client in the C:\LDClient folder. 

It's invoked with command-line parameters that include the URL or UNC path of the 

distribution package to be installed. This invocation is normally a result of the core 

server Scheduler calling CUSTJOB.EXE. 

AICLIENT.DLL: This file is called by SDCLIENT.EXE; it's copied to the same folder 

as SDCLIENT.EXE. 

INST32.EXE: This is the actual installer program. It's embedded within every selfextracting 

package. It's also installed into the LDClient directory and launched by 

SDCLIENT.EXE whenever a request to install a software package is received. 

ENUINST32.DLL: This is a locale-specific resource file, and its name varies with the 

locale. 

AICLIENT.LOG: This is a rolling log. Once it exceeds 50 KB, the next install causes 

it to be renamed to AICLIENT.LOG1. When the new AICLIENT.LOG file exceeds the 

50 KB limit, AICLIENT.LOG1 is renamed to AICLIENT.LOG2. It's incremented one 

more time to AICLIENT.LOG3. It is deleted the next time the 50 KB limit is exceeded 

on the current AICLIENT.LOG file. 

INST32.LOG: This is a rolling log. Once it exceeds 50 KB, the next install causes it 

to be renamed to INST32.LOG1. When the new INST32.LOG file exceeds the 50 KB 

limit, INST32.LOG1 is renamed to INST32.LOG2. It's incremented one more time to 

INST32.LOG3. It is deleted the next time the 50 KB limit is exceeded on the current 

INST32.LOG file. 

477

USER'S GUIDE 

About the Deploy Package wizard 

The following sections describe the pages and options in the Deploy Package wizard. 

About the Deploy Package page 

Use this page to select the package you want to deploy. 

• Web path: Click Web Path for packages stored on a Web server. You must 

include http:// in the URL. 

• File share path: Click File Share Path for packages stored on a null-session 

share on a file server. This path must follow the UNC path convention, 




browse dialog opens. 

About the Create Application Policy page 

Use this page to specify the script type. You have several options depending on the 

package you're deploying. Install and Uninstall are only available if the package is 

an ESWD package or an MSI package. 

• Script name: Enter a descriptive name for the script you are creating. 

• Install: Specifies that you want to use an installation package to install 

software. 

• Uninstall: Specifies that you want to use an installation package to remove 

software. When this flag is set, the script removes everything that was 

installed with the installation script. 

About the Create Script page 

Use this page to specify the script type. You have several options depending on the 

package you're deploying. Install and Uninstall are only available if the package is 

an ESWD package or an MSI package. Macintosh OS 10.2 scripts only have the 

Script Name field available to them. 

• Script name: Enter a descriptive name for the script you're creating. 

• Install: Specifies that you want to use an installation package to install 

software. 

• Uninstall: Specifies that you want to use an installation package to remove 

software. When this flag is set, the script removes everything that was 

installed with the installation script. 

478


• Use Multicast to distribute this package: Enables Targeted Multicast so 

that multiple computers receive the same distribution simultaneously. 

• Only cache the file(s) on the computer using multicast: This option is 

available when Use Multicast to distribute this package is enabled. This option 

only multicasts the selected file or package to the target computers' multicast 

cache directory (SDMCACHE). Doing this can make a future distribution job 

quicker. 

If you use this option to get a file or package out to clients, the next time you 

launch a distribution job that uses this file, each client will look in its 

SDMCACHE directory for the file first before checking a Web server or UNC 

path. Each client that has the file locally will then install the package from the 

SDMCACHE directory without using additional network bandwidth to transfer 

the file. When selected, this option disables the Install and Uninstall options. 

About the Multicast Domain Options page 

This page appears only when you've selected Multicast as the distribution type. Use 

this page to configure multicast options. 

• Use multicast domain discovery: Use this option if you want Targeted 

Multicast to do a domain discovery for this job. This option won't save the 

domain discovery results for reuse. 

• Use multicast domain discovery and save results: Use this option if you 

want Targeted Multicast to do a domain discovery for this job and save the 

results for future use, saving time on subsequent multicasts. 

• Use results of last multicast domain discovery: Use this option once 

you've had Targeted Multicast do a domain discovery and save the results. 

• Have domain representatives wake up computers: Use this option if you 

want computers that support Wake On LAN* technology to turn on so they 

can receive the multicast. You can use the Multicast Options dialog to 

configure how long domain representatives wait to multicast after the Wake 

On LAN packet has been sent. The default waiting period is 120 seconds. 

• Advanced multicast options: Use this option to set advanced options. The 

defaults are fine for most jobs. 

About domain discovery 

Domain discovery is only necessary on networks with subnets that can see each 

other's multicast traffic. If your subnets don't see each other's traffic, you can save 

time by first saving the results of a domain discovery and then selecting Use results 

of last multicast domain discovery so Targeted Multicast doesn't do a domain 

discovery before each job. 

If your network subnets do see each other's multicast traffic, you can help Targeted 

Multicast work faster by pre-discovering your domains with the 

multicast_domain_discovery.ini script included in the DTM\Scripts directory. This 

script doesn't do anything on target computers. Run this script from the Scheduled 

Tasks window against a target list that spans your network. This will save the 

domain discovery results for future use. You may want to run this script periodically 

before large sets of multicast distributions. 

479

USER'S GUIDE 

If you selected Use cached file in Configure | Management Suite Services | 

Multicast, Targeted Multicast will go through a discovery process even if you 

selected Use results of last multicast domain discovery. Targeted Multicast 

needs to do this to find out which potential multicast domain representatives have 

the file in their cache. 

About the Additional Files page and Select Files to Deploy page 

The Additional Files page appears if you're doing a software distribution. The Select 

Files to Deploy page appears in the file transfer script wizard. Both pages are the 

same aside from their title. Use this page to select additional files. You can select 

one file at a time. 

• Web path: Click for packages stored on a Web server. You must include 

http:// in the URL. 

• File share path: Click for packages stored on a null-session share on a file 

server. This path must follow the UNC path convention, 




browse dialog opens. If you want to browse a Web server directory in the 

Select Package Location browser window, you must include a trailing slash on 

your URL (/), otherwise the browser window displays an error. 

• Add: Click Add to add a program directly from the path edit box once you've 

entered the full path and filename. 

• Remove: Select a file you've added and click Remove to remove a file from 

the list. 

About the Download Options page 

Use this page to configure bandwidth throttling and packet delays. 

• Peer download (only install from cache or peer): Only allow packages to 

download if they are in the local cache or on a peer in the same multicast 

domain. This option conserves network bandwidth, but for the package 

installation to be successful, the package must be in one of these two places. 

One way of using this option is to first copy the package to a client on each 

subnet with the Only cache the file(s) on the computer using multicast 

option earlier in the wizard. 

• Dynamic bandwidth throttling: Specifies that the network traffic a client 

creates has priority over distribution traffic. If you select this option and leave 

the Minimum available bandwidth percentage at 0, once the client 

initiates network traffic, the distribution cuts back to about one packet per 

second until the traffic stops. 

This option forces a full download of the file into the client's cache, which also 

enables byte-level checkpoint restart, where downloads resume where they 

left off if interrupted. If you're reinstalling or repairing an ESWD package or 

an MSI package, you may not want to use the Dynamic bandwidth 

throttling option because these package types normally only download the 

files they need. 

480


• Minimum available bandwidth percentage to use on client: Specifies 

how much dynamic bandwidth throttling to apply. You can enter values of up 

to 50 percent of the total network bandwidth available to the client. For 

example, if there were one other application consuming network bandwidth 

on the client during a distribution and you set the bandwidth percentage to 50 

percent, the distribution job would take 50 percent and the client application 

would take 50 percent. In practice, this percentage is variable because the 

operating system automatically allocates much of the network bandwidth 

depending on the number of applications needing bandwidth and their 

priority. 

• Delay between packets (peer): This option specifies the delay between 

packets for peers on the same subnet. You can use this delay to force 

distributions to be faster or slower. Increasing the delay between packets 

makes the distribution slower and uses less bandwidth. You can use this 

option with Dynamic bandwidth throttling, but if these options are used 

together the packet delay has more of an affect. 

• Delay between packets (source): Specifies the delay between the package 

source and client destination. Increasing the delay between packets makes 

the distribution slower and uses less bandwidth. You can use this option with 

Dynamic bandwidth throttling, but if these options are used together the 

packet delay has more of an affect. 

About the Job Options page 

Use this page to configure how this distribution will be deployed. If you're 

distributing an MSI file or generic executable, you have the option to enter any 

command-line options that need to be passed to the file after the multicast. 

• Script uses default distribution limit: You can limit the number of 

computers Targeted Multicast distributes to simultaneously. This option uses 

the default value you set in the Configure | Management Suite Services 

dialog's Custom Jobs tab under Distribute to X computers 

simultaneously. 

• Script uses custom distribution limit: Use this option to override the 

default for the current job by specifying a different value. 

• Only install from cache or peer: This option prevents target computers 

from going beyond their subnet to install a package. Computers will first look 

in their multicast cache directory and if the package isn't there, they'll check 

with peers on their subnet for the package. If no peers have the package, the 

distribution fails. This option minimizes network traffic across subnets. You 

can use this option after you've copied a package to each subnet with the 

Create Scripts page's Only cache the file(s) on the computer using 

multicast option. 

• Verify file before client install: Generates a hash (CRC) for the package 

you're distributing once you finish the wizard. Clients can then use this hash 

value to make sure the package/file they receive isn't corrupt. Depending on 

the size of the package/file you're distributing, you may have to wait several 

minutes for the hash calculation. 

• Do not attempt task completion: Use this option to not use the task 

completion feature to retry failed jobs. Normally, when task completion is 

installed on clients, failed jobs will be retried the next time task completion 

runs. Failed jobs will still be logged if you use this option. 

481

USER'S GUIDE 

• Command line entry for MSI packages or generic EXE: This option only 

appears if you're distributing an MSI package. You can enter command-line 

options for the MSI package here. 

About the Feedback Options page 

Use this page to help determine how much the user sees during the installation or 

removal of the software. You have these options: 

• Hide all feedback from user: This option hides the installation from the 

user as much as the software distribution package allows. If you created the 

software distribution package to be silent, this option ensures that it will be 

silent. If the software distribution package has been created with userinteraction, 

this option can't guarantee that all user-interaction will be 

eliminated. 

• Display installation/removal progress to user: This option enables you 

to choose one of the following: 

• Display background screen: This option controls whether the full 

background screen, which hides the desktop, is displayed during the 

process. 

• Allow user to cancel: This option enables the user to cancel the 

action: either an installation or removal. Generally, for application 

policies, this isn't recommended. 

Setting feedback for other package types 

The feedback options help determine how much the user sees during the installation 

or removal of the software. For MSI packages, packages created with earlier versions 

of Management Suite, and generic executables, you have two options. However, the 

internal settings of these packages may cause UI to be generated regardless of these 

settings. 

• Hide all feedback from user: This option hides the installation from the 

user as much as the package allows. If you created the package to be silent, 

this option ensures that it will be silent. If you created the package with userinteraction, 

this option can't guarantee that all user-interaction will be 

eliminated. 

• Display installation/removal progress to user: This option enables you 

to choose one of the following: 

• Allow user to cancel: This option enables the user to cancel the 

action: either an installation or removal. Generally, for application 

policies, this isn't recommended. 

• Display full package UI: This option controls whether the full 

background screen, which hides the desktop, is displayed during the 

process. 

482


About the Reinstall and Heal Options page 

Use this page to set what happens when applications are already installed on clients. 

If you have applications that aren't responding to a normal package heal, the full 

reinstall option might work better. Healing tends to take less time than a full 

reinstall. 

• Heal (repair) the package: This option only updates registry keys and 

replaces program files that the agent detects as different than those in the 

installation package. 

• Perform a full reinstall of the package: This option completely reinstalls 

the package, replacing all files and recreating all registry keys. 

• Allow the user to decide whether to heal or to reinstall: This option 

prompts the user for which type of install to do. 

About the Reboot Options page 

Use this page to configure whether the computer is rebooted after the software has 

been installed or removed. You have three options: 

• Never reboot: Clients won't reboot after a package installation. If you select 

this setting and your package requires a reboot, clients may encounter errors 

running the application until they do reboot. If the package is an ESWD 

package, this option overrules any settings in the package. If the package is a 

generic executable or an MSI package, the package setting may overrule this 

option. 

• Reboot only if necessary: Clients will reboot it the package requires it. 

• Always reboot: Clients will reboot regardless of whether the package 

requires it or not. 

About the Deployment Timing Options page 

Use this page to control when the package is deployed after arriving at the client. 

You don't have to select any of these options if you want the package to be deployed 

as soon as you have scheduled it. Before using these options, make sure you have 

deployed the Local Scheduler agent to your clients. 

If you want your clients to have some control, you have two options: 

• Delay installation/removal until next user login: This option delays the 

deployment until the next time any user logs in to the computer. 

• Allow user to delay task: This option enables the user to delay the task. 

You can customize this option by configuring the following: 

• Specify a custom delay message option: If you enable this option, you 

can specify a custom delay message. 

• Delay timeout (in seconds): This option enables you to specify how long to 

wait for the user to enter a delay time. The default is to wait for 60 seconds. 

If the user fails to interact with the request for a delay time within this 

specified time, the deployment begins. 

483

USER'S GUIDE 

About the Bandwidth Options page 

Use this page to control the network bandwidth that the package requires for 

deployment. You don't have to select any of these options if you want all selected 

clients to receive the package regardless of their bandwidth. 

Bandwidth control is important for clients that have a slow WAN or a dialup 

connection. You usually won't want to deploy a multi-megabyte package to clients on 

slow links. Choose from the following options: 

• Require a non-RAS network connection: This option enables the 

bandwidth requirement. Select one of the following: 

• Allow any non-RAS network connection: This option enables WAN 

and LAN clients to receive the package. 

• Only allow a high-speed network connection: This option enables 

only LAN clients to receive the package. 

If you're using PDS to detect network connection speed, high-speed and low-speed 

connections return the same information. For accurate detection of high-speed 

network connections, you need to use ICMP. 

ICMP sends ICMP echo requests of varying sizes to the remote computer and uses 

the round trip time of these echo requests/responses to determine the approximate 

bandwidth. However, not all routers or computers support forwarding or responding 

to ICMP echo requests. ICMP also distinguishes between LAN (high speed) and WAN 

(slow, but not dialup) connections. 

If your network isn't configured to allow ICMP echo requests, you can select PDS. If 

you're using PDS, the Only allow a high-speed network connection option won't give 

you accurate control. 

About the Finished page 

This page summarizes the actions you've selected for deploying the package. Before 

continuing, make sure your clients meet all the requirements listed in the warning 

section. 

If you click Set as Default, the configuration options you've selected will be set as 

the default values for the Deploy Package wizard. 

Click Finish, and the wizard will return you to the Scheduled Task window if you're 

creating a software distribution script, or to the Application Policy Manager window if 

you're creating an application policy. From these windows, you can add targets for 

package deployment. 

484


About the Multicast Options dialog 

The Create Distribution Package Script wizard has a Multicast Options dialog where 

you can configure job-specific Targeted Multicast parameters. The defaults in this 

dialog should be fine for most multicasts. Here are what the options do: 

• Maximum number of multicast domain representatives working 

simultaneously: No more than this number of representatives will be 

actively doing a multicast at one time. 

• Limit processing of machines that failed multicast...: When a client fails 

to receive the file through multicast, it will download the file from the Web or 

file server. This parameter can be used to limit the number of clients that will 

obtain the file at one time. For example, if the maximum number of threads 

was 200 and the maximum number of multicast failure threads was 20, the 

Custom Job dialog would process no more than 20 computers at a time that 

failed the multicast. The Custom Job dialog will process up to 200 clients at a 

time if they successfully received the multicast, but no more than 20 of the 

200 threads will be processing clients that failed the multicast task. If this 

value is set to 0, the Custom Job dialog won't perform the distribution portion 

of the task for any computer that failed multicast. 

• Number of days the files stay in the client cache: Amount of time that 

the file being multicast can stay in the cache on each target computer. After 

this period of time, the file will be automatically purged. 

• Number of days the files stay in multicast domain representative 

cache: Amount of time that the file being multicast can stay in the cache on 

the multicast domain representative. After this period of time, the file will be 

automatically purged. 

• Minimum number of milliseconds between packet transmissions 

(WAN or Local): Minimum amount of time to wait between sending out 

multicast packets. This value is only used when the representative isn't 

multicasting a file from its own cache. If this parameter isn't specified, then 

the default minimum sleep time stored on the subnet/domain representative 

computer will be used. You can use this parameter to limit bandwidth usage 

across the WAN. 

• Maximum number of milliseconds between packet transmissions 

(WAN or Local): Maximum amount of time to wait between sending out 

multicast packets. For more information, see Minimum number of milliseconds 

between packet transmissions above. 

• Number of seconds to wait after Wake On LAN: How long domain 

representatives wait to multicast after the Wake On LAN packet has been 

sent. The default waiting period is 120 seconds. If some computers on your 

network take longer than 120 seconds to boot, you should increase this value. 

The maximum value allowed is 3600 seconds (one hour). 

485

USER'S GUIDE 

About the Create Custom Script dialog 

Use this page to create a custom script. Once you enter a script name and click OK, 

the script opens in Notepad so you can edit it. For more information on scripting, see 

"Scripting guide for .CFG files" earlier in this chapter. 

About the Create Application Policy wizard page 

Use the Create Application Policy wizard page to specify the name of the policy you 

are configuring and whether to install or uninstall that policy. 

• Application policy name: Enter a name for the application you're 

configuring. This name appears in the Application Repair List column. 

• Install: Select this option to install the policy on clients. 

• Uninstall: Select this option to uninstall the policy from clients. 

About Handheld Manager 

LANDesk Handheld Manager is an add-on to LANDesk Management Suite 8 that helps 

you manage mobile devices. LANDesk Software, Inc. has partnered with XcelleNet 

Afaria* to provide mobile management support. With Handheld Manager, your 

mobile devices send inventory data to the Management Suite core database. 

Handheld Manager also allows you to distribute single files or single-file packages 

(32-bit Windows platforms only) to your mobile devices. 

Handheld Manager must be installed on your Management Suite 8 core server. The 

Afaria agent must be installed on any mobile devices you want to receive distributed 

packages. 

For more information, see the documentation on your Handheld Manager CD. 

To distribute a package via Handheld Manager 

1. Create the package you want to distribute. Click Tools | Create Distribution 

Package Script, select the file you're deploying, and in the Deploy Package 

wizard click Deploy the package using mobile deployment. Finish the 

wizard. 

2. From the console, schedule a job to distribute the package to your mobile 

devices. 

3. When the scheduled time arrives, the Scheduler will launch the mobile task 

processor (LDHTASK.EXE) to process the task. 

4. Once launched, LDHTASK.EXE will transfer the file from the original location 

you specified to the handheld files directory on the core server. 

5. Once the file is in the directory, the mobile devices that are part of the 

scheduled task will be marked as ready for processing in the core database. 

This task will remain in the Scheduled Tasks window until the target clients 

have completed the task. 

6. The next time a mobile device contacts the core server via the Afaria agent, 

the device will check to see if its unique device ID is scheduled for any tasks. 

If the device is scheduled for a task, the Afaria agent will retrieve and install 

the scheduled file. Management Suite receives job status from the Afaria 

agent. You can see status messages in the Scheduled Tasks window. 

486


About the Multicast Software Distribution Status window 

This window appears when there's an active Targeted Multicast distribution 

happening. This window shows the following information: 

• Package URL or UNC address: This is the location of the package you're 

currently attempting to distribute. 

• Status: A real-time report on how the distribution is proceeding or, if the 

distribution is complete, how well the job completed. 

• Multicast Domains: The field on top shows all of the subnets and the 

multicast domain representatives that are being used in the distribution. 

When you highlight each domain representative, the lower window displays all 

of the computers that are receiving their distribution from that domain 


Each computer in the lower window contains information on how the 

distribution completed on that computer. There are several information fields 

on the far right of each computer listed, including Packets Missed, Resend 

Requests, and Slowdown Requests. These fields do not contain any 

information until after the distribution is complete. 

• Packets Missed: Shows the number of is the number of packets that the 

client was not able to obtain from the subnet representative. If this number 

was not 0, then the distribution failed. 

• Resend Requests: Shows the number of times the client had to request that 

packets be resent from the subnet representative. This is a good way to 

gauge, for example, how busy the client was when dealing with other 

processes during the distribution. 

• Slowdown Requests: Shows the number of times the client had to ask the 

subnet representative to slow the packet stream. In this case, high numbers 

usually indicate that a computer is having some hardware problem that is 

slowing the distribution. If you have a large number of computers that have a 

high number of slowdown requests, you should check the Delay/Packet 

number on the subnet representative. There's often a correlation between the 

Delay/Packet number and the number of slowdown requests. 

This window closes automatically after 10 seconds. If you'd like the window to 

remain open during the entire distribution, click Keep Dialog Open and the window 

will stay open until you close it manually. Keeping the dialog open will stop script 

execution, so make sure you close the dialog when you're done. 

487

LANDesk Management Suite 8.1 - LANDeskÂ® Software Downloads ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template ?