Managing Symantec Endpoint Protection with Symantec Software Management Solution, Part 2: Quick Delivery

In Part 1 I covered the basics of a Software Resource for Symantec's Software Management built upon the Altiris Notification Server infrastructure, focusing on Symantec Endpoint Protection (SEP). In part two we move into a deployment method of SEP, allowing an administrator to push out SEP to target systems using Software Management's Quick Delivery functionality. A Quick Delivery can be considered an event, where SEP is delivered at a scheduled time to a filter of systems. This method is not intelligent beyond the configuration set by the administrator.

Introduction

Quick Delivery allows software to be downloaded and executed on target systems. For Symantec Endpoint Protection (SEP), Quick Delivery task types can be used to initially roll the software out, or execute a single action against an existing install of SEP. This can be Upgrades, Repairs, Uninstalls, or other maintenance-related tasks that might be required (kicking off a Live Update, for example). This one-event method is great for quick rollouts, emergency updates, remediation for compromised systems, etc.

Task Server

For Quick Delivery Tasks, Task Server is the mechanism that downloads and executes the Task. Task Server is a server-pushed task initiated by a Task Server and pushed down to the target systems at the scheduled time. This does require a system to be on-line and available for the task to successfully execute. Drawbacks to this method include:

1. Target availability at time of execution
2. The Task will not show in the Altiris Agent UI except only as a status

Pros to this method include:

1. Immediate action at scheduled time
2. Ability to immediately run a Task right after it is created (the Policy method requires a target system to request an updated configuration before the policy is received)
3. Large simultaneous deployment (assuming proper Task Server Site Server deployment for large environments)
4. Incorporating other Solution technologies

Here are other Resources to help provide details on how Task Server works, and how it is configured:

• https://kb.altiris.com/article.asp?article=47298&p=1 - Planning and Design Considerations for Hierarchy and Site Management - This power point presentation discusses Site Management, which includes the deployment of Task Site Servers.
• https://kb.altiris.com/article.asp?article=46065&p=1 - Task Server 7.0 SP2 Release Notes - This contains the Release Notes for Task Server 7.0 SP2 (this is the current version at the publish time of this document).
• https://kb.altiris.com/article.asp?article=47300&p=1 - Task Management Enhancements in Notification Server 7 - A quick slideshow showing features for Task Server, formatted in a comparison from version 6.0 of Task Server.

Please see the Task Server Jobs section for more information after Quick Delivery is discussed in detail below.

Package Delivery

Package Delivery is essentially a Quick Delivery without integration into the Software Resource Model. Use of this Task type should only be considered if you've upgraded from the Altiris Platform 6.0 to 7.0 and have a SEP package already configured to do what you want. This is for using Legacy packages, and a Quick Delivery should be used for anything created on the 7.0 platform.

The following steps illustrate how to use this.

1. They are found and configured at Manage > Jobs and Tasks > browse through the tree under System Jobs and Tasks > Software > and select Package Delivery.
2. Right-click on the Package Delivery folder > go to New > Task.
3. From the left-hand tree, under the Software section, click on Package Delivery.
4. Provide a name at the top of the right-pane.
5. Use the Package field to find your 6.x version package for SEP.
6. Select the appropriate command line for the Task.
7. You have Advanced options by clicking the Advanced button. These will be covered in detail under the Quick Delivery section (same options available).
8. Click OK to save the Task.
9. Deployment/Scheduling options are covered in the Quick Delivery section.
10. Done!

SEP Quick Delivery Task

Creating a Quick Delivery Task is straight forward. Note that this process assumes the following points:

1. The Altiris Agent has been deployed to all target computers.
2. The Software Management Solution plug-in has been deployed to all target systems. This is controlled in the Console under Settings > Agents/Plug-ins > All Agents/Plug-ins > Software > Software Management > Windows.
3. A valid License is applied to allow deployment to the number of targets in the Task (and any other Tasks that have claimed licenses for individual systems).

Task Creation Walkthrough

The following steps walk you through creating a Quick Delivery Task for SEP 11.

1. They are found and configured at Manage > Jobs and Tasks > browse through the tree under System Jobs and Tasks > Software > and select Quick Delivery.
2. Right-click on the Package Delivery folder > go to New > Task.
3. From the left-hand tree, under the Software section, click on Quick Delivery.
4. Provide a name at the top of the right-pane.
5. In the Software resource field, type the beginning of your Software Resource name and click the dropdown. Select the SEP Resource you created (either on your own or as part of this article series in Part 1).
6. Click the dropdown next to Command line and choose the appropriate command-line for what you want the Quick Delivery Task to do, for example SEP Install. Directly below the field you'll see the command-line listed in the gray box.
7. Select the Package from the Package dropdown. See this screenshot for an example:

   

8. Click Advanced.
9. Normally the defaults under the Download options are sufficient. The following options can be used depending on how you want to handle the Package:
      a. Location on the destination computer: If you want the installation files to download to a specific location, use this option and supply the path, for example: C:\SEP\Install Files\
      b. If you want the execution to occur against the source (Package Server or NS), use the options Use the following settings to download and run > Run from the server if bandwidth is above > Any connection speed.
      c. Delete package from client computer: Use this option to manage deletion of executed packages to conserve hard drive space.
10. Click the middle Run Options tab.
11. The default options shows 'Current logged-on user'. Often standard Users do not have rights to install software on their systems. Change this option to either Altiris Agent credential (usually the local System Account) or a Specific user that had install rights on the target computers.
12. Uncheck the option "Allow user interaction". This option will cause the Task to only run if a user is logged on, so it is recommended to uncheck the option. See the following screenshot for a sample:

    

13. Under the third tab (also labeled Run options in CMS SP1) you have additional options.
14. Change the End task after ___ minutes to a value that allows even lower-end machines to finish installing SEP.
15. Click OK to save any changes to the Advanced options.
16. Click OK to save the new Quick Delivery Task.

Schedules and Targets

Under the Task Status section you can create a schedule that will have a filter or target of systems applied to it. There are two main options:

• Quick Run - This is meant to apply to a single system. This is useful when testing a Task you have just created.

  NOTE: Always test a Task before rolling it out to the environment! The Quick Run is very useful for this purpose.

• New Schedule - This option allows scheduling or 'Run now' for the Task.

The following walkthrough covers the two main use-cases:

1. Browse to the SEP Quick Delivery Task you created.
2. Click the New Schedule button.
3. Select the Schedule option that fits your need. This includes Now (great for an emergency push to protect systems without SEP, or updated out of date SEP installations) and Schedule.
4. For schedule you have dynamic options including repeating the task or to tie into a Shared Schedule on the NS.
5. Check the box Override Maintenance Windows. For the Quick Delivery use cases, normally a maintenance window should be overridden. If this is not checked, the Task will not run until the next Maintenance window. See this screenshot for an example:

   

6. The Quick add dropdown under Selected Devices allows single-system additions to the schedule.
7. Click on the Add dropdown and select Computers or Devices.
8. Either select the specific computers or use the Select a Group to add groups of systems (such as integration with AD Groups imported into the NS).
9. Use the single selection or all arrows to move systems from the selection box on the left into the target on the right. See this screenshot for an example:

   

10. Click OK to create the Target.
11. The scheduling page will now show the systems you selected.
12. Click Schedule to initiate the Task.

Statuses

For each schedule you create, you'll have a row under the Task Status section. You can refresh this page manual to track the progress, or you can use the auto-refresh controlled by the dropdown arrow next to the refresh button. See this screenshot for an example:

If you double-click on the row, you'll get a more detailed status report. You can use this interface to track the progress of the Quick Delivery Task deployment.

Task Server Jobs

As discussed briefly above, Task Server requires an active status in order to send the task down to the target systems. While this may be a problem for systems that are powered down, Task Server does allow power management features to be coupled with other Tasks, such as our Quick Delivery. Intel vPro power on technology, Wake on LAN, DASH, and Alert Standard Format (ASF) can be utilized to wake up systems that need to run a Quick Delivery Task.

To use a Quick Delivery SEP Task within a Job that contains power-management usage, see these steps:

1. They are found and configured at Manage > Jobs and Tasks > browse through the tree under System Jobs and Tasks > Software > and select Quick Delivery.
2. Right-click on the Package Delivery folder > go to New > Client Job.
3. From the right-pane click Add Existing or New. Add a supported Power Management function from the available Tasks or Task types.
4. After the power management task is added, click Add Existing and browse down the left-hand tree until you locate the Quick Delivery Task you created for SEP.
5. Now this Job will run the power management task first to ensure systems are awake, and will then run the SEP task we configured.

Power Management isn't the only Task that can be added to a Job. You can utilize any of the Symantec Management products supported in NS.

Conclusion

Quick Tasks give the administrators the ability to swiftly deploy SEP where needed. Using custom Filters you can even target systems that you know, via Inventory Solution, that do not have SEP installed. Within minutes the vulnerable systems can be running the install for SEP. Now add all the other Task functionality from Task Server and it creates a powerful tool.

Read Part 3 here: Managing Symantec Endpoint Protection with Symantec Software Management Solution, Part 3: Applicability and Detection Rules