cancel
Showing results for 
Search instead for 
Did you mean: 
mhday
Level 7
Report Inappropriate Content
Message 1 of 11

VSE Auto Install ... Run once or Run immediately

Jump to solution

I just noticed our “VSE 8.7 Auto Install” Assigned Client Task is disabled.  I have no idea how it got disabled.


I manage the servers just for my team on EPO.  The EPO master andSQL servers were just recently upgraded from 4.0 to 4.6 by the EPO administrator and he also migrated them from physical to virtual.


I assume this task is an essential task, it looks to me like it’s the only way to ensure the approved version of VSE get’s pushed out to servers that need them; such as new server builds.


My question lies on the format of the job.  It seems obvious that I need to re-enable the task but I noticed that the job is set to run immediately.  The administrator recommended that the job be set to run once.


What is McAfee’s recommendation?  And if the recommendation is to Run Once are there any recommended options?


Either way I re-enable the task (run immediately or run once) will the software attempt to install or reinstall on servers that already have it?  I want to make sure it only gets pushed out and installed on new servers or those that are not compliant and need it repaired.


Thanks for your help.

1 Solution

Accepted Solutions
McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 2 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

Deployment tasks like this are the mechanism by which ePO ensures that a point product is installed on a machine - generally therefore the recommendation for these tasks is that they run as often as possible

This is why deployment tasks have the "run this task at every policy enforcement" option. This means that if for example VSE were locally removed from a machine for any reason - naughty users with admin rights, for example - then on the next policy enforcement it will be reinstalled.

If you select the "run at every policy enforcement" option, it doesn't really matter whether you choose Run Immediately, Run Once, or a normal scheduled task: once the task has run for te first time, from then on it runs at each enforcement.

What is McAfee’s recommendation?  And if the recommendation is to Run Once are there any recommended options?

I'd therefore recommend a Run Immediately task with the "run at every enforcement" option enabled.

Either way I re-enable the task (run immediately or run once) will the software attempt to install or reinstall on servers that already have it?  I want to make sure it only gets pushed out and installed on new servers or those that are not compliant and need it repaired.

Deployment and upgrade tasks in ePO are a two-stage process: first, the machine is examined to see if anything needs to be installed (or removed.) If the answer to this is yes, then the task proceeds to install or remove as required: if the answer is no, then the task exits. This means that you can enable the task across the board - any machines that already have the product installed will simply exit the task, and those that don't will run the installation.

HTH -

Joe

10 Replies
McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 2 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

Deployment tasks like this are the mechanism by which ePO ensures that a point product is installed on a machine - generally therefore the recommendation for these tasks is that they run as often as possible

This is why deployment tasks have the "run this task at every policy enforcement" option. This means that if for example VSE were locally removed from a machine for any reason - naughty users with admin rights, for example - then on the next policy enforcement it will be reinstalled.

If you select the "run at every policy enforcement" option, it doesn't really matter whether you choose Run Immediately, Run Once, or a normal scheduled task: once the task has run for te first time, from then on it runs at each enforcement.

What is McAfee’s recommendation?  And if the recommendation is to Run Once are there any recommended options?

I'd therefore recommend a Run Immediately task with the "run at every enforcement" option enabled.

Either way I re-enable the task (run immediately or run once) will the software attempt to install or reinstall on servers that already have it?  I want to make sure it only gets pushed out and installed on new servers or those that are not compliant and need it repaired.

Deployment and upgrade tasks in ePO are a two-stage process: first, the machine is examined to see if anything needs to be installed (or removed.) If the answer to this is yes, then the task proceeds to install or remove as required: if the answer is no, then the task exits. This means that you can enable the task across the board - any machines that already have the product installed will simply exit the task, and those that don't will run the installation.

HTH -

Joe

bakerrl
Level 11
Report Inappropriate Content
Message 3 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

My experience with the Run ImmediatelyTask is it is a one shot deal.  From my previous testing the machine or machines you set it on will only get it once.  If you bring another machine into the tree where that setting is created it will not get the task and run.

From the epo v4.6 Product guide on Page 154 concerning a Run Immediately task.

"If you create a McAfee Agent Product Deployment or Product Update task during this procedure, one of the available options is Run at every policy enforcement. This option has no effect as the task is deleted after it finishes."

Also if the option to "Run at Every Policy Enforcement is selected it causes the agent to contact it's DR or the EPO Server to see if it has a new product to install.  Regradless of whether the source files are already on the machine.

So if you have your enforcement interval set to the default of 5 minutes and you have 20k clients you will have them contacting your DR or ePO Server every 5 minutes to see if there is a new product update.  Most orgs set their enforcment interval to 60 minutes but you would still have all the machines contacting your DR's every 60 minutes.

I perfer to set a scheduled Deployment Task a few times a day to ensure the product is installed.   The ePO v4.5 Best Practices Guide has good suggestions on scheduling your Deployment Tasks and randomizing them.

Just my 2 cents and I could be way off base.  I know everyone has their way of doing things. 

McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 4 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

bakerrl wrote:

My experience with the Run ImmediatelyTask is it is a one shot deal.  From my previous testing the machine or machines you set it on will only get it once.  If you bring another machine into the tree where that setting is created it will not get the task and run.

Hmm.. that's definitely not how it's supposed to work. Each machine that gets the task should run it as soon as it receives it, so if you assign it at a group level, and then add a new machine to that group, the machine will receive the task and run it.  I've just done a quick test and it works - not sure what happened in your environment, I'm afraid

From the epo v4.6 Product guide on Page 154 concerning a Run Immediately task.

"If you create a McAfee Agent Product Deployment or Product Update task during this procedure, one of the available options is Run at every policy enforcement. This option has no effect as the task is deleted after it finishes."

This only refers to one-shot tasks created by the Run Now option in ePO 4.6, not to "normal" tasks - these are not deleted after they run

Also if the option to "Run at Every Policy Enforcement is selected it causes the agent to contact it's DR or the EPO Server to see if it has a new product to install.  Regradless of whether the source files are already on the machine.

So if you have your enforcement interval set to the default of 5 minutes and you have 20k clients you will have them contacting your DR or ePO Server every 5 minutes to see if there is a new product update.  Most orgs set their enforcment interval to 60 minutes but you would still have all the machines contacting your DR's every 60 minutes.

This is true, although the amount of traffic is fairly small - it's only checking to see if there are new detection scripts: it doesn't pull the entire install set again, for example. But this is certainly something to consider especially in bandwidth-critical environments.

I know everyone has their way of doing things. 

That's for sure

Regards -

Joe

bakerrl
Level 11
Report Inappropriate Content
Message 5 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

Ok.  Thanks for the education on a Run Now versus the Run Immediately task.

Learn something new everyday!

McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 6 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

No problem - it's relatively new so not that many folks actually know about it

Regards -

Joe

Highlighted
mhday
Level 7
Report Inappropriate Content
Message 7 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

Joe,

Thanks so much for your valuable assistance! 

We are using EPO 4.6.  I don't see the option to "run at every enforcement" on the task but the administrator showed me that it's located in Menu - Policy - Client Task Catalog under the McAfee Agent.  And it looks like I'd need to duplicate that to update it to "run at every enforcement" as it’s currently not selected

But the administrator does not recommend selecting this option.  We have a fairly large environment ...20,000+ McAfee agents on servers and workstations in many locations all over the world. Our policies are enforced every hour.  His previous testing with EPO 4.0 on two physical servers proved this caused too much network traffic.

The options I was referring to is on the scheduling tab of the Client Task.

If I cannot select "run at every enforcement" should I still set the job to Run immediately?

Regards,

Mike

mhday
Level 7
Report Inappropriate Content
Message 8 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

One minor change to my environment statement ... the policy will affect about 1500 servers.   The EPO environment consists of 20,000 EPO McAfee agents enterprise wide, but this VSE task would only affect 1500 servers.

Mike 

McAfee Employee JoeBidgood
McAfee Employee
Report Inappropriate Content
Message 9 of 11

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution
If I cannot select "run at every enforcement" should I still set the job to Run immediately?

In that case, no, you should set up a normal scheduled task and set it to repeat at regular intervals. A Run Immediately task is effectively a special type of Run Once task - as such it will only run once regardless of whether it succeeds or fails.

HTH -

Joe

Re: VSE Auto Install ... Run once or Run immediately

Jump to solution

Hi Joe,

perhaps you can raise this issue internally again:

In older Mcafee Agent Versions (afaik before MA 3.0) the "Run daily" option with "Run missed task enabled" caused the agent to execute the task immediately if it was missed. This is not true for McAfee Agents since 3.x.

An example:

MA 2.x:

1) Create a daily deployment task starting at 00:01 AM

2) Option "Run missed task enabled"

When a new clients is installed at 08:15 AM it gets the task and executes it immediately because of the "Run missed task" option. So e.g VSE is installed immediatley and the task is also running on a daily basis.

MA > 3.x:

1) Create a daily deployment task starting at 00:01 AM

2) Option "Run missed task enabled"

When a new clients is installed at 08:15 AM it gets the task but does NOT execute it. It is waiting until it "misses" the task once - so the first execution is the next day it is switched on leaving it unprotected for a whole day.

The previous behaviour was very good because it solved the problem described by bakerrl.

Regards Tom

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community