What is your primary goal? Deploying the McAfee Agent as soon as possible after AD sync, or deploying agent and VirusScan "together" (i.e. in order and as fast as possible) regardless of if and when the node was sync'ed into ePO?
If you can arrange that each new host when getting prepared (including its being put into AD) receives at least the McAfee Agent, then there would be no use doing the AD sync. If not, then you could use a third-party management software - if you have one - to do the same (and AD sync were not needed, too).
Otherwise, if your hosts are set to automatic IP lease from DHCP server, then you could use the RSD sensor installed on the DHCP server to "discover" these hosts and via an automatic RSD response, the McAfee Agent would be pushed to these clients (when they are less likely to be turned off right after the IP lease from DHCP).
I presume that AD sync is trying to push the MA only after - or in parallel with - the sync, and not more. RSD would however try to push every time the client appears in the DHCP traffic, which by default is quite often, so this effort would be "continuous".
If you do not install VirusScan and McAfee Agent manually in one go, then you would need to push first the agent, then via a deployment task VirusScan afterwards, which is not happening at once.
Thank you for your reply.
My primary goal is to deploy the agent and all products as soon as possible after AD sync.
I will describe my problem:
- a new client is integrated into the domain (during the day)
- the client is put into an OU "clients"
- the ePO AD sync task starts at night / client is offline
- the next day, when the client is online, the agent deploy should start, because the client was offline while the AD sync ran ... and that does not work
I don't like to use a GPO, because I would like to manage it all from ePO (but now I think it would not work like this).
The ePO "client task" for deploying does not deploy new agents - it can just update agents, like McAfee told me.
An alternative would be using the RSD (said McAfee) - but I am not very familiar with it and I do not want to use IP ranges or something like that.
I think using a GPO would do - but an integrated solution would be perfect, so if you have any hints / alternatives for me I would appreciate it very much.
Taking your intention into consideration that you want everything to be done by ePO, I see now no other way than to use the rogue system detection (RSD) sensor and the RSD response together. This facility is for trying to get hosts ePO-managed that are detected by the sensor and found to be non-managed.
Basically it fits in the process you describe at the point when the clients become online. Supposing they request IP from a DHCP server, an RSD sensor installed on the DHCP server would by all means detect each client's traffic and could trigger the RSD response which in turn would attempt to install the McAfee Agent onto them.
This does not require even a logon for the user, so could happen without a logon script.
We here use this facility just as I described and it works (only the process of getting host managed for the first time is different).
Here is briefly what you need to do:
1. Check in the RSD sensor install into the ePO master repository. Check in the RSD extension, too (for RSD 2.0 there is a SP2 extension, use that). Review and configure RSD sensor policies (see ePO product guide and context help).
2. If you use ePO 4.0, install RSD server on the ePO server; for ePO 4.5 it is already incorporated into ePO server.
3. Deploy RSD sensor to the/all DHCP server/s via a client deployment task (you need to manually install McAfee Agent on the DHCP server, too, beforehand).
4. Create an RSD response with the following action: deploy McAfee Agent. Make exceptions later in this response (filter) when it detects non-Windows hosts, devices requesting IP from DHCP.
Additional things to consider: you will need to supply a domainname/username and password combination in the RSD response so that it can push the agent onto the admin share of the detected client.
If you map the AD structure via the AD sync, no IP rules might be necessary on the groups, yet later on, you could find that for some reason it is worth using (for example you need to create a separate group that is unlike AD structure, using IP and IP sorting could be useful for client to get into this new group).
Schedule VirusScan and other product deployments at a later time when the clients can get online so the agents are already in place.
Let us discuss it further if you still have problems.
Thank you for your response and hints.
I am still in the process of finding the best solution for me.
For now I will try it like this:
- AD Sync every hour
- Automated task, which looks for non-managed computers and then pushes the agent
It looks "more transparent" for me, like using the RSD - but maybe it looks like that because I am not familiar with the RSD, so I cannot see the benefits for me - but I will try it, now that I got those good suggestions from you.
Thank you and regards