10 Replies Latest reply on Dec 8, 2011 5:42 AM by metalhead

    VSE Auto Install ... Run once or Run immediately

      I just noticed our “VSE 8.7 Auto Install” Assigned Client Task is disabled.  I have no idea how it got disabled.


      I manage the servers just for my team on EPO.  The EPO master and SQL servers were just recently upgraded from 4.0 to 4.6 by the EPO administrator and he also migrated them from physical to virtual.


      I assume this task is an essential task, it looks to me like it’s the only way to ensure the approved version of VSE gets pushed out to servers that need them; such as new server builds.


      My question lies on the format of the job.  It seems obvious that I need to re-enable the task but I noticed that the job is set to run immediately.  The administrator recommended that the job be set to run once.


      What is McAfee’s recommendation?  And if the recommendation is to Run Once are there any recommended options?


      Either way I re-enable the task (run immediately or run once) will the software attempt to install or reinstall on servers that already have it?  I want to make sure it only gets pushed out and installed on new servers or those that are not compliant and need it repaired.


      Thanks for your help.

        • 1. Re: VSE Auto Install ... Run once or Run immediately
          JoeBidgood

          Deployment tasks like this are the mechanism by which ePO ensures that a point product is installed on a machine - generally therefore the recommendation for these tasks is that they run as often as possible.

          This is why deployment tasks have the "run this task at every policy enforcement" option. This means that if for example VSE were locally removed from a machine for any reason - naughty users with admin rights, for example - then on the next policy enforcement it will be reinstalled.

          If you select the "run at every policy enforcement" option, it doesn't really matter whether you choose Run Immediately, Run Once, or a normal scheduled task: once the task has run for the first time, from then on it runs at each enforcement.

           

          What is McAfee’s recommendation?  And if the recommendation is to Run Once are there any recommended options?

           

          I'd therefore recommend a Run Immediately task with the "run at every enforcement" option enabled.

           

           

          Either way I re-enable the task (run immediately or run once) will the software attempt to install or reinstall on servers that already have it?  I want to make sure it only gets pushed out and installed on new servers or those that are not compliant and need it repaired.

           

          Deployment and upgrade tasks in ePO are a two-stage process: first, the machine is examined to see if anything needs to be installed (or removed.) If the answer to this is yes, then the task proceeds to install or remove as required: if the answer is no, then the task exits. This means that you can enable the task across the board - any machines that already have the product installed will simply exit the task, and those that don't will run the installation.

           

          HTH -

           

          Joe

          • 2. Re: VSE Auto Install ... Run once or Run immediately
            bakerrl

            My experience with the Run Immediately Task is it is a one shot deal.  From my previous testing the machine or machines you set it on will only get it once.  If you bring another machine into the tree where that setting is created it will not get the task and run.

             

            From the epo v4.6 Product guide on Page 154 concerning a Run Immediately task.

             

            "If you create a McAfee Agent Product Deployment or Product Update task during this procedure, one of the available options is Run at every policy enforcement. This option has no effect as the task is deleted after it finishes."

             

            Also if the option to "Run at Every Policy Enforcement" is selected it causes the agent to contact its DR or the EPO Server to see if it has a new product to install, regardless of whether the source files are already on the machine.

             

            So if you have your enforcement interval set to the default of 5 minutes and you have 20k clients you will have them contacting your DR or ePO Server every 5 minutes to see if there is a new product update.  Most orgs set their enforcement interval to 60 minutes but you would still have all the machines contacting your DRs every 60 minutes.

             

            I prefer to set a scheduled Deployment Task a few times a day to ensure the product is installed.   The ePO v4.5 Best Practices Guide has good suggestions on scheduling your Deployment Tasks and randomizing them.

             

            Just my 2 cents and I could be way off base.  I know everyone has their way of doing things. 

            • 3. Re: VSE Auto Install ... Run once or Run immediately
              JoeBidgood

              bakerrl wrote:

               

              My experience with the Run Immediately Task is it is a one shot deal.  From my previous testing the machine or machines you set it on will only get it once.  If you bring another machine into the tree where that setting is created it will not get the task and run.

               

               

              Hmm.. that's definitely not how it's supposed to work. Each machine that gets the task should run it as soon as it receives it, so if you assign it at a group level, and then add a new machine to that group, the machine will receive the task and run it.  I've just done a quick test and it works - not sure what happened in your environment, I'm afraid.

               

               

              From the epo v4.6 Product guide on Page 154 concerning a Run Immediately task.

               

              "If you create a McAfee Agent Product Deployment or Product Update task during this procedure, one of the available options is Run at every policy enforcement. This option has no effect as the task is deleted after it finishes."

               

              This only refers to one-shot tasks created by the Run Now option in ePO 4.6, not to "normal" tasks - these are not deleted after they run.

               

               

              Also if the option to "Run at Every Policy Enforcement" is selected it causes the agent to contact its DR or the EPO Server to see if it has a new product to install, regardless of whether the source files are already on the machine.

               

              So if you have your enforcement interval set to the default of 5 minutes and you have 20k clients you will have them contacting your DR or ePO Server every 5 minutes to see if there is a new product update.  Most orgs set their enforcement interval to 60 minutes but you would still have all the machines contacting your DRs every 60 minutes.

               

              This is true, although the amount of traffic is fairly small - it's only checking to see if there are new detection scripts: it doesn't pull the entire install set again, for example. But this is certainly something to consider especially in bandwidth-critical environments.

              I know everyone has their way of doing things. 

               

               

              That's for sure

               

              Regards -

               

              Joe

              • 4. Re: VSE Auto Install ... Run once or Run immediately
                bakerrl

                Ok.  Thanks for the education on a Run Now versus the Run Immediately task.

                 

                Learn something new every day!

                • 5. Re: VSE Auto Install ... Run once or Run immediately
                  JoeBidgood

                  No problem - it's relatively new so not that many folks actually know about it.

                   

                  Regards -

                   

                  Joe

                  • 6. Re: VSE Auto Install ... Run once or Run immediately

                    Joe,

                     

                    Thanks so much for your valuable assistance! 

                     

                    We are using EPO 4.6.  I don't see the option to "run at every enforcement" on the task but the administrator showed me that it's located in Menu - Policy - Client Task Catalog under the McAfee Agent.  And it looks like I'd need to duplicate that to update it to "run at every enforcement" as it’s currently not selected.

                     

                    But the administrator does not recommend selecting this option.  We have a fairly large environment ...20,000+ McAfee agents on servers and workstations in many locations all over the world. Our policies are enforced every hour.  His previous testing with EPO 4.0 on two physical servers proved this caused too much network traffic.

                     

                    The options I was referring to are on the scheduling tab of the Client Task.

                     

                    If I cannot select "run at every enforcement" should I still set the job to Run immediately?

                     

                    Regards,

                    Mike

                    • 7. Re: VSE Auto Install ... Run once or Run immediately

                      One minor change to my environment statement ... the policy will affect about 1500 servers.   The EPO environment consists of 20,000 EPO McAfee agents enterprise wide, but this VSE task would only affect 1500 servers.

                       

                      Mike 

                      • 8. Re: VSE Auto Install ... Run once or Run immediately
                        andrep1

                        Not sure why but some client tasks get disabled when migrating. Looks like it happens when the task has an exception down the system tree

                        • 9. Re: VSE Auto Install ... Run once or Run immediately
                          JoeBidgood
                          If I cannot select "run at every enforcement" should I still set the job to Run immediately?

                           

                           

                          In that case, no, you should set up a normal scheduled task and set it to repeat at regular intervals. A Run Immediately task is effectively a special type of Run Once task - as such it will only run once regardless of whether it succeeds or fails.

                           

                          HTH -

                           

                          Joe
