Readme Rev
Service Updates
When the downloaded patch is run, it will extract to a folder and there will be zip files. Those files should be extracted and then Setup.exe can be run. This table outlines the names of the zip files and where they should be run.
Component | Core/Console | Client |
---|
Installation Instructions
The following outlines instructions for installing this update.
This patch requires that Ivanti Endpoint Manager 2020.1 be installed. For more information about current service packs, please see Ivanti Community Doc 1001.
Installing on the Core and Rollup Core
Because ADS may block files on Windows systems, it is recommended that you extract the patch on the machine you are going to install it on.
Prior to installing a patch on the Core Server it is recommended to make a backup of the Ivanti database.
Steps
1. Disable any services on other machines that interact with the Core Server
2. Double-click on the self-extracting executable and extract it
3. Extract the files for the Core patch
4. From the extracted files, run Setup.exe
5. When Setup completes, reboot the machine if a reboot is required
6. After applying the patch, you may need to re-activate your Core Server using the Core Server Activation Utility
7. Restart any services stopped in Step 1
Note: The installer included with this release writes a detailed log that can be used to help troubleshoot installation problems. After running setup.exe from the patch, the log is located in the \ManagementSuite\log folder.
Installing on Remote Consoles
A Remote Console is any machine that is not the Core Server and has the Ivanti Endpoint Manager Console installed. Console Machines need to be updated to be able to connect to the updated Core Server and Database.
Because ADS may block files on Windows systems, it is recommended that you extract the patch on the machine you are going to install it on.
Steps
- Close the Console
- Double-click on the self-extracting executable and extract it
- Extract the files for the appropriate patch
- From the extracted files, run Setup.exe
- When Setup completes, reboot the machine if a reboot is required
Note: The installer included with this release writes a detailed log that can be used to help troubleshoot installation problems. After running setup.exe from the patch, the log is located in the \ManagementSuite\log folder.
Updating the Agent
The patch should be installed on the Core Server before updating Agents.
Use one of the following methods to re-deploy the agent once the patch has been applied to the Core or to apply the patch manually.
Methods of agent deployment
- Manual: Map a drive to \\Coreserver\ldlogon and run 'wscfg32.exe -f'. This is used for single client installs and testing.
- Push: Schedule a push of the full agent
- Self-Contained EXE: Create an EXE that can be installed
- Advance Agent: This is a two-stage process. The Advance Agent consists of a small MSI and a self-contained EXE. The MSI is deployed to the client and then the MSI downloads and installs the EXE. This allows for bandwidth-friendly downloads.
For more information on agent configuration and deployment, see Ivanti Community Doc 23482.
Manual installation of the client patch
Because ADS may block files on Windows systems, it is recommended that you extract the patch on the machine you are going to install it on.
- Double-click on the self-extracting executable and extract it
- Extract the files for the appropriate patch
- From the extracted files, run Setup.exe
- When Setup completes, reboot the machine if a reboot is required.
Updating the Agent With Patch Manager
Ivanti Patch Manager can also be used to update agent machines with the patch. Content and definitions can be found in Patch Manager as Ivanti Updates and can be used to detect and repair agents that have not been updated. The Core Server must be updated with the Core patch before updating agents.
Not all Component Patches will have Patch Manager Content created. Once it is generally available, this method can be used to update agents. For more information about updating agents using Ivanti Patch Manager, see Ivanti Community Doc 24384.
Release Information
Please review the following important information about this release BEFORE installing this update.
Feature Changes and Updates
The following features have been changed or updated
Endpoint Security
- Isolate more than one computer at a time
- Add specific EPM permission to isolate/recover a device from the network
- Add auditing support for EPS network isolation
Linux
- Main Linux Agent config UI changes
- Add Linux settings to Distribution and Patch Agent settings UI
- Add Linux settings to Inventory agent settings UI
Mac
- Enable / Remove activation lock
- APNS: Create APNS Cert from new console UI
- VPP Apps now available for Portal Manager
  - https://help.ivanti.com/ld/help/en_US/LDMS/10.0/Default.htm#cshid=wn-ios-portal
MDM
- New iOS MDM Enroller submitted to iOS App Store
- Create new column sets for MDM as defaults in EPM columnset UI
- Remove MDM Compliance agent settings
- MDM Configurations - Create new general direction and content for initial MDM user
Patch Automation
- Patch Automation Feature Phase 1
  - https://help.ivanti.com/ld/help/en_US/LDMS/10.0/Default.htm#cshid=wn-patch-automation
Remote Control
- Remote Control RCViewer - UI Full Screen and Alt-Tab Support
  - https://help.ivanti.com/ld/help/en_US/LDMS/10.0/Default.htm#cshid=wn-remote-fullscreen
Software Distribution
- Enhanced reboot notification on Windows 10 and Windows Server 2016 and 2019 to use Windows Notifications
  - Requires Windows 10 1903, Server 2016, or Server 2019 and later versions. Agents will automatically fall back to legacy reboot prompts if version specs are not met. https://help.ivanti.com/ld/help/en_US/LDMS/10.0/Default.htm#cshid=wn-reboot-ac
Defects Fixed
Agent
- 640822 Remove Unsupported Agent Configuration from EPM Console
  - Remove the HP ThinPro Linux configurations from the core as they are no longer supported.
- 645663 Advance agent deletes existing broker certificates
  - Modified cba8cleanup.exe to save and restore the broker.csr file. With this file missing on a reinstall, brokerconfig /n thinks the certificate is not present and deletes the existing certificate and gets a new one.
- 664649 fwregister.exe does not add MTFTP Windows Firewall exception for Win10 devices
  - Fixed issue related to fwregister not putting firewall exceptions for services like MTFTP that would start, but stop quickly due to no work to do or not being a CSEP elected device.
- 674237 Standalone Agent Install executable does not request to elevate rights when launched
  - Fixed the Windows standalone agent install to automatically attempt to run as administrator with elevated rights.
- 688543 NTStaCfg.in# is incorrect leading to missing tasks that lead to connectivity issues on the client
  - The EXEC entries in the agent config ini files (e.g. ntstacfg.ini, default windows configuration.ini, etc) must be unique per section, and there was a duplicate exec number (EXEC305 in the [Common Base Agent Post Copy] section) which caused the second entry to be ignored. We modified the file so there were no duplicates.
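The duplicate-EXEC condition described in 688543 can be checked mechanically before an agent configuration is deployed. The following is an added example, not Ivanti's code: it scans INI text for keys repeated within one section and reports which later lines a first-match reader would never see. The sample content and its placeholder commands are constructed; only the section name and EXEC305 come from the note above.

```python
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# A key starts a line, is not a comment (; or #), and ends at the first '='.
ENTRY_RE = re.compile(r"^\s*([^=;#\s\[][^=]*?)\s*=")

# Constructed sample; the commands are placeholders, not real agent entries.
SAMPLE_INI = """\
; constructed sample for illustration
[Common Base Agent Post Copy]
EXEC304=placeholder-a.exe /x
EXEC305=placeholder-b.exe
EXEC306=placeholder-c.exe
exec305=placeholder-d.exe /y
[Another Section]
EXEC305=placeholder-e.exe
"""


def find_duplicate_keys(ini_text, prefix="EXEC"):
    """Find keys that occur more than once inside the same section.

    Returns a list of (section, key, first_line, shadowed_lines) tuples.
    shadowed_lines are the later occurrences, which are ignored when only
    the first match in a section is honoured. Keys compare
    case-insensitively; an empty prefix checks every key.
    """
    occurrences = defaultdict(list)  # (section, KEY) -> [line numbers]
    section = None
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).strip()
            continue
        entry = ENTRY_RE.match(line)
        if section is None or entry is None:
            continue  # blank line, comment, or entry outside any section
        key = entry.group(1).upper()
        if key.startswith(prefix.upper()):
            occurrences[(section, key)].append(lineno)
    return [
        (sec, key, lines[0], lines[1:])
        for (sec, key), lines in occurrences.items()
        if len(lines) > 1
    ]


if __name__ == "__main__":
    for sec, key, first, shadowed in find_duplicate_keys(SAMPLE_INI):
        print(f"[{sec}] {key}: line {first} wins, ignored at {shadowed}")
```

The same key in a different section (EXEC305 under [Another Section] in the sample) is not reported, since uniqueness is only required per section.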
Alerting
- 678010 Alert service crashing due to blank computer device ID in database
  - The alert service no longer crashes if a computer device ID ends up being null in the database.
AMT\vPro
- 652728 Intel KVM not working in Windows 10
  - Intel KVM is now working with Windows 10 in some environments. For customers who still can’t get KVM working, follow the instructions on https://forums.ivanti.com/s/article/Intel-KVM-not-working-in-Windows-10
AntiVirus
- 572578 AV-100 not detecting Bitdefender Antivirus
  - Vulnerability AV-100 fails to detect Bitdefender Endpoint Security Tools as installed on an endpoint.
- 669568 Proxy settings do not come from EPM Management Console to Bitdefender Update server (generalsettings.xml)
  - In some cases, the configured proxy server is not used by the Antivirus Update Server.
- 674793 Vulscan shows AVNewBehavior setting showing up twice when updating latest settings
  - Vulscan shows AVNewBehavior setting showing up twice when updating latest settings.
Cloud Services Appliance
- 662731 BrokerServiceActivity.log is not getting controlled by MaxSize setting in BrokerServiceConfig.xml as it should.
  - Fixed an issue so that the BrokerServiceActivity.log log file is controlled by MaxSize setting in BrokerServiceConfig.xml as it should.
Data Analytics
- 494308 Column Size & Type specified on the Windows Console (GUI) are not included in an actual database table.
  - When using nvarchar data types in the custom data forms, the database will reflect the correct column size for the custom field.
- 531874 Archiving Linux devices to Asset Control generates errors
- 644110 Dell Warranty rule is giving 401 error
  - Due to the revamp of the Dell API, we've updated the Dell Warranty rule to accept a client ID and client secret to receive information from Dell. To use the new features, create a new Dell Warranty rule, supply your Client ID and Client Secret, and apply an appropriate schedule for the rule. Currently, this rule does not support the 'Real-Time' functionality of DA, so it is recommended that it be scheduled for now.
Endpoint Security
- 662928 USB Volume will be added to the Known Volumes during Vulscan
- 667614 AMHelper.exe is deleting Appsense configuration file "configuration.aamp" then stopping Ivanti Application Management service from Appsense
  - Cannot change Application Control configuration using EPM task if appcontrol agent was a stand-alone installation.
- 668729 When EPS settings are copied from "All settings" to a user's "My settings" the last saved by user changes to the user who copied the setting.
  - When EPS settings are copied from "All settings" to a user's "My settings", the last saved by user of the original settings changes to the user who copied the setting. It also changes the last save date of the original settings to when the setting was copied.
- 669098 With EPS enabled updating Windows 10 from one version to another fails
  - Endpoint Security real-time file analysis may cause sharing issues with files located in C:\$WINDOWS.~BT\, preventing the Windows upgrade from completing correctly.
- 692361 Remote Console Unable to Isolate Device
  - Unable to Network Isolate an agent from Remote console if the user is not Landesk Administrator.
Inventory
- 440405 Inventory data for "Server Roles and Features" is garbled
  - Fixed issue where Server Roles and Features data in Inventory was being converted twice to UTF8 for transport. Now gathers it correctly.
- 487440 The primary owner is displayed with dbcs characters on some devices
  - Enhanced ldapwhoami.exe with full Unicode compatibility so that primary owner data would be reported correctly for double byte languages.
- 514609 Services (680) - Flush map file new.jfm shows up randomly in the Event Viewer
  - Fixed an issue where ESENT events showed up in the event log when the inventory scanner runs on the EPM core server.
- 598980 Corruption on French core servers freezes and the console when it is linked with a rollup core
  - Modified the query name and logs columns for tasks so that they aren't part of inventory when tasks are refreshed.
- 639910 Inventory OU output contains invalid characters
  - Enhanced ldapwhoami.exe to support Unicode for AD data. For eDirectory it uses MBCS.
- 676203 Inventory Server Service does not appear to remove orphaned Fileinfo entries at service start time
  - When there are too many orphaned fileinfo records, the inventory service will now clean them out in stages so that the queries do not time out.
- 694020 Event ID 4100 Errors in Event Viewer - Increase Column Sizes - Database
  - Increased some column sizes in the EPM database where we have had customer data that exceeded the current column size. Tables affected: BiosSettings, EnvironSettings, PeripheralAdapters.
Linux
- 650574 Unable to Push Linux Agent with Non-Root User
  - The Linux agent prevents two installations from running at the same time by placing a lock file in one of several directories (/var/lock, etc.). The first directory that exists in the list is used, but an unprivileged user may not have permission to write the lock file in the chosen directory, causing the script to fail. The lock file is now written into the /tmp directory, where an unprivileged user has permission to write.
- 656499 Custom Scripts do not work with Linux clients after 2019 SU3
  - A change in a SOAP message sent from the core to the Linux agent exposed a defect where a buffer was overwritten before it was fully read.
- 656500 SWD / Policies fail with 2019 SU3
  - A change in a SOAP message sent from the core to the Linux agent exposed a defect where a buffer was overwritten before it was fully read.
- 659767 Ubuntu Workstation /UI does not run scheduled inventory, vulscan, etc from the expected crontab
  - The script to configure the crontab was run with a flag to terminate the script in the event of an error to protect against writing a bad crontab entry. When reading the current crontab, modifying, and rewriting it, a command returned a non-zero code and terminated the script. The non-zero return code was not a failure, so the command result was modified to allow the script to continue and correctly write the crontab.
- 669074 Vulnerability Scans consuming Excessive CPU on RHEL
  - The underlying issue is a handful of security tests which scan the entire hard disk. In this instance the scanned disk was a large NFS-mounted disk. The issue will have to be resolved by a change to content to not search NFS mounts; however, customers can disable the security tests on the core to avoid the issue.
- 669251 Linux agents missing Network TCPIP Address
  - The missing TCPIP fields were added to the inventory.
- 669282 Pull install appears to complete successfully but the machine never appears on the core: Raspbian 8
  - A gcc optimization bug was preventing Raspbian 8 from completing successfully.
- 670920 Pull install appears to complete successfully but the machine never appears on the core: AIX7
  - A regression in the sharedtech communication library (cba8) did not allow AIX to properly find the executable path which is used to load the cert file for communication with the core.
- 679013 pds2d runs with elevated privileges under systemd
  - When removing the pds2 dependency on xinetd and moving to systemd, Debian's version of systemd did not support running as the user nobody. A regression removed the user nobody, but didn't replace it with a new unprivileged user. This repair creates an unprivileged ldnobody user and runs pds2 as that user.
- 690459 PolicyEngine locks pid indefinitely if process is killed prematurely
  - An exceptional failure would leave the pid file indefinitely on the agent, preventing future policy runs. A stranded pid file is now correctly removed if it is no longer related to an actively running policy.
- 700187 AIX is unable to send inventory to an EPM 2020 Core
  - A regression in the sharedtech communication library (cba8) did not allow AIX to properly find the executable path which is used to load the cert file for communication with the core.
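The stranded pid file condition in 690459 comes down to deciding whether the recorded PID still belongs to the process that wrote it. The following is an added example of one way to make that decision, not the agent's own code: it assumes a Linux /proc filesystem, and the pid file path and process name passed in are hypothetical.

```python
import os
from pathlib import Path


def read_pid(pid_file):
    """Return the PID stored in pid_file, or None if missing or malformed."""
    try:
        text = Path(pid_file).read_text().strip()
    except OSError:
        return None
    if text.isdigit() and int(text) > 0:
        return int(text)
    return None


def process_name(pid):
    """Return the basename of argv[0] for pid, or None if it is not running.

    A zombie has an empty cmdline, so it is also reported as None.
    """
    try:
        raw = Path(f"/proc/{pid}/cmdline").read_bytes()
    except OSError:
        return None  # process is gone (or /proc entry is not readable)
    argv0 = raw.split(b"\0", 1)[0].decode(errors="replace")
    return os.path.basename(argv0) or None


def clear_if_stale(pid_file, expected_name):
    """Remove pid_file unless it names a live process called expected_name.

    Checking the name as well as liveness matters because the kernel reuses
    PIDs: after a crash, the recorded number can belong to an unrelated
    process, which would otherwise block every future run.
    Returns 'absent', 'held' or 'removed'.
    """
    path = Path(pid_file)
    if not path.exists():
        return "absent"
    pid = read_pid(path)
    if pid is not None and process_name(pid) == expected_name:
        return "held"
    path.unlink(missing_ok=True)
    return "removed"
```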
Mac
- 639362 Mac Agent not registering with the RC Tunnel
- 661145 Client Data Storage grouping Devices together with NULL Serial Number Value
  - The cause of this issue was a defect in the MDM inventory code. The inventory was being reported incorrectly, resulting in inventory records with null deviceIDs. In particular this caused issues when using Client Data Storage for storing FileVault recovery keys and other secured information. The defect in the MDM inventory code has been resolved, and a database script has been made available through technical support to repair databases which were affected by this issue.
- 674249 Create public key button in Add Apple DEP Token window gives missing cert error after EPM core upgrade
- 707189 LDAPM Segment Fault when going through CSA
  - ldapm was crashing when running through a CSA, when the device was joined to a domain. Running through the CSA meant that most likely the device would have to use cached domain info when asking the core to resolve group membership for the device. Accessing the cached data was causing an object to be freed when it should not have been. This issue has been fixed.
- 707651 Primary Owner field is missing in macOS inventory scans
MDM
- 677727 Co-management behavior for distributing MDM can be catastrophic
  - Adjusted wording for the co-management/agent automatic deployment over MDM so it is clear that the agent install process will occur upon next MDM sync for devices without the agent. Before it was worded that the process only would occur upon MDM enrollment.
- 684630 Users granted Modern Device Management rights unable to create/edit Mobility profiles
Patch Manager
- 521986 LDReboot continues to prompt for reboot immediately after being snoozed
  - Several logic and timing issues were corrected in LDReboot to make the snooze functionality more reliable.
- 606088 Unable to set up automatic definition download setting to move Office 365 definitions to custom filter during download
  - Creating a filter for the Click to Run product found while searching for Office now properly groups all the Office definitions.
- 675400 New Patch Task Template now requires you to select repair group in 2019.1 SU3
  - An unwanted behavior was added when creating a repair task: selecting a group of vulnerabilities became required even though it wasn't supposed to be. This has been fixed.
Remote Control
- 455713 HTML5 RC issue when using long password
  - Fixed an issue that would prevent HTML5 RC authentication when trying to use a long password.
- 678285 RC Tunnel increased limits are not applied during CSA boot up
  - Fixed an issue that could cause the tunnel service on Linux not to open more than 2000 connections at any given time.
- 678287 Legacy RC tries to connect to the incorrect CSA when multiple CSAs are in the environment.
  - Fixed an issue that caused legacy remote control not to choose the correct CSA if many CSAs were configured.
- 679971 Remote Control WS remote execute cmd/ps Fail to run other than local system
  - Fixed an issue that prevented users from running a cmd.exe or powershell.exe remotely in a remote control session.
- 685206 Installation of enurcsetup.exe fails.
  - Fixed an issue that was preventing the updated legacy remote control viewer from being updated in the SU patch.
- 692571 RCClient.exe remote control agent for CSA is failing - curllib.dll was not found
  - Fixed an issue with standalone legacy rcclient.exe not installing correctly due to missing curllib.dll.
- 695671 LDWebApp pool to crash
  - Fixed a remote control issue when multiple remote control tunnels were used. The root cause was a threading issue in the Ivanti RemoteControlAuth web service. The crash of RemoteControlAuth also caused the LDWebApp IIS pool to fail.
- 705536 Tunnel loses connectivity but does not unregister the device
  - Fixed an issue that could cause the Remote control tunnel to stop monitoring connected devices in some situations. This would cause routers to potentially think the connection was inactive and kill the connection.
Reporting
- 644413 Can not send report by email using SMTP port 587
  - Sending a report by email through SMTP on port 587 was not possible. Support was added and emails can now be sent through port 587.
- 661872 "Export as csv" shows a wrong output when the query results are zero
  - Export to CSV from a query was fixed to write the proper results when a query returns no results.
Software Distribution
- 608808 Open a Software Package is very slow. It takes up to 2 min to open a Package.
  - For the case of opening a software distribution package, re-wrote the file location reducing code with a much faster algorithm. Also added a location cache for subsequent location accesses for either the primary package locations or the additional files locations. The location cache is automatically updated when new locations are added.
- 672039 LDAP resolution over the CSA may fail
  - Enhancement made to ensure that the user is in trusted by machine domain.
- 686674 Package Bundle shows completed in console, although installation stopped in the middle of processing.
  - For Software Distribution, fixed issue ignoring pending reboot for MSI 3010 return code.
- 687545 Unable to download files with special characters "&" in the file name via http
  - Software Distribution now properly decodes file names with the '&' character.
Web Console
- 682823 Addressed potential issue around alert logging
- 682836 Addressed potential issue for file uploads
Known Issues
Linux
- The “Enable debug logging and keep files” doesn’t work at this time but it will work in the future.
- 710499 Change setting tasks hang regardless of result
  - This happens with success or failure, but success will deploy the requested settings.
- 710501 Fresh EPM Core install does not have complete agent settings defaults
  - Change settings tasks will fail regardless until you open the settings and click “Save”. No changes are required.
- 710574 Pull install without an INI file does not set up agent settings. The file “agent_settings.status” is set to “null”
  - The INI file needs to either reside in the same directory as nixconfig.sh or have its full path specified with a switch. Example: -c [path/to/ini/file]. Note: This is a local directory.