Information on how Symantec Management Agent (Altiris Agent) installs to computers works
Article ID: 161474

Products

IT Management Suite

Issue/Introduction

Is there any information on how the Symantec Management Agent (Altiris Agent) install to computers works?

Environment

ITMS 8.x

Resolution

The Symantec Management Agent Install page, located under the tree node "Settings > Agents/Plug-ins > Symantec Management Agent > Settings", is the place where users can trigger the installation of the Altiris Agent onto a computer.
The page is built to be extensible, allowing other agents (e.g. Linux/Unix/Mac) to add tabs to the page. This model provides a single page for all types of agent installations.

The "Install Agent" tab can be broken into 3 main sections:

  1. Rollout Agents to computers
  2. Download page URL
  3. Scheduled Push to Computers

A Security section is also added to describe what security permissions are needed in order to trigger an Altiris Agent install.

Altiris Agent installs to computers
This section allows users to perform a push install of the Symantec Management Agent to one or more computers. In order to push the agent to a computer, the computer must first be added to the grid. Then, users can select one or more computers on the grid and click the "Install" button to begin the push install.
Note that adding computers to the grid does not mean adding them as a NS computer resource.

Selecting computers to push
There are 3 ways users can add computers to the push grid:

  1. Quick computer name add (via the textbox)
  • By computer name
    • Supported format:
    • Invalid characters:
      • Space (" ")
      • Greater than (">")
      • Less than ("<")
      • Comma (",")
    • Extended ASCII characters are supported.
    • Maximum length of computer name is 15 characters. This is a limitation of the NetBIOS protocol.

Things to consider as well:

Windows does not allow the characters: apostrophe (‘), tilde (~), exclamation (!), at (@), hash (#), dollar-sign ($), caret (^), ampersand (&), asterisk (*), brackets (()), equal (=), plus (+), square-brackets ([]), curly-brackets ({}), backslash (\), pipe (|), semi-colon (;), colon (:), quote ('), double-quote ("), slash (/) and question mark (?).

NetBIOS does not allow the characters: space ( ), backslash (\), slash (/), colon (:), asterisk (*), question-mark (?), double-quote ("), semi-colon (;), pipe (|), or names longer than 15 characters.

Consider removing support for 'name @domain' format as it is not a commonly-used format. 

  • By IP address
    • Supported format:
      • IPv4
        • Decimal only (We may not be able to support this by amending the IP address validation logic inside the method Altiris.NS.Utilities.ClientPushMgr.PushAgentToComputers() to use IpAddress.TryParse() instead.)
      • IPv6
        • Decimal only
        • Will not work with computers that do not have an IPv4 address. Internally, the push is still done via IPv4 address.
    • The IP address will be displayed under the "Name" column. This will change into the machine's name once the agent push is triggered.
  • By computer resource GUID
  2. CSV file import (via the "Import computers from a selected file" toolbar button)
  • Supported format:
    • Same as "Quick computer name add" above.
  • Failed imports will be logged, but they are not displayed on the UI.
  3. Select Computers dialog
  • Upon button click:
    • If no computers are found in the NS database, the user will be redirected to the Discover Computers page.
    • If computers are found, the computer selector dialog will be shown.
  • Selecting one or more computers from the selector should transfer the selected rows into the push grid.
  • Cancelling from the selector will not add more entries to the push grid.
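
Because failed CSV imports are only logged and not shown in the UI, it helps to check a list against the rules above before importing it. The following is an added example, not Symantec code: it applies the invalid-character list, the 15-character NetBIOS limit and the IPv4/IPv6/GUID formats described on this page. The function names, the one-entry-per-item input and the choice to treat the text before the first "." or "@" as the computer name are assumptions of the example.

```python
import ipaddress
import re
import uuid

INVALID_CHARS = set(' <>,')  # characters the page lists as invalid
NETBIOS_MAX = 15             # NetBIOS name limit stated on the page


def classify_entry(entry):
    """Return (kind, problem); problem is None when the entry passes."""
    text = entry.strip()
    if not text:
        return "empty", "blank entry"
    try:
        uuid.UUID(text)                  # computer resource GUID
        return "guid", None
    except ValueError:
        pass
    try:
        ip = ipaddress.ip_address(text)  # dotted-decimal IPv4, or IPv6
        return ("ipv4" if ip.version == 4 else "ipv6"), None
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", text):
        # Choice made for this example: digits and dots that did not parse
        # as IPv4 are reported instead of being treated as a computer name.
        return "ipv4", "not a valid dotted-decimal IPv4 address"
    bad = sorted(INVALID_CHARS.intersection(text))
    if bad:
        return "name", "invalid character(s): " + " ".join(map(repr, bad))
    host = re.split(r"[.@]", text, maxsplit=1)[0]  # drop the domain part
    if not host:
        return "name", "missing computer name"
    if len(host) > NETBIOS_MAX:
        return "name", f"computer name longer than {NETBIOS_MAX} characters"
    return "name", None


def rejected_entries(entries):
    """(entry, problem) for every entry that fails the checks above."""
    checked = ((e, classify_entry(e)[1]) for e in entries)
    return [(e, problem) for e, problem in checked if problem]


# Constructed sample list (documentation addresses, made-up names).
SAMPLE = ["sydc001", "sydc001.testdom01.lab", "192.0.2.15", "2001:db8::15",
          "build server", "averyveryverylongname01", "10.0.0",
          "6f9619ff-8b86-d011-b42d-00c04fc964ff"]
```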

Push Grid
The push grid remembers all previously added computers, unless specifically removed by the user. This data is stored in the NS database table "AgentPushData".
Upon adding the selected computers to the push grid, depending on the format entered, the Name and Domain column will be populated accordingly. The rest of the columns will be blank as the discovery of the machines is not done yet.
Below are the expected results in the grid when an entry is added depending on the input format:

| Computer name format | Grid name column | Grid domain column |
| --- | --- | --- |
| FQDN (name.domain.com) | name | domain |
| name @domain | name @domain | |
| [email protected] | name @domain | com |
| name.domain | name | domain |
| Name | name | |

If a previously-managed computer is being added to the grid, only the Name and Domain column should be filled.
To remove entries from the push grid, deletion toolbar buttons are available. They are:

  • "Delete All" - Simply hides the entries from being shown in the push grid.
  • "Delete" - Removes the entry from the grid and the database table "AgentPushData".

A "Refresh" button is located on the right of the grid toolbar. This button refreshes the grid's data. As the agent push task is a long-running asynchronous process, users need to refresh the grid periodically to track push progress closely. An alternative is to browse the reports via the "View Installation Status Report" button located below the grid.
The push grid also supports context menus. Right-clicking an entry on the push grid opens a context menu that depends on whether the machine has been discovered.
If the machine has not yet been discovered or pushed, you will see this context menu item:

  • Remove Selected Computers - Same as the "Delete" button.

If the machine has been discovered or pushed, you will see these context menu items:

  • Resource Manager - Open up Resource Manager for the selected computer.
  • Remove Selected Computers

Install Altiris Agent
Users can trigger the agent push install to one or more computers by selecting them on the push grid and then clicking the "Install Altiris Agent" button. Multiple computers can be selected via Ctrl + Click or Shift + Click.

Upon clicking the "Install Altiris Agent" button, the Option dialog shall be displayed with the following options:

  • Show the Altiris Agent icon in the start menu
    • Indicates if the Altiris Agent will add an entry to the Windows start menu.
  • Show the Altiris Agent icon in the system tray
    • Indicates if the Altiris Agent will add an entry to the Windows notification area.
    • This setting gets overridden when the Altiris Agent first receives the client configuration (which is around 10 minutes after install). The setting that overrides this is in the targeted agent settings page > Interaction tab, option 'show client tray icon', which by default is enabled.
  • Use proxy
    • Indicates if proxy settings, found in the target machine's Internet Options, will be used to communicate between the NS and the targeted machine, both during and after the installation. If the attempt to connect via proxy fails, it will attempt to connect directly instead.
  • Override the default installation path
    • Indicates if the agent will be installed on an alternate location.
  • Specify different Notification Server
    • Indicates if the target machine shall register itself to another Notification Server upon installation.
    • Http and Https supported.
  • Download agent package from closest Package Server
    • Indicates if the target machine shall download the agent package from the closest Package Server instead of from the current NS.
  • List the Altiris Agent in the Add/Remove Programs List
    • Indicates if the agent will add an entry to the Windows "Add/Remove Programs" list.
  • Use the following admin account instead of application credentials
    • Indicates if another credential shall be used to communicate and install the agent on the target machine.
    • For machine on a workgroup, specify the username in the format "machineName\username".
    • The specified credentials here are used only for installation and initial agent/NS communications before the first client configuration is received. After that, the Agent Connectivity Credential (ACC) specified on the NS inside the Global Agent Settings page > Authentication tab will be used.
    • These credentials are being passed down for both Push and Pull. This is done via command line arguments (-accUserName and -accUserPassword).
  • Additional parameters
    • Allows additional command-line parameters to be added during the agent install. These parameters are specified via dash ("-") or forward-slash ("/") and are separated by space (E.g. -diagnostics /logging).
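
Because the install credentials travel as the -accUserName and -accUserPassword command-line arguments, they appear wherever command lines are recorded, for example in process-creation auditing with command-line logging enabled. The following added example (not Symantec code) finds such records and redacts the password value before the record is stored or forwarded. The installer file name, the hosts, the record layout and the accepted value separators (":", "=" or whitespace) are assumptions, since the page names only the two flags.

```python
import re

# Assumption: the value follows the flag after ':', '=' or whitespace and may
# be double-quoted; the page names the flags but not the separator.
_VALUE = r'(?P<sep>[:=]|\s+)(?P<val>"[^"]*"|\S+)'
_PASSWORD = re.compile(r'(?P<flag>[-/]accUserPassword)' + _VALUE, re.IGNORECASE)
_USERNAME = re.compile(r'(?P<flag>[-/]accUserName)' + _VALUE, re.IGNORECASE)


def redact(command_line):
    """Replace the -accUserPassword value; return (redacted_text, was_exposed)."""
    redacted, count = _PASSWORD.subn(
        lambda m: m.group("flag") + m.group("sep") + "<redacted>", command_line)
    return redacted, count > 0


def find_exposures(records):
    """Return one finding per record whose command line carries the password."""
    findings = []
    for rec in records:
        redacted, exposed = redact(rec["command_line"])
        if not exposed:
            continue
        user = _USERNAME.search(rec["command_line"])
        findings.append({
            "host": rec["host"],
            "account": user.group("val").strip('"') if user else None,
            "command_line": redacted,   # password value no longer present
        })
    return findings


# Constructed process-creation records; installer name and values are placeholders.
SAMPLE = [
    {"host": "PC-014", "command_line":
     r'C:\Temp\agent-setup.exe -accUserName:LAB\svc_push -accUserPassword:"Ex ample!1" /logging'},
    {"host": "PC-022", "command_line":
     r'C:\Temp\agent-setup.exe /accUserName PC-022\localadm /accUserPassword Pl4ceholder'},
    {"host": "PC-031", "command_line":
     r'C:\Temp\agent-setup.exe -diagnostics /logging'},
]
```

Every account returned by `find_exposures` is one whose password was written to the log source in clear text.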

Installation
In order for the agent to be installed successfully, the following conditions must be met:

  • The current NS (and the alternate NS if specified) must have a direct connection to target machine.
  • The target machine can be on the same domain as the NS or on a different one.
  • The target machine must be 'hostname pingable'.
  • The credential used, either the application credential or the specified admin one, must be in the target machine's Windows "Administrators" group.
  • The credential used, either the application credential or the specified admin one, must be valid on the domain (or domains for cross-domain push).
  • The target machine is x86 or x64 based computer.
  • The target machine's Operating System (OS) must be supported by the Altiris Agent.
  • The target machine's firewall is either turned off or configured properly for NS-Agent push install communication. From the Altiris KB article #31920, the ports that are used for push install are:
    • File and Print Services ports:
      • TCP 139
      • TCP 445
      • UDP 137
      • UDP 138
  • Enabling of ports TCP 139 and TCP 445 is usually enough to allow the push install.

Upon install failure, the push grid displays and updates the push status according to the following failure scenarios:

  • If the target machine is non-existent:
    • The Status column will display "The network path was not found".
  • If the NS does not have a direct connection to the target machine:
    • The Status column will display "The network path was not found".
  • If the target machine's firewall is turned on and it is not configured properly for the agent-push:
    • The Status column will display "The network path was not found".
  • If the target machine's OS is not supported:
    • Windows 95/98/NT, etc
    • The variable Altiris.NS.Utilities.ClientPushMgr.MinimumOS determines the minimum OS version that the Altiris Agent supports.
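
The first three scenarios above all produce the same status text, so the grid alone does not say which one applies. The following added example (not part of the product) can be run from the NS to separate a name that does not resolve from a host whose TCP 445/139 ports are closed or not answering. The function names and finding labels are assumptions of the example, and only the two TCP ports that the page says are usually enough are checked.

```python
import socket

PUSH_TCP_PORTS = (445, 139)   # TCP ports the page says are usually enough


def resolve_ipv4(name):
    """IPv4 addresses from the OS resolver, or [] when the name is unknown."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def port_state(addr, port, timeout=3.0):
    """'open', 'refused' (host answered, port closed) or 'no-answer'."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:               # timeout, unreachable network, and so on
        return "no-answer"


def diagnose(target, resolver=resolve_ipv4, prober=port_state):
    """Narrow down why a push reports 'The network path was not found'."""
    addrs = resolver(target)
    if not addrs:
        return {"target": target, "finding": "name-does-not-resolve"}
    ports = {p: prober(addrs[0], p) for p in PUSH_TCP_PORTS}
    states = set(ports.values())
    if states == {"open"}:
        finding = "ports-reachable"           # check credentials or OS next
    elif "refused" in states or "open" in states:
        finding = "host-up-port-unavailable"  # file sharing off or rule missing
    else:
        finding = "no-answer"                 # host down, no route, or packets dropped
    return {"target": target, "address": addrs[0], "ports": ports,
            "finding": finding}


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(diagnose(name))
```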

Other supported scenarios:

  • If the agent push previously failed, for whatever reason, but then succeeds, the push grid will display the success messages accordingly.
  • If the agent is pushed to multiple machines and some succeed while others fail, the appropriate success or failure messages will be displayed on the push grid accordingly.
  • If a machine was formerly a client (i.e. The Altiris Agent was installed) and has since been re-imaged, pushing the agent to it will not result in errors.
  • If a machine sydc001.testdom01.lab exists and a machine sydc001.syd-lab.altiris.com does not, and sydc001.syd-lab.altiris.com (the non-existing one) is entered in the push page grid, the push will try a DNS look-up on the FQDN and fail. It will then try to resolve it using WINS and push the agent to the testdom01 machine.

The database tables used to store the agent push data are:

  • Evt_AeX_Client_LogOn
  • Evt_AeX_Push_Status

These are created during NS configuration time.

URL of download page (Pull Install)
This section is for "Pull Install". Pull install provides another method to install the Altiris Agent on a target machine. Instead of remotely pushing the install onto the target machine, pull install works the opposite way: the agent installation package is downloaded to the target machine and installed manually.
In order to do this, users need to follow the steps below:

  1. Log in to the target machine as an Administrator of the machine.
  2. Browse to the URL found in this section. By default, the URL is http://[NS_SERVER_FQDN]/Altiris/NS/Agent/AltirisAgentDownload.aspx. The URL should be in FQDN if accessed from another domain.
  3. Follow the instructions on the page to download and install the agent.

It is important to note that the proxy settings in the agent push "Installation Settings" are also used by the pull install.

Scheduled Push to Computers
Scheduled Push automates the agent push process using the NS Resource Target infrastructure. Users can select the computers onto which they wish to push install the Altiris Agent and choose the schedule.
If the membership of the resource target has changed, the scheduled push will ensure that all computers that belong to the resource target have the Altiris Agent installed via push install. If any scheduled agent push fails, users can view the failures in the "Altiris Installation Status" report.

Security
The Altiris Agent install is secured via NS item's permissions. In order to push agent to machines, the current user must have at least the following NS security permissions:

  • Read permission on the "Altiris Agent Install" page.
  • Write permission on the "Altiris Agent Install" page.
  • Read permission on the "AeX AC Discovery" data class, a basic inventory data class.

Minor changes may have occurred between releases but the general behavior should be consistent.

Additional Information

"Symantec Management Agent Communication overview" (KB 256573)
"Symantec Management Agent (Altiris Agent) Download Logic" (KB 181098)