Dears,
can we change the flexera agent registry level configuration through a policy update as follows.
Example Scenario : Set CheckServerCertificate=false for all agents from policy change at DB or at server, so that it'll reflect on clients during the next policy update.
Example Execution : At DB , insert or update a the table with CheckServerCertificate=false, then beacon (or app server) pick up this value and request agent to update the same in relevant registry,
Dec 26, 2023 03:35 AM
The short answer is that there is no supported or documented way of setting agent preferences like this through policy.
However the longer answer is that there is an undocumented/unsupported approach that may work for you. You could explore this if you are comfortable in testing and supporting the configuration yourself.
An example of doing this is in the following post: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite
In particular, look at item 3 in this post under the heading "Configuring agents to gather details of files with a specified name". This provides a SQL script that can be used to configure a setting value in the compliance database which will be deployed to agents through policy. The example given in that post is for the setting named "CTrackerIncludeFile", but in your situation you would want to use the setting name "CCommonCheckServerCertificate" and value "False".
For example:
[... Other parts of the script from the post referenced above ...]
EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
@KeyName = 'CCommonCheckServerCertificate',
@BeaconTargetID = @btid,
@Value = 'false'
[... Other parts of the script from the post referenced above ...]
Note that while I'm hopeful this would work for you, you should test it to make sure - not all agent preferences can be set in this way.
Of course, be aware that any agents which are currently unable to download policy from a beacon because they cannot verify the server certificate will not receive an update through this approach.
The other thing to consider is that setting CheckServerCertificate to "false" to mean you lose any security benefit of having the agents having confidence about the server's identity which you would normally get when using the HTTPS communications protocol.
Dec 27, 2023 06:11 PM
Once the agent is installed, this setting is established in the Windows registry, or in the case of Linux, in the pseudo-registry config.ini.
There doesn't appear to be a way to change it through a Flexera policy setting.
For Windows, you can change it through a change to the registry which you could push out through SCCM. The change can be made for every aspect of the agent or for specific agent components.
[Registry]\ManageSoft\Common or [Registry]\ManageSoft\<Component>\CurrentVersion where <Component> is the registry key for an individual component.
In the registry, the value name would be CheckServerCertificate and the value data would be false.
For Linux, you would need to push out a script that makes a change to the config.ini file. This script should do that:
#!/bin/sh
# This file contains a customization to the FlexNet Inventory Agent which
# turns off SSL certificate checking. If you want to turn it back on,
# set CheckServerCertificate=true.
cat <<EOF >/tmp/mgsconfig.ini
[ManageSoft\Common]
CheckServerCertificate=false
EOF
/opt/managesoft/bin/mgsconfig -i /tmp/mgsconfig.ini
rm /tmp/mgsconfig.ini
Info on CheckServerCertificate.
Hope this helps.
--Mark
Dec 27, 2023 11:11 AM
The short answer is that there is no supported or documented way of setting agent preferences like this through policy.
However the longer answer is that there is an undocumented/unsupported approach that may work for you. You could explore this if you are comfortable in testing and supporting the configuration yourself.
An example of doing this is in the following post: Finding installations of Apache Log4j (or other) files on computers with FlexNet Manager Suite
In particular, look at item 3 in this post under the heading "Configuring agents to gather details of files with a specified name". This provides a SQL script that can be used to configure a setting value in the compliance database which will be deployed to agents through policy. The example given in that post is for the setting named "CTrackerIncludeFile", but in your situation you would want to use the setting name "CCommonCheckServerCertificate" and value "False".
For example:
[... Other parts of the script from the post referenced above ...]
EXEC dbo.BeaconTargetPropertyValuePutByKeyNameBeaconTargetID
@KeyName = 'CCommonCheckServerCertificate',
@BeaconTargetID = @btid,
@Value = 'false'
[... Other parts of the script from the post referenced above ...]
Note that while I'm hopeful this would work for you, you should test it to make sure - not all agent preferences can be set in this way.
Of course, be aware that any agents which are currently unable to download policy from a beacon because they cannot verify the server certificate will not receive an update through this approach.
The other thing to consider is that setting CheckServerCertificate to "false" to mean you lose any security benefit of having the agents having confidence about the server's identity which you would normally get when using the HTTPS communications protocol.
Dec 27, 2023 06:11 PM
@mfeinman thanks for the reply , but i could recall that i did something like this few years before, where i needed to to change the reg settings of connected devices via policy.
@ChrisG thanks a lot for the comments, the step i was expecting is the same you described.
i need more information about the keyName, will check at support ticket.
Dec 29, 2023 08:47 AM - edited Dec 29, 2023 08:48 AM