
Can policy pull of .exe files from Flexera be disabled?

Hello,

We are attempting to roll out the Flexera agent to items in our high-security area.  There is a child beacon in the secure environment which calls to a parent beacon in our normal LRD.  The high security area team was curious as to whether the policy pull which is used to update the agent can be disabled.  Specifically, the concern is the child beacon can pull .exe files into the secure environment which poses potential risk. 

Is there a way we can disable the policy update process the agent uses to prevent this, and still receive inventory?  Thanks!

(4) Replies
tjohnson1
By Technical Writer

You could use the inventory scanner (https://docs.flexera.com/fnms/EN/GatherFNInv/index.html#SysRef/FlexNetInventoryAgent/topics/FIS-ChapIntro.html) instead of installing the agent. The scanner does not download policy from a beacon.

For the full agent, if you delete the DownloadSetting records (https://docs.flexera.com/fnms/EN/GatherFNInv/index.html#SysRef/FlexNetInventoryAgent/topics/PMD-DownloadSettings.html) in the agent config (https://docs.flexera.com/fnms/EN/GatherFNInv/index.html#SysRef/FlexNetInventoryAgent/topics/Gloss-Registry.html) it will no longer be able to download policy. You can then set the agent preferences (https://docs.flexera.com/fnms/EN/GatherFNInv/index.html#SysRef/FlexNetInventoryAgent/topics/PMD-ChIntro.html) to whatever you want and they will not be overwritten via policy.

Thanks for the info; we think the inventory scanner will be too sparse for what our needs in that space are.

For the agent, we would be rolling it out to many devices.  Are there any values in the config files that are of special importance to prevent receiving the .exe upgrade files from the beacon other than DownloadSetting?  Or any other config values which would be important to include/exclude for accomplishing this goal?

As far as I'm aware, the policy is what helps the agent report inventory on a schedule.  I guess I am a little confused as to how inventory would keep being reported in the second scenario you described.  Would the policy still be on the device, but we can modify entries in the agent config file which prevent the download of these .exe files from the beacon?

You are correct that the policy download includes the schedule. There are no settings to only download a schedule and nothing else.

You would want to clear the DownloadSettings after the agent is installed and has downloaded policy. You could also leave the bootstrap download beacon empty and deploy a custom schedule (step 6: https://docs.flexera.com/fnms/EN/InvAdapConn/index.html#adapters/AWS/tasks/ScheduleShortLifeInstance.html). More information on schedules can be found in the following doc: https://docs.flexera.com/fnms/EN/GatherFNInv/index.html#SysRef/FlexNetInventoryAgent/topics/FIA-NDSFormat.html 

With that said, the only time the agent will download an EXE is if you have enabled automatic upgrades of the agent for Windows in the Flexera One UI (https://docs.flexera.com/flexera/EN/ITAssets/InvSet-AgentInvAutoDeploy.htm). 

This is great clarification, thank you.... I was also wondering if any .exe files are ever downloaded on the beacon from Flexera when communicating with the server?  Since the beacon is on a server in this high security environment we also want to limit the ability to pull in executables there.  If there are, what options are there toward disabling this capability?

We looked into it a little and noticed that one of our beacons in our normal environment had automatically acquired the packages for the latest versions of the agent on each OS (screenshot below).  Is there a way to disable the Beacon's ability to acquire things like this which may contain executables, even if in a compressed format or default package such as that?