KACE Newbie’s FAQs

You may be wondering how easy it is to use the UltraVNC Wizard configuration policy. Well, I have spent the past few days messing with it so that it’s configurable for my environment.

In a nutshell, the wizard will rarely be enough to deploy as is from the KACE wizard result. At the end of my testing, I ended replacing absolutely every component in UltraVNC to get it to work correctly.

A word of warning though, as popular as UltraVNC is, and as large a community it has… it still is lacking the consistency in operation. I have gotten 90% of it to work fairly consistently with PCs as well as Macs, and have it all working fairly well with KACE.

For my purposes, I decided that if I were to be creating the MSIs and everything customized, then I might as well use Dameware for remote control, (which we already own), and do away with the challenges of UltraVNC.

If you are in the UltraVNC crowd, and are really wanting to deploy that, please check out the UltraVNC deployment guide that I created. It will have all the steps as well as all the scripts that I have written to accomplish the task.

Since I invested the time in research, even though I haven’t used it; perhaps someone would find it useful.

Posted in: KACE Frequently Asked Questions

Deploying the agent to a workstation will only push that agent once, and will not reinstall it if repushed again. This is good to know, because if agent installs partially fail within an agent deployment, restarting the job will actually restart it on 100% of the workstations, regardless of whether they had succeeded before. Do not worry, as the agent installer has a mechanism to check for an existing agent. Note, however, that the same does not apply to other scripts. see the question about that in this FAQ.

For agent updates, you would have to use the KACE Agent Update section under Settings/KBOX Agents.

Posted in: KACE Frequently Asked Questions

The short answer to this is YES.

I call the KACE appliance a WYSIWIG appliance. The scripting section is actually as a flexible as you make it to be. If you wrote a script that does not perform any checks before installing, then the script will run and perform whatever the script is written to do, every time it is run.

so, when writing scripts, always make sure to populate your “Verify” section before the “On Success” section.

A quick example for the the UltraVNC installer would probably explain it well. The packaged wizard driven script package within the KACE box does a good job creating the installer and the dependencies for UltraVNC. What it does not do, however, is create a check before installing. That means that if the installer is pushed to 20 machine, and 10 succeeded, then you run the script again, the installer is going to run again, even on the machines that did succeed.

To fix this problem this in this case, there are many solutions, but, the one I decided to use was to verify that the version of the file is less than <version ###> . This served double duty: as long as the file is less than that version, then VNC will not install; the second reason is that it would be very easy now to trigger an update on VNC by changing that version to the next one up, and re-running it, thereby, detecting the need for an upgrade and performing it.

Posted in: KACE Frequently Asked Questions

On this one, there’s some good news, and there’s some bad news.

The bad news is that, so far, I have not been able to successfully create a smart label with a REGEX query. Even after talking with support, their answer was mostly directing me to tweak the SQL queries. Since the GUI is completely inadequate for writing anything remotely complex, REGEX would’ve been the next best choice to minimize the verbosity of the query.

At this point, I am resorting to 2 methods: wild cards with the “LIKE” operator (that is the same as using the “contain” operator in the GUI)

To create a query that is a little bit more flexible than a static query, we can do the following to create a smart label for a subnet (in the GUI):

MACHINE.IP contains 192.168.1.%

You can add up to 4 of these statements in the GUI. Unfortunately, to add more, you have to jump to the query itself.
This is where my challenge was initially. You see the internal query wizard seem to add quite a bit of information and complexity to a query that doesn’t really need to be that complex.

Note: before continuing, I want to mention that the following applied in my environment as I have only one Organization setup in my case (which I suspect is most people’s case anyway); so if you have more than one organization, this query may not work as expected.

If you take a Smart Label as is, it will look something like this:

SELECT *, UNIX_TIMESTAMP(now()) - UNIX_TIMESTAMP(LAST_SYNC) as LAST_SYNC_TIME,
  UNIX_TIMESTAMP(MACHINE.LAST_SYNC) as LAST_SYNC_SECONDS
FROM ORG1.MACHINE>
  LEFT JOIN KBSYS.KUID_ORGANIZATION ON KUID_ORGANIZATION.KUID=MACHINE.KUID
  LEFT JOIN KBSYS.SMMP_CONNECTION ON SMMP_CONNECTION.KUID = MACHINE.KUID

  AND KUID_ORGANIZATION.ORGANIZATION_ID = 1
WHERE ((  (1 in (select 1 from ORG1.MACHINE M2 where M2.ID = MACHINE.ID
  and M2.IP like '%10.40.55.%%'
  union select 1 from ORG1.MACHINE_NICS where MACHINE.ID = MACHINE_NICS.ID
  and MACHINE_NICS.IP like '%10.40.55.%%')) ))

This is quite a convoluted SQL query, and for some reason go back into the KBSYS database, which, as far as I can tell, doesn’t really do anything for the purposes of the smart label. So, the syntax that I used seemed so much simpler, yet produced the same exact results as the complex query. Here’s the same query with the simple syntax:

SELECT *, UNIX_TIMESTAMP(now()) - UNIX_TIMESTAMP(LAST_SYNC) as LAST_SYNC_TIME,
    UNIX_TIMESTAMP(MACHINE.LAST_SYNC) as LAST_SYNC_SECONDS
FROM ORG1.MACHINE
WHERE     (MACHINE.IP LIKE '10.40.55.%')

from here one out, you can add or remove whatever arguments to the query, while being fairly confident of the results.

Posted in: KACE Frequently Asked Questions

I’ll try to keep this short and to the point. VNC on Macs will only work –almost– out of the box from KACE on 10.5.x and up. 10.4.x does not have  (AFAIK) a VNC server built in, and therefore, the commands being run will not enable VNC, but will fail.

That said, you need to also make sure that the Agent was somehow installed on your Macs. In order to do this remotely, you would have manually turn on Remote Login, or turn on SSH, so that the agent be pushed. Some would argue, that if we’re going to have to touch the workstation anyway, we might as well install VNC while we’re at it. that’s a personal choice. For me, it’s faster to just enable remote login, and then push as many packages as I want to a bulk number of machines as opposed wasting a couple extra minutes on each workstation to install VNC on it.

So, assuming that the agent is installed, from my experience, I found out that the original steps that are in the Enable VNC Mac Setting in the KACE box will not always work, and will return a “Version Incompatible”  error when attempting to connect, even though all the visuals for setting up access are there.  (i.e: Remote Management is Enabled, and the VNC Viewer password is populated.)

In researching this, I found out that when changing the VNC password in the GUI, the Mac Keychain admin password is required, which would partly explain why the command lines within the KACE script, as written, don’t work.

Now, the next step, I can’t fully explain, but I proved it to work correctly, and that is, to enabled Remote Login. It sounds a bit ironic to remotely enable Remote Login; However, the advantage in having the KACE Agent on the Mac already, will allow you to run this command from within the workstation, and therefore bypassing a remote login.

To enable this, you would essentially need to turn on the SSH server using the launctl command, like so:

/bin/launchctl load -w /System/Library/LaunchDaemons/ssh.plist

You can just add this line as a “Launch Program…” action in the KACE “Enable VNC Settings” Script.

For your convenience, here’s the link to the KACE kpkg of that script and the XML version (you might want to right click and save that one) , so that you can import it to your KACE box

Posted in: KACE Frequently Asked Questions

The problem with the limited KACE storage that I was seeing has led me to do some more investigation to use the Alternate Download Location to install 3rd party packages.

Anyone may even want to do that for any packages that exceed a couple hundred megabytes.

As I was trying to get this setup, I have ran into problems trying to get the configurations right. After about 5 hours on the phone with L3 support, we got it squared away, and got the alternate download locations to work correctly.  The following is information that either only exists in random KBs on the KACE support website, or simply does not exist at all, and needs to be learned with trial and error. I will try to keep the explanations at a minimum, and rather point out the correct formatting of the fields which seem to be minimally documented.

In this article, I will go through the instructions of installing the Windows Live Movie Maker,  just because this is what I was working on at the time of troubleshooting. So here goes.

Note that the items that are in italic are the gotchas. So pay close attention to those.

• The first thing you need to do for a package is to install it on a workstation that has the KACE agent on it, and then run an inventory, so that this software package shows up in the Software Inventory on your KBOX
• If you were creating a normal package with an associated file, you would do this, but it probably won’t occur to you  that you would still need to associate a file with the inventory, even though it is of a 0 byte size. After all, I’m assuming you’re doing the Alternate Location Download method, specifically to avoid having to upload a full file up to the KBOX.
  The file that you need to associate has to match exactly the name of the file that you are calling in your Alternate Download Location. So, in this case, our EXE file is called wlsetup-all.exe
  KACE has a KB article on this: http://www.kace.com/support/kb/index.php?action=artikel&cat=4&id=694&artlang=en
  You can do this in multiple ways. I usually just open up a command prompt, and type: 

  copy /y NUL wlsetup-all.exe

  Or you can simply open up notepad with a new file, and save it without anything in there.
  

• Next, go to Inventory -> Software and search for that software package, then click on it.
• Now go ahead and associate that 0 byte file with the software inventory item
  At this point, you are ready to create the software distribution package. Below is a screenshot of the Managed Installation, followed by an explanation of the fields
• Now we’ll go through these settings:
• Software: Pick the software package from the Inventory, which you want to install. In this case, “Windows Live Movie Maker 15.4″
• Upload & Associate New File: Leave that blank, because we’re installing from an Alternate Download Location.
• Installation Command:This one was confusing for me. The only time where you would use the “Configure Manually” option, is if you are uploading a zip file to the KBOX. (the KBOX can automatically recognize zip files, and extract them). In this case, you would run the command that you would want to run after the zip file has been extracted. i.e: wlsetup-all.exe /q .
  In our case, however, we just need the default line, because we’re running an exe. Since this is an Alternate Download Location scenario, you do not need to enter the path to the exe, but rather, just the arguments of the command. In this case, it would be only: /q /NoLaunch /NoToolbarCEIP /NoHomepage /NoSearch /AppSelect:MovieMaker
• Delete Downloaded Files: This option will delete the source installation file after the task has been done. I usually check this.
• Use Alternate Download Location: In this field you need the full path to the application executable. If you had chosen to configure manually, this would be the full path to the zip file. Those will include the executable or the zip file. i.e: \\servername\install$\wlsetup-all.exe or \\servername\\install$\wlsetup-all.zip
• Alternate Checksum: Now this one could be confusing, because you may not be sure which checksum to get. what you need is the full file’s checksum, the one on your network share, and not the one that was 0 bytes.
  To get the checksum there are tons of utilities, but if you are using the kbox, you can easily run: C:\Program Files\KACE\KBOX\kboxclient.exe -hash=\\path\to\file.exe
  Checksum comparison IS case sensitive, so if your checksum utility returns the MD5 hash in all caps, make sure to convert it to lower case, or the checksum will fail.
  
• Alternate Download User: If you are on an AD domain, the user should include the domain prefix i.e: DOMAIN\user. If you don’t include it, the authentication will fail.
• Alternate Download Password: The password for the share. Remember, that this password is using the unix smbclient to connect to a Windows Samba share, so some of the limitations would apply regarding special characters in passwords, etc… KACE has a KB article on this: http://www.kace.com/support/kb/index.php?action=artikel&cat=5&id=987&artlang=en
  In my opinion, the article states all special characters disallowed from the password, though, I tend to be convinced that only certain special characters would not be allowed, more specifically the “@” and the “:” , as these are contained within the SMBclient string, and would conflict with that command line. My password had a “$” in it, and authenticated without a problem. So, take that article with a grain of salt, and make sure you experiment with a very simple password first, to make sure that the credentials aren’t the very variable that are causing your file copy to fail.

The rest of the settings are fairly self explanatory.

Some additional items that may be helpful as you’re troubleshooting the issue:

• You can enable debugging on the agent:
  Add: 

  debug=true
  Agent 5.1: C:\Program Files\KACE\KBOX\SMMP.conf
  OR
  Agent 5.1: C:\ProgramData\Dell\KACE\amp.conf

• and restart the agent

  sc stop kboxsmmp
  sc start kboxsmmp
  or on the 5.2 agent
  sc stop ampagent
  sc start ampagent

• When you restart you can examine the logs:
  On the 5.1 agent:
  C:\Program Files\KACE\KBOX\debug.log
  On the 5.2 agent:
  C:\ProgramData\Dell\KACE\kdeploy.log

Posted in: KACE Frequently Asked Questions

The GUI for creating smart labels is clumsy at best.

 It is good for a couple of fields, but if a lot of query parameters are required, then you are forced to go into very intricate SQL syntax to edit additional fields. To add insult to injury, the REGEX function is very hard to get working correctly, which means, that the once could’ve been the saving grace of this limitation is now out the window.

Posted in: KACE (KBOX 1000) Feature Requests

The Smart Labels are great, but they are currently either geared towards the complete noob, where you would use a drop down to select the field, and put in the exact value, or towards the complete expert, which would require the knowledge REGEX, or complex SQL queries.

What would be really nice to have, is something in between, where a simple wild card is leveraged in the GUI, so, in order to find all machine OSs that are a server OS, you could add: Server* , or *Server* , or Server 200?. And have an internal KACE function translate those wildcards into MySQL REGEX that the user doesn’t necessarily need to master in order to get a wild card statement.

Posted in: KACE (KBOX 1000) Feature Requests

This is a really annoying problem with smart labels. When a smart label is in the process of being created, there is a button that says: “Test Smart Label”

Posted in: KACE (KBOX 1000) Feature Requests

After a Smart Label is created, there is no way to re-edit it in the GUI. Unfortunately, the SQL code it is also very complex for the regular user, which means that everytime you would want to make a change to a smart label, you have to remember the GUI paremeters that you had initially entered, or go back into the SQL code, and reverse engineer it, to figure out what the GUI fields should be filled with.

Posted in: KACE (KBOX 1000) Feature Requests

REGEX expressions are a beautiful thing, and would probably even allow me to overlook some of the other feature requests…. wait for it… IF they work as expected.

If you take a regular expression that you know works outside of KACE, and put it in the REGEX field, it simply won’t work. If there is a REGEX functionality in case, it needs to work with regular REGEX without any additional tweaking. Enough said!

Posted in: KACE (KBOX 1000) Feature Requests