Agent based Scanning for Fresh SDP installations

With the ServiceDesk Plus 11300 release, agent-based scanning for Windows, Linux, and Mac machines is introduced. This feature is provided by ManageEngine Endpoint Central (formerly Desktop Central). So, all customers from builds above SDP 11300 must deploy ME Endpoint Central (formerly Desktop Central) for scanning Windows, Linux, and Mac machines in their environment. They will also need Endpoint Central agents installed in a remote machine.

Note for customers already using any other UEMS products other than ME Endpoint Central
 

If any of the following ME products are installed and used in your environment, we recommend you contact our support before proceeding with this installation for configuring changes in asset inventory.

 

  1. Patch Manager Plus On-Premise/Cloud

  2. Remote Access Plus On-Premise/Cloud

  3. Device Control Plus

  4. Vulnerability Manager Plus

  5. Patch Manager Plus Cloud

  6. Endpoint Central (formerly Desktop Central) Cloud

 

About Endpoint Central

Endpoint Central (formerly Desktop Central) is a robust unified endpoint management system. It comprises features like Patch Management, Software Deployment, Endpoint security, OS imaging, and deployment, etc. Agents from Endpoint Central improve ServiceDesk Plus' asset scanning functionality by fetching complete hardware details during the scan as well as maintaining the uniformity of data fetched across Windows, Linux, and Mac machines. Endpoint Central agent integration also avoids the need to have two agents for users who already have integration between ServiceDesk Plus and Endpoint Central.

Features from Endpoint Central for fresh customers of SDP

i. Agent-based inventory of Windows, Mac, and Linux machines

ii. Warranty information for devices

iii. Auto upgrade of agents to newer versions

Other features from Endpoint Central for fresh customers of SDP with UEM Remote Access Plus Add on

i). Chat *

ii). Remote control Windows, Mac, and Linix machines.

iii). Wake-on-LAN *

iv). Announcement (supported in ServiceDesk Plus and not supported in AssetExplorer) *

v). System manager *

 


Prerequisites for Endpoint Central (formerly Desktop Central) installation

Endpoint Central (formerly Desktop Central) can only be installed on a Windows machine. If SDP is installed on a Linux machine, then Endpoint Central (formerly Desktop Central) has to be installed manually on another Windows machine and integrated with SDP under Admin >> Integrations >> Endpoint Central (formerly Desktop Central). As Endpoint Central (formerly Desktop Central) is installed within the SDP folder, a minimum of 1 GB of free space is required.
If Endpoint Central (formerly Desktop Central) is purchased separately, please refer here for detailed hardware requirements based on the number of assets purchased. 


Ports used in Endpoint Central (formerly Desktop Central)

Server

Port

Purpose

Type

Connection

8383

For communication between the agent and the Endpoint Central (formerly Desktop Central) server

 

Source: Agent

 

Destination: Endpoint Central (formerly Desktop Central) server

 

HTTPS

In bound to server

8027

The notification server port is responsible for communicating on-demand operations from the server to the agent.

Source: Agent

Destination: Endpoint Central (formerly Desktop Central) server
TCP

In bound to server

Tools and Remote Control

Port

Purpose

Type

Connection

8444

For Sharing remote desktops, System Manager, Chat, and transferring files

Source: Agent

Destination: Endpoint Central (formerly Desktop Central) server

HTTP

In bound to server

8443

For Sharing Remote Desktops, System Manager, Chat, and transferring files

Source: Agent

Destination: Endpoint Central (formerly Desktop Central) server

HTTPS/UDP (for voice & video chat)

In bound to server

Database supported by Endpoint Central (formerly Desktop Central)

By default, Endpoint Central (formerly Desktop Central) gets installed with bundled PGSQL. Endpoint Central (formerly Desktop Central) also supports MSSQL. Please check here for MSSQL versions supported by Endpoint Central (formerly Desktop Central).
Click here for detailed steps for moving Endpoint Central (formerly Desktop Central) to MSSQL.


OS supported by Endpoint Central (formerly Desktop Central) agents

Endpoint Central (formerly Desktop Central) agents can be installed on machines with the following OS

Windows OS
  • Windows 11
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Vista
  • Windows XP
     
Windows Server OS
 
  • Windows server 2019
  • Windows server 2016
  • Windows server 2012 R2
  • Windows server 2012
  • Windows server 2008 R2
  • Windows server 2008
  • Windows server 2003 R2
  • Windows server 2003
     
Mac
 
  • 10.7 Lion
  • 10.8 Mountain Lion
  • 10.9 Mavericks
  • 10.10 Yosemite
  • 10.11 El Capitan
  • 10.12 Sierra
  • 10.13 High Sierra
  • 10.14 Mojave
  • 10.15 Catalina
  • 11.0 Big Sur
     
Linux
 
  • Ubuntu 10.04 and later versions
  • RedHat Enterprise Linux 6 and later versions
  • CentOS 6 and later versions
  • Fedora  19 and later versions
  • Mandriva 2010  and later versions
  • Debian 7 and later versions
  • Linux Mint 13 and later versions
  • Open SuSe 11 and later versions
  • Suse Enterprise Linux 11 and later versions
  • Pardus 17, and 19
  • Oracle Linux Server 6, 7, and 8

Agent - Server communication in Endpoint Central (formerly Desktop Central)

Operations such as scanning a device, taking remote control of a device or tools action from AE is performed in the remote machines through Endpoint Central (formerly Desktop Central) server and Desktop Central agents.

The Endpoint Central (formerly Desktop Central) agent communicates with the Endpoint Central (formerly Desktop Central) server immediately after its installation in the remote machine and posts the inventory data. The Endpoint Central (formerly Desktop Central) agent communicates with the Endpoint Central (formerly Desktop Central) server through HTTPS during system startup and every 90 minutes thereafter till the system is shut down, gets the actions to be performed in the remote machine, and executes it. This 90 minutes policy is majorly used for any asynchronous operations like schedule scan, any agent configuration changes, etc.

Endpoint Central (formerly Desktop Central) agents also establish a session with the Endpoint Central (formerly Desktop Central) server through TCP for getting notified for actions that have to be executed on demand like Scan Now or remote control.

Is agent server communication secure?

By default, the Agent-Server communication will happen through HTTPS (Encrypted) communication. These steps enforce trusted HTTPS communication between agent and server. These configurations can be enabled under Agent security settings

Enable certificate-based authentication for agent-server communication

Enabling this option would have the agent-server communication with client certificate authentication. Enabling this option in AE would in turn enable this setting in Endpoint Central (formerly Desktop Central) too. Click here for more details on the procedure.

Enable agent-server trusted communication

Before enabling this setting, it is required that a valid third-party SSL certificate is applied in Endpoint Central (formerly Desktop Central). Click here for steps to configure SSL certificate in Endpoint Central (formerly Desktop Central), this has to be done only from the Endpoint Central (formerly Desktop Central) console.

Note: Once this setting is enabled it cannot be disabled again as the agents will fail to communicate with the server again.

Enabling this setting would enable it in Endpoint Central (formerly Desktop Central) too and have the agent-server communication to be trusted. Click here for a detailed procedure.

Agent resource utilization

All the below data are predicted from a single agent machine. Disk space will be consumed up to 1GB (approximately) from the agent installed drive.

 

Agent Process

Running application name

Bandwidth consumption(approximately)

CPU consumption(approximately)

Memory (RAM) consumption (approximately)

At Agent Idle state

dcagentservice.exedcondemand.exedcagenttrayicon.exe(Running separateapplication for eachlogged on user)(For windows andMac)[ Above 3 are everrunning processes ]

1 Kbps

0-2%

11 MB

Refresh policy(90 mins once -without any deployment)

dcconfig.exe

4KB

0-2%

6MB

Inventory scan(At Scheduled time in server)

dcinventory.exe

2MB

17-20%

14MB

Agent Upgrade(Applying PPMand If agentversionchanges)

dcconfig.exe

AgentUpgrader.exe

20MB

2-5%

3MB

 

 

 

 

 

 

Steps for Deploying the DC agents

Step 1: Downloading and installation of Endpoint Central (formerly Desktop Central)

ManageEngine Endpoint Central (formerly Desktop Central), as discussed above, requires a separate installation. Endpoint Central (formerly Desktop Central) gets installed in the same folder where SDP is installed. Endpoint Central (formerly Desktop Central) gets started and stopped as and when SDP is started or stopped. Pre-requisites for installation of Endpoint Central (formerly Desktop Central) and ports used by Endpoint Central (formerly Desktop Central) are mentioned above in this document.
Endpoint Central (formerly Desktop Central) gets installed with PGSQL as the default database. Click here for detailed steps for moving Endpoint Central (formerly Desktop Central) to MSSQL.

Silent Installation


Endpoint Central (formerly Desktop Central) can be silently downloaded and installed with a click of a button from Admin > Agent Configuration. For downloading DC, access to the internet would be required from the server machine. When Endpoint Central (formerly Desktop Central) gets installed successfully, SDP is informed about the successful installation and agents will be available for download with SDP.

Manual Installation


If internet connectivity is not available from the server machine or if it takes more than 90 minutes for the Endpoint Central (formerly Desktop Central) to get successfully installed, then the process will be timed out accordingly and a prompt for manual installation of Endpoint Central (formerly Desktop Central) will be shown. In the case of manual installation, the product can be downloaded (in EXE format) and installed.

  2021_12_29_08_43_142

Installing Endpoint Central (formerly Desktop Central) if the SDP server runs on Linux OS


Endpoint Central (formerly Desktop Central) can only be installed on a Windows machine. So, if the AE server runs on Linux, clicking on "Download and Install" from the Agent Configuration page will prompt a download link. Endpoint Central (formerly Desktop Central) can be downloaded (in EXE format) and installed on a separate Windows machine. Here, auto integration of SDP and Endpoint Central (formerly Desktop Central) would not happen and so integrating Endpoint Central (formerly Desktop Central) into SDP has to be done from under Admin > Endpoint Central (formerly Desktop Central) Settings.

2021_12_29_08_43_143


Step 2: Configuring the Agent settings

Before downloading the agents and deploying them on the machines, it would be appropriate to configure certain agent settings so that these configurations are bundled into the agents. These settings can be configured from under Admin > Agent configurations.

 

NAT configuration for scanning roaming user devices

 

Certain users in the organization will be traveling periodically and their laptops may not be available in the corporate network for scanning. In order to scan such laptops which have the agent installed, public IP has to be configured for agents in these devices to reach the Desktop Central server. Click here for more details on how to configure public IP for scanning.
Click here for more details on how to configure public IP for scanning.


Endpoint Central (formerly Desktop Central) Agent - Endpoint Central (formerly Desktop Central) Server secure communication

 

By default, the Agent-Server communication will happen through HTTPS (Encrypted) communication. These steps enforce trusted HTTPS communication between agent and server. These configurations can be enabled under Agent security settings.

 

Enable certificate-based authentication for agent-server communication

Enabling this option would have the agent-server communication with client certificate authentication. Enabling this option in AE would in turn enable this setting in Endpoint Central (formerly Desktop Central) too. Click here for more details on the procedure.

Enable agent-server trusted communication

Before enabling this setting, it is required that a valid third-party SSL certificate is applied in Endpoint Central (formerly Desktop Central). Click here for steps to configure SSL certificate in Endpoint Central (formerly Desktop Central), this has to be done only from the Endpoint Central (formerly Desktop Central) console.

 

Note: Once this setting is enabled, it cannot be disabled again as the agents will fail to communicate with the server again.

Enabling this setting would enable it in Endpoint Central (formerly Desktop Central) too and have the agent-server communication to be trusted. Click here for the detailed procedure.


Step 3: Ensure ports used by Endpoint Central (formerly Desktop Central) are open

The ports used by Endpoint Central (formerly Desktop Central) are mentioned above in the document. All the ports are inbound to the server and would be used by the agents residing in the remote client machines to reach the server. These ports have to be opened up in the firewall where ever required.


Step 4: Downloading Endpoint Central (formerly Desktop Central) agents for Windows, Linux, and Mac machines

Once Endpoint Central (formerly Desktop Central) is successfully installed and integrated with SDP/AE, then Endpoint Central (formerly Desktop Central) agents for Windows, Linux, and Mac will be available for download from Admin > Agent configuration page.


Step 5 : Methods for deploying Endpoint Central (formerly Desktop Central) agents in Windows

Below are the other methods to deploy Windows agents through the Active directory and for machines in a workgroup. To be followed if Step 4 is not performed.

Installing Windows agents using GPO Scheduler (Note: This step will be helpful in WFH environments where the agents get deployed after the users get their laptops connected through VPN in a corporate network.

Installing Windows agents using startup script in ActiveDirectory

Installing Windows agents through GPO lightweight tool

Installing Windows agents for workgroup machines.

Installing Windows agents manually


Step 6: Imaging a Windows computer with a Endpoint Central (formerly Desktop Central) agent

Endpoint Central (formerly Desktop Central) Agent has a unique ID that represents the machine with its name and system details. If more than one Endpoint Central (formerly Desktop Central) Agent is identified with the same ID, the details listed in ServiceDesk Plus will be overwritten. This will end up listing details of only one computer though there are several computers with the same ID. So in order to avoid this issue, follow the steps mentioned below to image a computer with Endpoint Central (formerly Desktop Central) Agent on it.

a). Install Endpoint Central (formerly Desktop Central) Agent on the computer which is to be used for imaging.

b). Download Agent by accessing the Assets module and selecting Download Windows Agent (or) go to Admin > Agent Configuration > Download Windows Agent.

c). Save and Download this script and store it in the system that is supposed to be imaged.
(running this script will block the Endpoint Central (formerly Desktop Central) Agent from communicating with the Endpoint Central (formerly Desktop Central) Server)

d). Rename the .txt file as .vbs file

i. Open the command prompt as administrator and navigate to the folder where the above script is stored.

ii. Execute the script as: cscript.exe dcagentPreImage.vbs
(example : E:Downloads>cscript.exe dcagentPreImage.vbs)

Now your computer is ready to be imaged with Endpoint Central (formerly Desktop Central) Agent, for deployment.
Endpoint Central (formerly Desktop Central) Agent in the newly imaged computers will contact the Endpoint Central (formerly Desktop Central) Server only if they are renamed.


Step 7: Deploying Endpoint Central (formerly Desktop Central) agents in Linux

Below are methods of agent deployment in Linux machines and for imaging a Linux machine

Installing Linux agent using Linux agent installation tool

Installing Linux agent manually

How to image a Linux computer with DC agent


Step 8: Deploying Endpoint Central (formerly Desktop Central) agents in Mac

Below are methods of agent deployment in Mac machines and for imaging a Mac machine

Installing Mac agents using Mac agent installation script

Installing Mac agent manually

How to image a Mac computer with DC agent


Step 9: What if Remote SDP servers are used?

Remote SDP servers are used in WAN environments wherein all the remote machines are not reachable from the central SDP server. From SDP 11.3 version, Endpoint Central (formerly Desktop Central) has to be downloaded and installed in the SDP remote servers for scanning Windows, Linux, and Mac machines. A separate Endpoint Central (formerly Desktop Central) installation would not be required if the Endpoint Central (formerly Desktop Central) agents deployed in the remote sites are reachable with the central SDP server. It is highly recommended not to install Endpoint Central (formerly Desktop Central) in SDP remote servers as remote control and other tools will not work for machines managed in remote servers from the central server, only inventory of these machines would be pushed from the remote server to central servers. Please check here for the ports that need to be configured in the firewall for agent-server communication.


Step 10: Procedure for SDP running with Fail Over Service(FOS) enabled

If FOS is configured for SDP, it will work for Endpoint Central (formerly Desktop Central) too but only if it's installed in the same folder as SDP and that SDP is installed on a Windows machine.

Click here for more details on FOS with Endpoint Central (formerly Desktop Central) installation.