apm policy agent endpoint-check-software¶

apm policy agent endpoint-check-software(1) BIG-IP TMSH Manual apm policy agent endpoint-check-software(1)

NAME
endpoint-check-software - Manages an Endpoint Software Check agent.

MODULE
apm policy agent

SYNTAX
Configure the endpoint-check-software component within the apm policy agent module using the following syntax.

edit endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties

DISPLAY
list endpoint-check-software
list endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
show running-config endpoint-check-software
show running-config endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
options:
all
all-properties
app-service
current-module
non-default-properties
one-line
partition

DELETE
delete endpoint-check-software ([name] | all)

DESCRIPTION
Endpoint security is a centrally-managed method of monitoring and maintaining client-system security. You can use the
endpoint-check-software component to create and manage an agent that enforces monitoring of various client-system security
third party software. Different types of third party software supported are described below in options.

The configuration attributes in the items option are generic and therefore for a given software type only certain items
attributes are useful, rest of the attributes are ignored even if they are configured. For example: for type=peer-to-peer
only vendor_id, product_id, state and version are considered and rest of the items like db-age, db-version etc are ignored.
Following is the list of useful attributes corresponding to the software type:

Common to all software type:
vendor_id, product_id, version, platform, state

antivirus & antispyware:
db-age, db-version, last-scan

patch-management:
missing-updates

EXAMPLES
create endpoint-check-software MyEndpointWCagent items state enabled add
Creates the Endpoint Check Software agent named MyEndpointWCagent, which verifies that the specified third party
software on the client is compliant with system administrators configuration, which my just check for the installation
or monitor the state of the software

list endpoint-check-software
Displays a list of Endpoint Software Check agents.

delete endpoint-check-software MyEndpointWCagent
Deletes the Endpoint Software Check agent named MyEndpointWCagent.

OPTIONS
items
Adds items to or deletes items from an Endpoint Software Check agent. You can specify the following attributes for
the software:

check-list-type Specifies how the list of software should be checked
required:
Client is required to have at least one of the software configured in the list in order to pass the access
policy. And that software should satisfy all the configuration fields e.g. state, version etc.

allow: Client is allowed to have any of the software configured in the list but NOT any other than that, in order
to pass the access policy. List is treated as whitelist. A given client software will not match unless it
satisfies all the configuration fields (e.g. state, version etc). NOTE: The check will also be successful if
client has no software installed at all. List of software is treated as whitelist.

deny: Client should NOT have any software configured in the list in order to pass the access policy. And that
software should satisfy all the configuration fields (e.g. state, version etc). NOTE: The check will also be
successful if client has no software installed at all. List of software is treated as blacklist.

db-age
Specifies the maximum age of the anti-virus/anti-spyware database that you want an Endpoint Software Check agent
to verify the presence of on the client in order to allow the access policy to pass.

db-version
Specifies the version of the anti-virus/anti-spyware database that you want an Endpoint Software Check agent to
verify the presence of on the client in order to allow the access policy to pass.

product_id
Specifies the product ID of the software that you want an Endpoint Software Check agent to verify the presence of
on the client in order to allow the access policy to pass.

vendor_id
Specifies the vendor ID of the software that you want an Endpoint Software Check agent to verify the presence of
on the client in order to allow the access policy to pass.

NOTE: If none of the vendor id or product id is defined then check is performed for any of the software of given
type If both vendor id and product id are configured then, product id is ignored and only vendor id is
considered. Vendor ID always takes precedence. A vendor can have many products. Each product (of every vendor)
has unique ID assigned to them. Similarly, every vendor is assigned a unique ID too which is separate from
product ID. If you want to check every software from a vendor then specify vendor_id only.

state
State means different things to different software type. The state can be enabled, disabled or unspecified. The
default is unspecified.

antivirus and antispyware:
When the state is set to enabled or disabled, agent verifies that the specified antivirus/antispyware
software has real time protection enabled or disabled on the client that is attempting to connect. When state is
unspecified, it ignores the state.

patch-management:
When the state is set to enabled, agent verifies that the specified PM software is running on the client
that is attempting to connect. When its set to unspecified, state of the software is ignored.

firewall:
When the state is enabled or disabled, agent verifies that the specified firewall software has real
time protection enabled or disabled on the client that is attempting to connect. When state is unspecified, the
software state is ignored.

peer-to-peer:
When the state is set to enabled agent verifies that the peer-to-peer software is running on the client
that is attempting to connect. When state is unspecified, the agent only verifies that the software is installed
or not.

hard-disk-encryption:
When the state is set to enabled agent verifies that all disk volumes are encrypted on the client that
is attempting to connect. When the state is set to disabled agent verifies that system disk volume is encrypted
on the client that is attempting to connect. When state is unspecified, the agent only verifies that the software
is installed or not.

health-agent:
When the state is set to enabled agent verifies that endpoint client is compliant with the health policy
set out by the site administrator.

version
Specifies the version of the software that you want an Endpoint Software Check agent to verify the presence of on
the client in order to allow the access policy to pass.

last-scan
Specifies the maximum allowed duration without the full system scan of endpoint client that software agent can
accept in order to allow the access policy to pass. It is specified in number of days.

missingupdates
Specifies the maximum number of allowed missing critical updates of the PM software at the endpoint client in
order to allow the access policy to pass. Leave blank to ignore number of missing critical updates. Specify 0 to
make sure endpoint client is up-to-date

platform
Specifies the platform. It could be any of the following: windows, linux, mac or any. The default is any.

type Its the type of the third party software to be monitored on the client system. It could be any of the following:
antivirus, firewall, patch-management, antispyware, peer-to-peer, hard-disk-encryption, health-agent

collect
This setting is ignored.

continuous-check
Continuously check the items, and end the session if the result changes. The default is false.

[name]
Specifies the name of an Endpoint Software Check agent. This option is required.

partition
Displays the partition within which the component resides.

SEE ALSO
apm policy agent endpoint-linux-check-file, apm policy agent endpoint-linux-check-process, apm policy agent endpoint-mac-
check-file, apm policy agent endpoint-mac-check-process, apm policy agent endpoint-windows-browser-cache-cleaner, apm
policy agent endpoint-windows-check-file, apm policy agent endpoint-check-machine-cert, apm policy agent endpoint-windows-
check-process, apm policy agent endpoint-windows-check-registry, apm policy agent endpoint-windows-group-policy, apm policy
agent endpoint-windows-info-os, apm policy agent endpoint-machine-info, apm policy agent endpoint-windows-protected-
workspace

COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.

BIG-IP 2015-07-22 apm policy agent endpoint-check-software(1)