apm policy agent endpoint-check-software
apm policy agent endpoint-checBIG-IapmMpolicyuagent endpoint-check-software(1)
NAME
endpoint-check-software - Manages an Endpoint Software Check agent.
MODULE
apm policy agent
SYNTAX
Configure the endpoint-check-software component within the apm policy
agent module using the following syntax.
CREATE/MODIFY
create endpoint-check-software [name]
modify endpoint-check-software [name]
options:
collect [ true | false ]
continuous-check [ true | false ]
type [ antivirus | firewall | patch-management | antispyware | peer-to-peer | hard-disk-encryption | health-agent ]
check-list-type [ required | allow | deny ]
items [ vendor_id | product_id | state | version | db-age | db-version | last-scan | missing-updates | platform ]
edit endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list endpoint-check-software
list endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
show running-config endpoint-check-software
show running-config endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
options:
all
all-properties
app-service
current-module
non-default-properties
one-line
partition
DELETE
delete endpoint-check-software ([name] | all)
DESCRIPTION
Endpoint security is a centrally-managed method of monitoring and
maintaining client-system security. You can use the endpoint-check-
software component to create and manage an agent that enforces
monitoring of various client-system security third party software.
Different types of third party software supported are described below
in options.
The configuration attributes in the items option are generic and
therefore for a given software type only certain items attributes are
useful, rest of the attributes are ignored even if they are configured.
For example: for type=peer-to-peer only vendor_id, product_id, state
and version are considered and rest of the items like db-age, db-
version etc are ignored. Following is the list of useful attributes
corresponding to the software type:
Common to all software type:
vendor_id, product_id, version, platform, state
antivirus & antispyware:
db-age, db-version, last-scan
patch-management:
missing-updates
EXAMPLES
create endpoint-check-software MyEndpointWCagent items state enabled
add
Creates the Endpoint Check Software agent named MyEndpointWCagent,
which verifies that the specified third party software on the
client is compliant with system administrators configuration,
which my just check for the installation or monitor the state of
the software
list endpoint-check-software
Displays a list of Endpoint Software Check agents.
delete endpoint-check-software MyEndpointWCagent
Deletes the Endpoint Software Check agent named MyEndpointWCagent.
OPTIONS
items
Adds items to or deletes items from an Endpoint Software Check
agent. You can specify the following attributes for the software:
check-list-type Specifies how the list of software should be
checked
required:
Client is required to have at least one of the software
configured in the list in order to pass the access policy.
And that software should satisfy all the configuration fields
e.g. state, version etc.
allow: Client is allowed to have any of the software
configured in the list but NOT any other than that, in order
to pass the access policy. List is treated as whitelist. A
given client software will not match unless it satisfies all
the configuration fields (e.g. state, version etc). NOTE: The
check will also be successful if client has no software
installed at all. List of software is treated as whitelist.
deny: Client should NOT have any software configured in the
list in order to pass the access policy. And that software
should satisfy all the configuration fields (e.g. state,
version etc). NOTE: The check will also be successful if
client has no software installed at all. List of software is
treated as blacklist.
db-age
Specifies the maximum age of the anti-virus/anti-spyware
database that you want an Endpoint Software Check agent to
verify the presence of on the client in order to allow the
access policy to pass.
db-version
Specifies the version of the anti-virus/anti-spyware database
that you want an Endpoint Software Check agent to verify the
presence of on the client in order to allow the access policy
to pass.
product_id
Specifies the product ID of the software that you want an
Endpoint Software Check agent to verify the presence of on
the client in order to allow the access policy to pass.
vendor_id
Specifies the vendor ID of the software that you want an
Endpoint Software Check agent to verify the presence of on
the client in order to allow the access policy to pass.
NOTE: If none of the vendor id or product id is defined then
check is performed for any of the software of given type If
both vendor id and product id are configured then, product id
is ignored and only vendor id is considered. Vendor ID always
takes precedence. A vendor can have many products. Each
product (of every vendor) has unique ID assigned to them.
Similarly, every vendor is assigned a unique ID too which is
separate from product ID. If you want to check every software
from a vendor then specify vendor_id only.
state
State means different things to different software type. The
state can be enabled, disabled or unspecified. The default is
unspecified.
antivirus and antispyware:
When the state is set to enabled or disabled, agent
verifies that the specified antivirus/antispyware software
has real time protection enabled or disabled on the client
that is attempting to connect. When state is unspecified, it
ignores the state.
patch-management:
When the state is set to enabled, agent verifies
that the specified PM software is running on the client that
is attempting to connect. When its set to unspecified, state
of the software is ignored.
firewall:
When the state is enabled or disabled, agent
verifies that the specified firewall software has real time
protection enabled or disabled on the client that is
attempting to connect. When state is unspecified, the
software state is ignored.
peer-to-peer:
When the state is set to enabled agent verifies that
the peer-to-peer software is running on the client that is
attempting to connect. When state is unspecified, the agent
only verifies that the software is installed or not.
hard-disk-encryption:
When the state is set to enabled agent verifies that
all disk volumes are encrypted on the client that is
attempting to connect. When the state is set to disabled
agent verifies that system disk volume is encrypted on the
client that is attempting to connect. When state is
unspecified, the agent only verifies that the software is
installed or not.
health-agent:
When the state is set to enabled agent verifies that
endpoint client is compliant with the health policy set out
by the site administrator.
version
Specifies the version of the software that you want an
Endpoint Software Check agent to verify the presence of on
the client in order to allow the access policy to pass.
last-scan
Specifies the maximum allowed duration without the full
system scan of endpoint client that software agent can accept
in order to allow the access policy to pass. It is specified
in number of days.
missingupdates
Specifies the maximum number of allowed missing critical
updates of the PM software at the endpoint client in order to
allow the access policy to pass. Leave blank to ignore number
of missing critical updates. Specify 0 to make sure endpoint
client is up-to-date
platform
Specifies the platform. It could be any of the following:
windows, linux, mac or any. The default is any.
type Its the type of the third party software to be monitored on the
client system. It could be any of the following: antivirus,
firewall, patch-management, antispyware, peer-to-peer, hard-disk-
encryption, health-agent
collect
This setting is ignored.
continuous-check
Continuously check the items, and end the session if the result
changes. The default is false.
[name]
Specifies the name of an Endpoint Software Check agent. This
option is required.
partition
Displays the partition within which the component resides.
SEE ALSO
apm policy agent endpoint-linux-check-file, apm policy agent endpoint-
linux-check-process, apm policy agent endpoint-mac-check-file, apm
policy agent endpoint-mac-check-process, apm policy agent endpoint-
windows-browser-cache-cleaner, apm policy agent endpoint-windows-check-
file, apm policy agent endpoint-check-machine-cert, apm policy agent
endpoint-windows-check-process, apm policy agent endpoint-windows-
check-registry, apm policy agent endpoint-windows-group-policy, apm
policy agent endpoint-windows-info-os, apm policy agent endpoint-
machine-info, apm policy agent endpoint-windows-protected-workspace
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015. All rights
reserved.
BIG-IP 2apm-policy agent endpoint-check-software(1)