apm policy agent endpoint-check-software
apm policy agent endpoint-check-software(1) BIG-IP TMSH Manual apm policy agent endpoint-check-software(1)
NAME
endpoint-check-software - Manages an Endpoint Software Check agent.
MODULE
apm policy agent
SYNTAX
Configure the endpoint-check-software component within the apm policy agent module using the following syntax.
CREATE/MODIFY
create endpoint-check-software [name]
modify endpoint-check-software [name]
options:
collect [ true | false ]
continuous-check [ true | false ]
type [ antivirus | firewall | patch-management | antispyware | peer-to-peer | hard-disk-encryption | health-agent ]
check-list-type [ required | allow | deny ]
items [ vendor_id | product_id | state | version | db-age | db-version | last-scan | missing-updates | platform ]
edit endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list endpoint-check-software
list endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
show running-config endpoint-check-software
show running-config endpoint-check-software [ [ [name] | [glob] | [regex] ] ... ]
options:
all
all-properties
app-service
current-module
non-default-properties
one-line
partition
DELETE
delete endpoint-check-software ([name] | all)
DESCRIPTION
Endpoint security is a centrally-managed method of monitoring and maintaining client-system security. You can
use the endpoint-check-software component to create and manage an agent that enforces monitoring of various
client-system security third party software. Different types of third party software supported are described
below in options.
The configuration attributes in the items option are generic and therefore for a given software type only
certain items attributes are useful, rest of the attributes are ignored even if they are configured. For
example: for type=peer-to-peer only vendor_id, product_id, state and version are considered and rest of the
items like db-age, db-version etc are ignored. Following is the list of useful attributes corresponding to the
software type:
Common to all software type:
vendor_id, product_id, version, platform, state
antivirus & antispyware:
db-age, db-version, last-scan
patch-management:
missing-updates
EXAMPLES
create endpoint-check-software MyEndpointWCagent items state enabled add
Creates the Endpoint Check Software agent named MyEndpointWCagent, which verifies that the specified
third party software on the client is compliant with system administrators configuration, which my just
check for the installation or monitor the state of the software
list endpoint-check-software
Displays a list of Endpoint Software Check agents.
delete endpoint-check-software MyEndpointWCagent
Deletes the Endpoint Software Check agent named MyEndpointWCagent.
OPTIONS
items
Adds items to or deletes items from an Endpoint Software Check agent. You can specify the following
attributes for the software:
check-list-type Specifies how the list of software should be checked
required:
Client is required to have at least one of the software configured in the list in order to pass the
access policy. And that software should satisfy all the configuration fields e.g. state, version
etc.
allow: Client is allowed to have any of the software configured in the list but NOT any other than
that, in order to pass the access policy. List is treated as whitelist. A given client software will
not match unless it satisfies all the configuration fields (e.g. state, version etc). NOTE: The
check will also be successful if client has no software installed at all. List of software is
treated as whitelist.
deny: Client should NOT have any software configured in the list in order to pass the access policy.
And that software should satisfy all the configuration fields (e.g. state, version etc). NOTE: The
check will also be successful if client has no software installed at all. List of software is
treated as blacklist.
db-age
Specifies the maximum age of the anti-virus/anti-spyware database that you want an Endpoint Software
Check agent to verify the presence of on the client in order to allow the access policy to pass.
db-version
Specifies the version of the anti-virus/anti-spyware database that you want an Endpoint Software
Check agent to verify the presence of on the client in order to allow the access policy to pass.
product_id
Specifies the product ID of the software that you want an Endpoint Software Check agent to verify
the presence of on the client in order to allow the access policy to pass.
vendor_id
Specifies the vendor ID of the software that you want an Endpoint Software Check agent to verify the
presence of on the client in order to allow the access policy to pass.
NOTE: If none of the vendor id or product id is defined then check is performed for any of the
software of given type If both vendor id and product id are configured then, product id is ignored
and only vendor id is considered. Vendor ID always takes precedence. A vendor can have many
products. Each product (of every vendor) has unique ID assigned to them. Similarly, every vendor is
assigned a unique ID too which is separate from product ID. If you want to check every software from
a vendor then specify vendor_id only.
state
State means different things to different software type. The state can be enabled, disabled or
unspecified. The default is unspecified.
antivirus and antispyware:
When the state is set to enabled or disabled, agent verifies that the specified
antivirus/antispyware software has real time protection enabled or disabled on the client that is
attempting to connect. When state is unspecified, it ignores the state.
patch-management:
When the state is set to enabled, agent verifies that the specified PM software is running
on the client that is attempting to connect. When its set to unspecified, state of the software is
ignored.
firewall:
When the state is enabled or disabled, agent verifies that the specified firewall software
has real time protection enabled or disabled on the client that is attempting to connect. When state
is unspecified, the software state is ignored.
peer-to-peer:
When the state is set to enabled agent verifies that the peer-to-peer software is running
on the client that is attempting to connect. When state is unspecified, the agent only verifies that
the software is installed or not.
hard-disk-encryption:
When the state is set to enabled agent verifies that all disk volumes are encrypted on the
client that is attempting to connect. When the state is set to disabled agent verifies that system
disk volume is encrypted on the client that is attempting to connect. When state is unspecified, the
agent only verifies that the software is installed or not.
health-agent:
When the state is set to enabled agent verifies that endpoint client is compliant with the
health policy set out by the site administrator.
version
Specifies the version of the software that you want an Endpoint Software Check agent to verify the
presence of on the client in order to allow the access policy to pass.
last-scan
Specifies the maximum allowed duration without the full system scan of endpoint client that software
agent can accept in order to allow the access policy to pass. It is specified in number of days.
missingupdates
Specifies the maximum number of allowed missing critical updates of the PM software at the endpoint
client in order to allow the access policy to pass. Leave blank to ignore number of missing critical
updates. Specify 0 to make sure endpoint client is up-to-date
platform
Specifies the platform. It could be any of the following: windows, linux, mac or any. The default is
any.
type Its the type of the third party software to be monitored on the client system. It could be any of the
following: antivirus, firewall, patch-management, antispyware, peer-to-peer, hard-disk-encryption,
health-agent
collect
This setting is ignored.
continuous-check
Continuously check the items, and end the session if the result changes. The default is false.
[name]
Specifies the name of an Endpoint Software Check agent. This option is required.
partition
Displays the partition within which the component resides.
SEE ALSO
apm policy agent endpoint-linux-check-file, apm policy agent endpoint-linux-check-process, apm policy agent
endpoint-mac-check-file, apm policy agent endpoint-mac-check-process, apm policy agent endpoint-windows-
browser-cache-cleaner, apm policy agent endpoint-windows-check-file, apm policy agent endpoint-check-machine-
cert, apm policy agent endpoint-windows-check-process, apm policy agent endpoint-windows-check-registry, apm
policy agent endpoint-windows-group-policy, apm policy agent endpoint-windows-info-os, apm policy agent
endpoint-machine-info, apm policy agent endpoint-windows-protected-workspace
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2012-2013, 2015. All rights reserved.
BIG-IP 2015-07-22 apm policy agent endpoint-check-software(1)