Dynamic group for outdated Agents in ESMC?

[PuterCare 3]

Hi all, I am trying to solve a problem I have. On the dashboard of ESMC I can see that there are some outdated agents, if I click the bar chart and select Update Installed Eset Products it says "No ESET products that can be updated automatically have been found". I can generate a report and filter by the outdated status but I can't then run a task based on the report and to do this manually would take too long.

I tried to create a new dynamic group using Application Name filter but then it does not list the Version Check Status filter so I can't then only add devices which are outdated. 

Has anyone got a workaround for this or is there another method I am missing? Is there also a way to use filters to show when a product is less than i.e. < 7.3.* ?

Thanks

 

[INDUS_MH 1]

You currently cannot Update agents via the dashboard, only the Security Software.

To update the agents you have to create a upgrade security management center components task and run that on the outdated machines.

[PuterCare 3]

Just now, INDUS_MH said:

You currently cannot Update agents via the dashboard, only the Security Software.

To update the agents you have to create a upgrade security management center components task and run that on the outdated machines.

Thanks, this is what I do already but my issue is I can't find a way to create a dynamic group so I can apply the task to only computers running outdated agents. Do you know how to create a dynamic group that only lists outdated agents?

[INDUS_MH 1]

I don't know how to create that group, but if you send the task to all machines it will skip the ones with the current agent installed.

[Marcos 5,070]

1 minute ago, PuterCare said:

Thanks, this is what I do already but my issue is I can't find a way to create a dynamic group so I can apply the task to only computers running outdated agents. Do you know how to create a dynamic group that only lists outdated agents?

Without thinking how to accomplish that, what about sending an ESMC component upgrade task to all machines? If the machines have the latest version of agent, nothing will be done. On machines where agent is not up to date, it will be updated.

[PuterCare 3]

1 minute ago, Marcos said:

Without thinking how to accomplish that, what about sending an ESMC component upgrade task to all machines? If the machines have the latest version of agent, nothing will be done. On machines where agent is not up to date, it will be updated.

Thanks, that is what I do already but I just wondered if there was a way to use a dynamic group so I can set up an automatic task just like I do for when an unactivated client joins to auto-activate it. I wasn't sure if running this task to all clients would use resources on the ESMC server or clients unnecessarily. 

It seems if we were able to filter the Computers section like we are able to in the reports section then this is easily achievable and also I could use the "does not contain" filter on the software version with a value of "7.3." to list devices that need the urgent update. At the moment I sort my computers list by version and then manually select any that need an update. I know I can filter using specific versions but at the moment my priority is reaching at least 7.3 so we are ready for the various issues on the horizon.

[Miami 4]

12 minutes ago, PuterCare said:

Thanks, that is what I do already but I just wondered if there was a way to use a dynamic group so I can set up an automatic task just like I do for when an unactivated client joins to auto-activate it. I wasn't sure if running this task to all clients would use resources on the ESMC server or clients unnecessarily. 

It seems if we were able to filter the Computers section like we are able to in the reports section then this is easily achievable and also I could use the "does not contain" filter on the software version with a value of "7.3." to list devices that need the urgent update. At the moment I sort my computers list by version and then manually select any that need an update. I know I can filter using specific versions but at the moment my priority is reaching at least 7.3 so we are ready for the various issues on the horizon.

Hello, 

we use dynamic group with following template configuration to show us all V6 Agents. I am sure you can adjust that to ver 7.

Of course the group is populated on next connection of the client (agent).

[Miami 4]

Using "not regex (7.3).*"  could work.

[PuterCare 3]

3 hours ago, Miami said:

Using "not regex (7.3).*"  could work.

This seems to work, thanks.

EDIT: Actually, it just shows macOS clients as they are on pre v7, when I get some more time will look into this and see if I need to alter my filters or it might just be only showing non-v7 clients.

Edited November 12, 2020 by PuterCare

[GregA 3]

This is my Dynamic Group rule.

[PuterCare 3]

48 minutes ago, GregA said:

This is my Dynamic Group rule.

Thanks, I was trying to avoid having to set specific versions but if that's my only option then so be it. I think I will use "does not contain" and then use the latest package version and for the OS name I will use "contains" "Windows" and I will set the software name to EES as I only use EES (Mac/Windows) and EFS for servers.

[Shell 0]

I've done this using the following created template. However, you will need to edit the version each time a new one is released. It goes something like this but you can edit it to fit your needs and the current version number.

 

AND (All conditions have to be true)

Installed software.Application name - is one of - ESET Management Agent, ESET Remote Administrator Agent

And

Installed softwware.Application version - Not equal - "Version number"

And

OS edition.OS type - Equal - Microsoft Windows

 

 

[Miami 4]

Why not use the regex? With regex you can match versions the way you wish. If you need to care only about Agents version 7.2 versions use following regex  (7\.2).* 

When you use it with application filter (to show only Eset Agents), it should match all 7.2 agent versions.

OR, you can try to use following filter for outdated product. Its just my guess that it could work, I have not tested it, yet.

 

 

[MichalJ 434]

Hello @Miami This particular example as shown above, would not work. As the source of this particular problem is actually "Security product". It also states about the Endpoint Security / Antivirus, not about the management agent. 

 

[elkatarro 0]

On 11/12/2020 at 10:24 AM, Marcos said:

Without thinking how to accomplish that, what about sending an ESMC component upgrade task to all machines? If the machines have the latest version of agent, nothing will be done. On machines where agent is not up to date, it will be updated.

Assuming above suggestion is it a good practice to issue a cyclic task of updating agents, say, once a month? From my observations so far it is quite lightweight bandwith-wise and works well over VPN too. But is it a safe and good practice?

Edited January 23, 2021 by elkatarro

[Marcos 5,070]

29 minutes ago, elkatarro said:

But is it a safe and good practice?

Why not? Sending an ESET PROTECT components upgrade task to update agent on clients is a standard and recommended way how to upgrade agent.

[MartinK 378]

On 1/23/2021 at 9:53 PM, elkatarro said:

Assuming above suggestion is it a good practice to issue a cyclic task of updating agents, say, once a month? From my observations so far it is quite lightweight bandwith-wise and works well over VPN too. But is it a safe and good practice?

It should be fairly safe, but be aware that as of now, each upgrade of ESET PROTECT actually requires modification of component upgrade task, so that latest target version is used -> this means that periodic execution won't be automatically updating AGENTs as it might be expected.

 

On 11/12/2020 at 10:00 AM, PuterCare said:

Hi all, I am trying to solve a problem I have. On the dashboard of ESMC I can see that there are some outdated agents, if I click the bar chart and select Update Installed Eset Products it says "No ESET products that can be updated automatically have been found". I can generate a report and filter by the outdated status but I can't then run a task based on the report and to do this manually would take too long.

As of ESET PROTECT 8.0, upgrade initiated via dashboard should be working, as with other ESET products. It helps to automate processes that are required on the background, i.e. components upgrade task is created and scheduled to be executed on selected clients.