Tags
autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard itarian unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse Subscriptions service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos Rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection virtual desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring script procedure custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to configure client updates in a Windows profile

Release Time
07/11/2019
Views
none
Category
Endpoint Manager features
Tags

  • The updates section of a Windows profile lets you configure how and when managed devices should check for client updates.

  • You can configure update settings for:

    • The communication client (CC)

    • The security client (CCS)

    • The virus database

  • You can set a wide range of options, including update frequency, schedule, distribution method, and download servers.

Add an update section

  • Click ‘Configuration Templates’ > ‘Profiles’

  • Click the name of the profile you want to work on:

 

  • Click 'Add Profile Section' > 'Updates'

There are three tabs you can configure. Click the following links to find out more about each:

Please also see the note on global update settings at the end of this article.

Communication Client

The communication client tab lets you enable auto-updates, configure a schedule, set the distribution method, and more.

 


 

  • Enable auto-updating Communication Client - Forces the endpoint to check for and install CC program updates at the frequency you choose. Deselect this option to disable auto-updates.

    • If you disable auto-updates, you can manually update clients by clicking 'Devices' > 'Device List' > select your target devices > Click 'Install or Update Packages' button.

    • See this help page if you want more assistance with manual updates.
       

  • Update Frequency - Choose how often CC should check for updates. The options are:

    • Daily (Default) - The client checks for updates every day at 6:00 am

    • Daily (custom) - The client checks for updates every day at the time you specify

    • Weekly - Select the days and times that you want the client to check for updates

    • On selected days - Choose one or more days in a month to check for updates. For example, you might want to update on the first and third Wednesdays of every month.

    • Monthly - Select the date and time in a month to check for updates
       

  • Use default Communication Client version - Choose whether to always update to the ‘default’ version. You can choose the default version at ‘Settings’ > ‘Portal Setup’ > ‘Client Settings’ > ‘Windows’ > CC tab

    • Enabled = The client always updates to the default version.

    • Disabled = You can specify the version to which the client updates. Make sure you choose a higher version than already installed.

Note. You will only see this option if 'Change of version while updating' is enabled in 'Settings' > 'Portal Set-up' > 'Client Settings' > 'Windows' > 'Comodo Client'. If it is not enabled, then the default version is automatically deployed.

  • Enable Communication Client to distribute update packages - Download updates to a managed endpoint, then use that endpoint as the source from which other endpoints collect their updates. This is a peer-to-peer system which uses torrents to distribute the updates.

You can choose the type of updates which use this mechanism:

  • Communication Client updates

  • Comodo Client Security updates

  • Virus database updates

Once enabled, your endpoints will follow this process at update time:

  • Endpoints first check other endpoints to see if the update is installed on them

  • If available, the client fetches the update from the local endpoint

  • If not available, the client fetches the update from the server set in the 'Download Servers' tab

  • This endpoint then becomes a source from which other endpoints collect their updates
     

  • Select specific devices to be proxy for distributing packages – Nominate endpoints from which other endpoints should collect their updates.

    • Enter the names of the target devices in the field provided. You can add multiple source devices. Endpoints will collect from the first-named source that has the update.

    • If you do not specify sources, then Endpoint Manager will push the updates to the first endpoints that request it. Update requests are staggered across your endpoints to ensure enough machines have the update for the others to collect

  • Enable Network traffic limitation - The maximum % of network bandwidth that can be used to share updates. Default = 30%

  • Enable device count limitation - The maximum number of devices with which an individual source can simultaneously share updates.

    • Choose a figure appropriate for the number of endpoints in your network

    • If you do not enable this setting, then the torrent default of 200 connections is used. This may cause slow-downs in large networks.

  • Use download servers directly in case of any communication issue - If the endpoint cannot contact other endpoints it will instead collect the update from the server in the Download Servers tab.

Comodo Client – Security

The client security tab lets you configure updates for the CCS software and for the virus database. Some of the settings in this area are similar to those in the CCC tab.

 

 

  • Enable auto-updating Communication Client - Forces the endpoint to check for and install CCS program updates at the frequency you choose. Deselect this option to disable auto-updates.

    Please see the description in the CCC section of this setting.

  • Update Frequency - Choose how often CCS should check for auto-updates.

    Please see the description in the CCC section of this setting.

  • Use Default Client Security version - Choose whether to always update to the ‘default’ version.

           Please see the description in the CCC section of this setting.

  • Skip updates if the device is offline - Updates will not be installed if the endpoint is not connected to Endpoint Manager.

  • Reboot options - Configure how the endpoint should restart after the update is installed:

    • Force the reboot in – Restart the end-point a certain period after installation.
      Choice of 5, 10, 15 or 30 minutes.

    • Suppress the reboot - Do not restart the machine after the update. All protection technologies remain active, but fixes, improvements, and new features will only be available after the restart.

    • Warn about the reboot and let users postpone it - Show an on-screen alert to the user which advises them their computer needs to restart. The alert has options which let them restart the endpoint immediately or postpone the restart.

                     You can enter custom text for the alert in the space provided.

  • Virus database updates - Configure update frequency, power options, and Windows maintenance settings.

    • Check for database update every - Specify how often CCS should check for, and install virus updates. Default = 1 hour.

    • Do not check for updates if running on battery - Only check for updates if the computer is connected to the mains supply. Useful for laptops or other battery-driven devices.
       
    • Check for updates during Windows Automatic Maintenance - CCS will also check for virus updates when Windows enters maintenance mode. The check will run at maintenance time in addition to the regular checks. Only applies to Windows 8 and later.

    Download Servers

  • The 'Download Servers' tab lets you add and select the servers from which endpoints should collect updates
     

 

  • The default is to collect updates direct from Comodo servers at https://download.comodo.com. This is used if you do not specify any proxies here.

  • Alternatively, you can download updates to a proxy server and have endpoints collect updates from there. This helps to save bandwidth and accelerate updates in large networks.

  • You can configure different proxy servers for Comodo Client Security and Comodo Client Communication if required.

  • Use the ‘Move Up’ and ‘Move Down’ buttons to change the priority of a server. Endpoints will first consult the proxy at the top of the list then move downwards as necessary. It will download from the first server that has the required update.

Add a proxy server

  • Click ‘Configuration Templates’ > ‘Profiles’

  • Click the name of the profile you want to work on

  • Click the 'Updates' tab (or ‘Add Profile Section’ > ‘Updates’ if you don’t have one)

  • Click the ‘Add’ button to open the configuration screen:

 

  • Transfer Protocol - Select HTTP or HTTPS. We advise HTTPS in all circumstances. HTTP may be acceptable if the server and endpoints are all in the same local network.

  • Host - Enter the IP address or host-name of your proxy server.

  • Client - Select the type of updates that are provisioned by the proxy:

    • Communication Client

    • Client Security

    • Communication Client + Client Security

  • Click 'Add'. Repeat the process to add more servers.

Note: You need to install the ‘ESM update mirror’ utility on the proxy to collect the updates from Comodo servers in the first place. Download the setup file from https://drive.google.com/file/d/0B4qKr5xfENWBS0FOUHM2VDFQMnc/view

  • Run the setup file on a Windows server and follow the installation wizard

  • Check that the service is running:

    • ‘Run’ > Enter ‘services.msc’ > locate ‘Apache 2.2’

    • Click the ‘Start’ link on the left if the service is not running

Contact your Comodo account manager or Comodo support if you run into issues with this.

Note on Global Update Settings

  • This article explains client update settings in a profile which is applied to target devices.

  • However, you can also configure some ‘global’ client update settings at 'Settings' > 'Portal Set-up' > 'Client Settings' > 'Windows':

 

 

  • The global settings are mainly about communication intervals between Endpoint Manager and the device, but there is one overlapping item – ‘Enable the communication client to distribute packages to other clients in the network’:




     

  • Endpoint Manager prioritizes this setting as follows:

    • If you do not add an update section to the profile, then the global settings apply

    • If you do add an update section, then the settings in the profile take priority over the global settings

Global Setting (portal set-up)

Update section of a profile

Decision

Enabled

Update section not added

Apply portal set-up

Disabled

Disabled

Disabled

Enabled

Disabled

Apply profile set-up *

Enabled

Enabled

Apply profile set-up *

Disabled

Enabled

Apply profile set-up *

 

*  For the sake of clarity, Endpoint Manager will completely ignore the global settings if you have added an ‘Update’ section to a profile. For example, if ‘Comodo Client – Security packages’ is enabled in global settings, but not enabled in the profile, then it is disabled. Same for all other sub-settings like ‘Enable traffic limitation’ etc.