Xcitium Client Security (XCS) what test Remote Control by ITarian RDS Server RDS EDR AEP csv access scope Comodo dialog box Windows UAC user access rights verification phone number password reset security code forgot password Android threat history generates alert lock device Android devices Mac OS devices mobile devices passcode Lock log SIEM log forwarding log storage log storage settings scan profile Parental control FLS file-lookup server internet access rights Real-time scan default profiles pre-configured profiles pre-defined profiles customize profile clone profile Clone unknown MAC profile Linux profile cloud-based service Maintenance Window maintenance analysis tool UFH check policy test policy Virtual Appliances DNS Resolver register invite graphs Dynamic IP Dome shield Integration O365 Comodo Office 365 removal tool CCS removal tool Comodo Secure Email Gateway subscriptions service Dome Antispam Valkyrie report info web Comodo SWG tutorial policy DLP PAC file iboss Bluecoat Websense Comodo Dome ICAP Dome Agent traffic URL C1 account SWG portal SSL Encrypted Traffic Dome Cloud enable widget chart endpoint dashboard file groups Rules exceptions Wi-Fi networks Wi-Fi setup security restrictions iCloud auto containment containment settings virtual file system sandbox environment client access control local configuration Comodo Client Security Rebranding Communication Client Rebranding security client re-brand Comodo Clients application rules global rules Portsets port sets Firewall ruleset rule set rulesets global proxy server global proxy antivirus settings Client Proxy remote control tool Firewall protection firewall settings configuration file export profile PowerShell VBS script Windows Standard Account Endpoint Manager Client Communication (EMCC) server security clients updates vulnerable security patches installed Client Communication Communication Client (CC) submission Communication Client tray icon script OS Patch Third Party Patch Installation Uninstallation Discovery additional package External Device Control external ITarian remote Windows device apps signed-in logged-in identify License wizard on-boarding local Comodo Client Security Mac devices Linux devices MSP customers EM profile Mac OS profile MAC OS X device user device configuration profile copy invoice enrollment Logging Settings SIEM tool external server Account Security mobile console EM device owners ownership remove MAC third party application remote uninstallation software inventory duplicate Name Master Image Golden Image Bulk Installation Package Windows Operating Systems summary information local time External IP address OS summary Devices list MDM profile iOS push certificate create APNs Apple account portal APN Apple Push Notification search bar filter options customer device group group membership managed device trust rating old duplicates removal device name MAC address MSP (Managed Service Provider) Versions Marketing & Sales Customer Relationship Management (CRM) Enroll New Device New Ticket quick actions bar release notes security status activity status profile status Sales funnel Secure Internet Gateway application launch Two factor Time zone Language Lockout time Change Password tokens device enrollment User Groups Manage Profiles User List Management customer report customer assessment customers End-User forms auto response attachments time entry address support User Directory scripts Knowledgebase canned Banlist announcements Hostname mail delivery CommandLine Power Shell PowerShell interface File Explorer Commands Interface Remote devices Remote Tools Paranoid Mode Training Mode Custom Ruleset Safe Mode The charging flow edit contracts Charging Flowchart Global Asset Rates Charging Plans Contracts charges calculated Remove role Edit a role staff interface Exclusions data loss prevention (DLP) network discoveries ITarian Remote Access Tool Tarian Remote Access Tool inactive devices Device removal settings Portal Set-up Malware File Name Security Sub-System communication client UI settings Communication Client Tray remove a department ticket submission configure department synchronize department submit ticket distributing Bandwidths client updates device management Bandwidth conservation malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection Virtual Desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets

How to deploy ITarian clients on VDI environment

This article explains how to configure the master (golden) image so that each clone spawned from this image is auto-enrolled to Endpoint Manager.

Step 1 - Create a device group in EM for the clone machines

Open Endpoint Manager > Create a device group for the clone machines > Associate a profile with the device group:

  • Open Endpoint Manager

  • Click ‘Applications’ > ‘Devices’ > ‘Device List’

    • Choose a target company if you are using the MSP version

  • Click the ‘Group Management’ tab

  • Click the ‘Create Group’ button:

  • Enter a label for the new group

  • Click 'Add'. The new group is created.

Next, associate the profile you want to use on the clones with your new group:

  • Click ‘Devices’ > ‘Device List’

  • Click the ‘Group Management’ tab

  • Click on the name of the group you just created. In our example, ‘TestVDI’

  • Click the ‘Manage Profiles’ button then ‘Add Profiles’


Step 2 - Create the Client Communication (CC) Installation Package

  • The ITarian communication client (CC) auto-enrolls the instant clones to your new device group.
  • This means the clones will receive the configuration profile you associated with the group in step 1.

  • Each installer package is uniquely generated for your environment. Do not change the filename of the package as it is vital for enrolling the clone devices to the correct group.

Create a CCC installation package:

  • Click ‘Devices’ > ‘Device List’ > ‘Bulk Installation Package’

  • This opens the installer config Screen:

  • Complete the details as follows:

  • Customer - MSPs only. Choose the company on whose behalf you want to create the installer.
  • Device Group - Type the name of the group you created in step 1. In our example this is ‘InstantClone’.
  • User - The user with whom the package is associated. By default, this is the admin who is currently logged-in.
  • Package options - Leave only ‘Communication client selected’. Don’t select ‘Xcitium Client – Security’
  • Operating system - Choose the OS of the target endpoint
  • Choose platform - Select Window OS version. 64 bit, 32 bit, or hybrid.The hybrid package will auto-detect and install the correct version. 
  • Choose client - Use default Communication Client version

  • Additional options - AV Database - Choose whether to include the latest virus database with the installation package. This increases the size of the package.

    If disabled, the client will download the latest database anyway when you run the first virus scan.

  • Restart / UI options - Leave at defaults
  • Scroll down and click the ‘Download Installer’ button.

  • Save the file to your local machine

Reminder: Do NOT rename the .msi in any way. Doing so will mean the clones won’t get added to the correct group. You may ignore/close the ‘Auto Discovery and Deployment Tool’ pop-up

Creating the .msi also creates a user token which binds the installer to the chosen user (Default – the currently logged-in admin). This ensures new clones get enrolled to the correct user. Please make a note of this token as we will need it later in the process.

Get the user token

  • Click ‘Users’ > ‘User List’

  • Click the name of the user you entered in the package configuration step earlier

    • Click the funnel icon on the right if you need to search for a user

  • Click the ‘User Tokens’ tab:

  • The most recently created token is listed in the top-row. Make a note of the token string as you will need it later.

Step 3 - Get the hostname of EM

Next, you need to obtain the host name of your Endpoint Manager instance. You will need this in step 5 later.

  • Click ‘Devices’ > ‘Device List’ > ‘Device Management’ tab

  • Click the ‘Enroll Device’ button above the table:

This starts the device enrollment wizard:

Step 1 – Device options

              Select Device – Choose 'Other device'

              Specify User – Start typing the username of the user you chose in step 2 and select the user from the suggestions.

              Click 'Next'

Step 2 - Enrollment options – Leave all default options and click 'Next'

Step 3 - Installation Instructions - The enrollment link is shown:

  • Make a note of the full hostname for later use.

Step 4 - Install the communication client and the security client (XCS) on the master image

  • Copy the communication client installer package you downloaded in step 2, to your master image VM and install it.
  • This will add your master image as a device to your new (in our example, ‘TestVDI’) device group.

  • Confirm the operation was a success in Endpoint Manager as follows:

    • Click ‘Devices’ > ‘Device List’ > ‘Group Management’ tab

    • Click on the name of the group (‘TestVDI’ in our example)

    • Click the ‘Device Management’ tab

    • Your master image should be listed as a device there

Install Xcitium Client – Security (XCS)

  • Stay on the ‘Device Management’ screen.

  • Use the checkbox on the left to select your master image device

  • Click the ‘Install or update packages’ button > ‘Install Additional Xcititum Packages’:

This will open the XCS install config. Screen:

  • Make sure ‘Install XcitiumClient – Security’ is selected and select the version of XCS to be installed (if enabled).

  • 'Install xcitium client-EDR' is selected and able to buy new license (if enabled)

  • XCS requires the master image to be started for the installation to take effect. Choose reboot options as per your preference.

  • Click ‘Install’ to deploy XCS to your master image.

After the restart, you will have installed both CC and XCS on your master image. The image is listed as a device in your device group and has the correct profile associated with it.

Step 5 – Configure the master image to automatically enroll and unenroll during every startup / shutdown

  • Your master image needs to enroll itself to the device group in EM, every time you start it up and de-enroll every time you shut-down it.

  • The enrollment process requires an enrollment configuration file placed in the installation folder of communication client, every time.

  • EM places an enrollment configuration file during the initial enrollment of the image, but file is consumed during the first enrollment process.

  • In order to enroll the image every time the image is started, you can create a configuration file and save it in a backup folder created the installation folder of the communication client

  • You can download a sample configuration file, enter the host name, port and user token parameters to create the configuration file

  • You can also configure a .bat file to load the enrollment configuration file from the backup to the installation folder of the client every time the image is shutdown, so the image will be ready for enrollment during its next startup

  • If you are using a proxy, you should also place a proxy configuration file in the backup folder

Enroll and proxy requirements:

  • Download the sample 'enrollment_config.ini' from the location:


The file contains the following:


host = companydomain.cmdm.Itarian.com

port = 443

remove_third_party = false

suite = 4

token = xxxxxxxxxxxxxxxxxxxxxxxxxxxxx


  • Edit the file to add the host and user token parameters and save the file.

If you have configured your profile with a 'Clients Proxy' section that instructs the master image to use a proxy to connect to EM, then you need a proxy configuration file loaded, during each enrollment.

  • Download the sample proxy configuration file 'proxy_settings.ini' from the following location


The file contains the following:


proxy_use = "true"

proxy_host =

proxy_port =

proxy_use_auth = "false"

proxy_user =

proxy_password =


  • Edit the file to specify the hostname and connection port of the proxy server

  • If the proxy requires authentication, change the 'proxy_use_auth' to “true” and enter the username and password to access the proxy

  • Save the file.

Save the configuration file(s) in a backup folder

  • Create a backup folder in the following path:

32 bit OS - C:\Program Files\ITARIAN\Endpoint Manager\Backup

64 bit OS - C:\Program Files (x86)\ITARIAN\Endpoint Manager\Backup

  • Save the 'enrollment_config.ini' and 'proxy_settings.ini' (if you have created one) to the backup folder.

Unenroll requirements:

  • The device needs to be unenrolled from Endpoint Manager every time you shut down the master image.

  • Every time you shutdown the image, the 'enrollment_configuration.ini' (and 'proxy_settings.ini' if used) need to be loaded to the Endpoint Manager folder from the backup. This ensures the machine will be correctly enrolled, next time you start the machine

  • You can automate both these processes by creating a .bat file and running it during every shutdown, using a local group policy.

  • Make sure you have created a backup folder as explained above then follow these steps:

Create the batch file:

  • Download a sample batch file ‘UnEnrolmentITSM_ITarian.bat'  from the following location:


The file contains the following:


REM Please create a folder in the "Endpoint Manager" folder

REM In this folder please copy "enrollment_config.ini" and "proxy_settings.ini" files

REM This script will copy this two files on the "Endpoint Manager" folder after the enrollment command is run

SET backupfolder=Backup

REM If you are using proxy, please use Proxy = "yes"

SET proxy=no


IF EXIST "%SystemDrive%\Program Files (x86)" (

cd "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager"

ITSMService.exe -c 2

timeout 10

IF EXIST "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\enrollment_config.ini" (

del "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\enrollment_config.ini" >nul 2>&1


IF "%proxy%" == "yes" (

IF EXIST "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\proxy_settings.ini" (

del "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\proxy_settings.ini" >nul 2>&1



IF NOT EXIST "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\enrollment_config.ini" (

xcopy "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\%backupfolder%\enrollment_config.ini" "%ProgramFiles(x86)%\ITARIAN\Endpoint manager\" /Y >nul 2>&1


IF "%proxy%" == "yes" (

IF NOT EXIST "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\proxy_settings.ini" (

xcopy "%ProgramFiles(x86)%\ITARIAN\Endpoint Manager\%backupfolder%\proxy_settings.ini" "%ProgramFiles(x86)%\ITARIAN\Endpoint manager\" /Y >nul 2>&1



) ELSE (

cd "%ProgramFiles%\ITARIAN\Endpoint Manager"

ITSMService.exe -c 2

timeout 10

IF EXIST "%ProgramFiles%\ITARIAN\Endpoint Manager\enrollment_config.ini" (

del "%ProgramFiles%\ITARIAN\Endpoint Manager\enrollment_config.ini" >nul 2>&1


IF "%proxy%" == "yes" (

IF EXIST "%ProgramFiles%\ITARIAN\Endpoint Manager\proxy_settings.ini" (

del "%ProgramFiles%\ITARIAN\Endpoint manager\proxy_settings.ini" >nul 2>&1



IF NOT EXIST "%ProgramFiles%\ITARIAN\Endpoint Manager\enrollment_config.ini" (

xcopy "%ProgramFiles%\ITARIAN\Endpoint Manager\%backupfolder%\enrollment_config.ini" "%ProgramFiles%\ITARIAN\Endpoint Manager\" /Y >nul 2>&1


IF "%proxy%" == "yes" (

IF NOT EXIST "%ProgramFiles%\ITARIAN\Endpoint Manager\proxy_settings.ini" (

xcopy "%ProgramFiles%\ITARIAN\Endpoint Manager\%backupfolder%\proxy_settings.ini" "%ProgramFiles%\ITARIAN\Endpoint Manager\" /Y >nul 2>&1





  • Edit the file to add the following parameters:

    • SET backupfolder= <the location of the backup folder, in which the configuration files are saved>

    • SET proxy=<whether or not the image uses a proxy to connect to EM server>

  • Place the 'UnEnrolmentITSM_ITarian.bat' file in a location that is not restricted by Windows.

    • For example, create a folder on the %SystemDrive% with the name temp and place the .bat file inside.

Create a local group policy to run the batch file during shutdown

  • Run gpedit.msc

  • Navigate to 'Computer Configuration' > 'Windows Settings' > 'Scripts (Startup/Shutdown)' > 'Shutdown'

  • Click 'Properties'

  • Click 'Add' in the 'Shutdown Properties' dialog

  • Click 'Browse' in the 'Add a script' dialog, navigate to and select the 'UnEnrolmentITSM_ITarian.bat' file

  • Click OK to add the file

  • Click 'OK' in the 'Shutdown Properties' dialog for your settings to take effect.


Step 6: Rate the .bat file as ‘Trusted’ on the master image machine

We want the 'UnEnrolmentITSM_ITarian.bat' file to run unimpeded, so we need to give it a ‘Trusted’ file rating in XcitiumClient Security (XCS). Doing so means XCS will not block the file regardless of the security level you are using.

1) Enable the file list

  • Open Endpoint Manager

  • Click ‘Configuration Templates’ > ‘Profiles’

  • Click on the name of the profile you applied to the master image

  • Open the ‘UI Settings’ tab

    • Click ‘Add Profile Section’ > ‘UI Settings’ if you have not yet added this section

  • Open the 'General Settings' tab (if it is not already open)

  • Enable ‘Show File List’ and save the profile

  • This will command XCS on the master image to make the file list available to you

2) Give the .bat file a trusted rating

  • Open Xcitium Client Security on your master image

  • Click ‘Settings’ > ‘File Rating’ > ‘File List’

  • Click the ‘Add’ button > ‘Files’

  • Browse to the .bat file and click ‘Ok’.

  • Select ‘Trusted’ as the rating:

  • Click ‘OK’

  • Click ‘OK’ in the 'Advanced Settings' interface to apply the new rating.

The batch file is now trusted and will not be blocked by XCS.

Step 7: Confirm that XCS doesn’t need a reboot


At this step you should confirm that Xcitium Client Security doesn’t require a restart. For example, a restart is required If you add or remove AV, FW or Containment from a profile.

Step 8: Restart the master image

  • Restart the master image device to confirm the following:

    • The device is removed from Endpoint Manager when you shut it down

    • The device is re-enrolled when the reboot is complete

    • The device is correctly added to the correct device group (‘TestVDI’ in our example)

You can check the success or failure of all these steps in the Endpoint Manager interface:

  • Open Endpoint Manager > Click ‘Devices’ > ‘Device List’ > ‘Group Management’ tab > open the device group




Step 9: Confirm that the clones are enrolled to Endpoint Manager

  • Update the machine catalog after confirming that the Golden Image is working correctly

    • See the screenshot below, for Citrix, as an example:

After the update, please test whether the clones are enrolled/removed from Endpoint Manager.