uberAgent 7.1 Preview: Central Config File Management
While we’re working on version 7.1 of our digital employee experience monitoring & endpoint security analytics products uberAgent UXM and uberAgent ESA, let’s take a look at a new feature that promises to make life even easier for our customers: automatic deployment of agent configurations from a central origin.
Before we look at this new feature, let’s take a step back and examine the existing configuration options.
When you install the uberAgent endpoint agent, it comes fully configured and immediately starts collecting useful data. This is possible because the installer places a set of local config files on the endpoint along with the agent binaries.
Local config files can optionally be maintained independently of the installation directory in %ProgramData% (docs). This enables our customers to maintain their uberAgent configuration with the tools of their choice. However, it requires customers to use a deployment tool to distribute uberAgent configuration changes.
Active Directory Group Policy has deployment capabilities built-in. Customers can leverage that by adding the uberAgent Group Policy template to their Group Policy Management Console (GPMC) and by importing the Group Policy settings backup that is part of the uberAgent download (docs). The settings backup provides the recommended default configuration quickly and easily without having to click through every Group Policy setting and configuring items manually.
Group Policy is well-established in almost any organization, but it’s showing signs of age and has built-in limitations. One such limitation is that Group Policy was built to distribute individual settings, not sets of files. Configuration files, however, are required to store the large numbers of detection rules and security tests that ship with uberAgent ESA.
Central Config File Management (CCFM) brings together the benefits of local config files with the advantages of Group Policy. It obviates the need for a deployment tool while supporting even large numbers of configuration files and frequent updates with ease.
CCFM does this through an agent-based pull mechanism. This mechanism has been cleverly designed to offer the flexibility and scalability expected by our enterprise customers.
CCFM configurations are hosted on SMB file shares. This design choice has multiple advantages:
- The technology is established in enterprise IT.
- Scalability and performance aspects are well-understood.
- Excellent interoperability with existing tools and processes.
Different types of machines may need different uberAgent configurations. With CCFM, endpoints can be pointed to the most appropriate configuration file share depending on location, department, or other properties.
CCFM also supports configuration assignment by agent version. Each endpoint checks for version-specific subdirectories in the CCFM file share and selects the best-matching configuration. Gone are the days when you could only deploy a single configuration to all endpoints. With CCFM, each endpoint retrieves the configuration it needs automatically.
CCFM has been designed for high performance and minimal resource usage. In other words: for maximum scalability.
Each endpoint keeps a local copy of the currently applied configuration. The agent does not depend on the CCFM file share for its regular operation.
The CCFM file share is only accessed during configuration refresh checks. These checks occur at randomized intervals in order to evenly distribute the load on the file share. Configurations are kept in archives so that only a single file needs to be downloaded to the endpoint if an updated configuration is detected. No handles to the CCFM share are kept open in between configuration refresh checks.
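To make the version-matching and refresh logic described above concrete, here is a constructed model of an endpoint's refresh check. It is an added example, not uberAgent code: the share layout (version-named subdirectories plus a root fallback), the prefix-matching rule and the version tags are all assumptions.

```python
# Constructed model of a CCFM-style configuration refresh check.
# Not uberAgent code: the share layout and matching rule are assumptions.
from __future__ import annotations
import random


def parse_version(text: str) -> tuple[int, ...] | None:
    """'7.1.2' -> (7, 1, 2); returns None for names that are not versions."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def select_config_dir(agent_version: str, subdirs: list[str]) -> str:
    """Pick the most specific version subdirectory whose version is a prefix
    of the agent version; '' means the share root (version-independent config).
    This matching rule is an assumption made for the example."""
    agent = parse_version(agent_version)
    if agent is None:
        raise ValueError(f"bad agent version: {agent_version}")
    best, best_depth = "", 0
    for name in subdirs:
        ver = parse_version(name)
        if ver is None:
            continue  # e.g. 'notes' or 'archive' are not version directories
        if agent[:len(ver)] == ver and len(ver) > best_depth:
            best, best_depth = name, len(ver)
    return best


def refresh_check(agent_version: str, share: dict[str, str],
                  applied: tuple[str, str] | None) -> tuple[str, str, bool]:
    """share maps subdirectory ('' = root) -> version tag of the archive there.
    applied is the (directory, tag) the endpoint currently runs, or None.
    Returns (directory, tag, download_needed); only one archive is fetched."""
    chosen = select_config_dir(agent_version, [d for d in share if d])
    if chosen not in share:
        raise LookupError("no archive on share for " + (chosen or "root"))
    tag = share[chosen]
    return chosen, tag, applied != (chosen, tag)


def next_check_delay(base_seconds: float, jitter: float = 0.25,
                     rng: random.Random | None = None) -> float:
    """Randomised interval so endpoints do not all hit the share at once."""
    rng = rng or random.Random()
    return base_seconds * (1.0 + rng.uniform(-jitter, jitter))
```

Because every endpoint applies whatever archive it finds on the share, write access to the CCFM share should be limited to the people who own the configuration.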
With great flexibility comes the need for great visibility. In other words, you need to know which agents use which configuration source (CCFM, local, Group Policy), which version of a configuration is in use on which endpoints, and from which CCFM file shares agents are pulling their configuration.
All that is available as part of uberAgent’s regular dataset. The configuration version information is visualized on the uberAgent Versions Splunk dashboard.
The uberAgent product family offers innovative digital employee experience monitoring and endpoint security analytics for Windows and macOS.
uberAgent UXM highlights include detailed information about boot and logon duration, application unresponsiveness detection, network reliability drill-downs, process startup duration, application usage metering, browser performance, web app metrics, and Citrix insights. All these varied aspects of system performance and reliability are smartly brought together in the Experience Score dashboard.
uberAgent ESA excels with a sophisticated Threat Detection Engine, endpoint security & compliance rating, the uAQL query language, detection of risky activity, DNS query monitoring, hash calculation, registry monitoring, and Authenticode signature verification. uberAgent ESA comes with Sysmon and Sigma rule converters, a graphical rule editor, and uses a simple yet powerful query language instead of XML.
About vast limits
vast limits GmbH is the company behind uberAgent, the innovative digital employee experience monitoring and endpoint security analytics product. vast limits’ customer list includes organizations from industries like finance, healthcare, professional services, and education, ranging from medium-sized businesses to global enterprises. vast limits’ network of qualified solution partners ensures best-in-class service and support anywhere in the world.