Hello all, I've been working with/leanring our KACE system for the last few months and I'm getting ready to throw the agent on all our systems throughout the company.  It's primarily a windows environment, but we have a good number of Macs as well.  I was hoping to get some thoughts on what is the best, or preferred method for deploying the Agent through an organization (Windows only for now)?

I ask this because I am not the network administrator, but I am the only one who works on our KACE systems and I'll have to coordinate with our admin for any domain policies we need to create.  I have an IP range that will reach all of our machines, but many have the firewall enabled and/or do not have any users or groups other than the default added to the Administrators group (Only domain admins, administrator and the machines user are administrators for the most part and I am not in the domain admin group).  My first though was to have a GPO made to open ports 139 and 445 on the domain portion of Windows Firewall, and then have a domain account made with limited permissions added to the domain admin group to run the provisioning configuration.

Our organization is only about 250 machines, and I've already got my K2000 setup to add the agent to any new deployment (which makes about 75 that have it running now) so moving forward it shouldn't be an issue.  My main concern (or rather that of our network admin) is security and before I make a proposal to him I wanted to see if anyone had any thoughts or advice on the best way deploy the agent.  Thank you for your insights.

Answer Summary:
2 Comments   [ - ] Hide Comments


  • If there is an issue with using the KBOX to push agents out. Your best bet is to use a GPO policy to push the KBOX agent out as a software package since it is just an MSI package. Your network admin should be able to do this fairly quickly and target the entire domain or specific OU/CN

    Another option could be to add it to your login script for installation.

    either method shouldn't require you to open any of the firewall ports for installation.
  • Also if you push via a GP you do not need to open ports 139 and 445 first; I am fairly certain.

    Other suggestions:
    * psexec it out
    * sneakernet

    Can you email your employees and ask them to help you better manage and protect their stations by installing the Kace Agent (which would be preconfigured for your kbox) and hosted somewhere they could retrieve it. You could make it a game and tell everyone that once they have completed the install they will be entered into a raffle to win some silly prize. I suspect you will not get everyone, but even if you get 25% that is still less you would have to do via sneakernet.

    For your MACs, if you have Apple Remote desktop you can push it out that way. However, note that Kace cannot install the agent on Macs if ssh is disabled.

    Good luck!
Please log in to comment

Answer this question or Comment on this question for clarity



We are going to test a group policy deployment on one of our departments today.  After reading a few more guides after your suggestions it sounds like the best way to ensure all our domain users get it.  Now the only trick is to make them ever turn their machines off to get a policy update.  thank you both very much for the tips.

Answered 05/09/2014 by: Eray
Yellow Belt

Please log in to comment