Software Removal Based on AD Group Membership Change
Hi,
I'm working on a strategy to deploy software based on AD Group Membership. I've got the logic worked out with an LDAP Smart Label so that the software deploys via script.
I think I've reasoned out how to get the software to REMOVE via AD group change using smart labels. What I'm now curious about is whether I can script the removal of a label. I don't want to leave things lying around.
For example:
Label: SoftwareInstall-PKG-X is an LDAP smart label.
I can create another smart label showing that a system has a software title and isn't in that group, and trigger the removal, but then the system still has the smart label applied to it.
How can I trigger the removal of a label?
Thanks,
Chris.
-
Created with the proper logic, the smart label will remove itself ... duh. - cdmead 5 years ago
-
Maybe I'm reading too much into your request. So the software already exists, you just need to have it removed if they no longer exist in the AD group? Then, yes, simply test for existence of software + AD group. - worzie 5 years ago
-
You're exactly right - that's what I was doing. - cdmead 5 years ago
-
I'm going to follow this one. I have had a need for this in the past and unfortunately was unable to get over the fact that KACE is more device targeted, not user targeted. I want to believe it can be AD group targeted, but then you need to consider if that software needs to be removed every time a non-AD member logs into that. Does it also remove it if an administrator logs in as well? Again, I'm more interested to see this get answered. - worzie 5 years ago
-
Our use case is essentially more device based - I work at a college. We'd be deploying to public lab machines, so per device, and then to faculty/staff, and they don't share machines, so again, to device. We have group policies applied for user experience, but I have a difficult time understanding why software would need to be removed from a machine if a non-AD user or administrator logs in. What is your use case for this? What are the machine roles? I've essentially solved my problem but am very curious about yours! - cdmead 5 years ago
-
Ok, yes, so if a local user logs in, the KACE agent will see this as a member not in the AD group and perhaps remove your software. - worzie 5 years ago
-
Why would you remove the software? - cdmead 5 years ago
Answers (2)
Use AD groups for the machines that should have that software and KACE will read those via LDAP. For each software AD group, create 2 smart labels.
One for machines with that AD group.
One for machines that do not have that AD group and that software exists on the machine.
Create an install MI and use the label for machines that are in that AD group.
Create an uninstall MI and use the label for machines that are not in that AD group and have the software installed.
Then as you add or remove machines from the AD group, the 2 SMA smart labels will update via LDAP. The machines will update and have only one smart label for each software according to whether they are in the AD group or not, and the appropriate install or uninstall MIs will run.
Comments:
-
Actually, what I've done is use an LDAP Smart Label for the deployment, and a Device Smart Label for the removal. The Device Smart Label logic is this: if software is present and device is not part of the LDAP Smart Label, get placed in the removal smart label. Since the logic is designed that way, the system will self-remove from the removal smart label after its next check-in. - cdmead 5 years ago
Create a Device Smart Label. Criteria for the Device Smart Label should be to identify that the software is present on the device, and that the device does not have the LDAP Smart Label used for installation applied to it. In this way, the removal of the AD security group will trigger the LDAP Smart Label to self-update, drop the machine into the Removal Smart Label, and because of the structure of the Removal Smart Label criteria, the machine will self-remove from the Removal Smart Label at next check-in.
This appears to work without issue (as long as I don't screw up my scripting :P )
I'm using a combination of scripts and MIs to drop software on ... just depends on the software. I work for a business school and there are several open source stat utilities and mathematical notation utilities which we use.
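The label logic described in the answers above, modelled over successive check-ins (an added example, not part of the original posts and not KACE code). It assumes both labels are re-evaluated once per check-in and the label-targeted job runs in that same cycle; `SoftwareRemove-PKG-X` and the device names are hypothetical. The second device shows a consequence of the criteria: a machine that was never in the AD group but has the software installed also lands in the removal label.

```python
from dataclasses import dataclass, field

PKG = "PKG-X"
INSTALL_LABEL = "SoftwareInstall-PKG-X"  # LDAP smart label named in the question
REMOVAL_LABEL = "SoftwareRemove-PKG-X"   # hypothetical name for the device smart label


@dataclass
class Device:
    name: str
    software: set = field(default_factory=set)
    labels: set = field(default_factory=set)


def evaluate_labels(dev, in_ad_group):
    """Recompute both smart labels from current inventory and AD membership."""
    labels = {INSTALL_LABEL} if in_ad_group else set()
    # Removal criteria from the answer: software present AND install label absent.
    if PKG in dev.software and INSTALL_LABEL not in labels:
        labels.add(REMOVAL_LABEL)
    dev.labels = labels


def check_in(dev, in_ad_group):
    """One check-in: labels are re-evaluated, then the label-targeted job runs."""
    evaluate_labels(dev, in_ad_group)
    if REMOVAL_LABEL in dev.labels:
        dev.software.discard(PKG)
        action = "uninstall"
    elif INSTALL_LABEL in dev.labels and PKG not in dev.software:
        dev.software.add(PKG)
        action = "install"
    else:
        action = "none"
    return action, sorted(dev.labels)


def run_timeline(dev, membership_per_check_in):
    """Return (action, labels) for each successive check-in."""
    return [check_in(dev, member) for member in membership_per_check_in]


if __name__ == "__main__":
    # Constructed devices: one managed through the AD group, one never in it.
    lab = Device("lab-pc-01")
    stray = Device("staff-pc-07", software={PKG})  # software installed by hand
    for dev, members in ((lab, [True, True, False, False]), (stray, [False, False])):
        for n, (action, labels) in enumerate(run_timeline(dev, members), 1):
            print(f"{dev.name} check-in {n}: action={action} labels={labels}")
```
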