With these settings:
- The agent will attempt to retrieve all data (content, patches, threat) files from the Distribution Server assigned to it by your IP Range setup.
- The agent will failover to downloading from the vendor (internet) if it is unable to connect to the Distribution Server or if the files have not been updated on the Distribution Server.
"so if I uncheck this setting does that mean when that when my laptops are offsite they will not update since they will not have access to the distribution servers?"
That would be correct, they would attempt to connect to the Distribution Server and fail.
In our upcoming release of Protect 9.2, we have something we are calling Predictive Patch and Predictive Sync, these new features should help those distribution Servers to stay up to dare.
If enabled, patches that are likely to be deployed in the near future are automatically downloaded to the patch download directory. The patches will be downloaded immediately following the scheduled download of the core engines and definitions. Downloading patches in advance of their anticipated deployment will help speed the deployment process. This feature is beneficial for agentless deployments and for agents that deploy patches using the services of a distribution server.
Here are some additional details about Predictive Patch:
- The following patches will be downloaded to the console's download directory:
- Missing patches that were detected by recent scans but that have not yet been downloaded. A recent scan is defined as a patch scan that was performed within the last 45 days.
- Missing patches for products that Shavlik Protect can deduce are on your target machines
- New patches that were recently added to the XML patch data file and that apply to products on your target machines.
- New or missing service packs will be downloaded
- The patches and service packs will be downloaded according to age (the most recent will be downloaded first)
- The process will download up to 5GBs of patches and service packs during a scheduled download session
- Patches that already exist in the download directory will not be downloaded.
- You can synchronize Predictive Patch with your distribution servers so that they receive copies of the downloaded patches
- An entry is recorded in Event History every time patches are downloaded to the console by Predictive Patch
- The patch download is triggered by either a scheduled download of the core engines and definitions or by clicking Run now when Core engines/definitions is selected
If enabled, those patches that have been downloaded to the console by the Predictive Patch feature will be synchronized with (copied to) this distribution server. Service packs are not included in this synchronization. The Patch Sync column in the top pane of the Distribution Servers tab will indicate if Predictive Patch is enabled for a distribution server.
Let me know if you have any other questions.
thanks Charles that confirms what I was thinking would be the case . Upon further investigations what we are seeing is that not only are Laptop that have the agent policy as in the print screen (desktops have the user vendor unchecked) we are seeing all the computers that have agents also downloading some of the none patch files in particular pd5.xml and hf7B.xml and these we can see as pulling from shavlik xml server IPs ( IPs listed IP Addresses for Ivanti (Shavlik) content servers (xml.shavlik.com and content.ivanti.com)
Some of these locations get their connections saturated by these . I have also confirmed the specific files are in the local distribution server shares. Should these computers not be downloading from the local distribution server or if not from the console server why are these going out to download the files? Attached is a partial example of some of the machines downloading externally the two files mentioned above. The console is showing these machines as fully patched
anyone else seeing this issue or have a suggestion as to how to resolve the issue?
My apologies, technical issues have been preventing me from replying to this post.
The agent will attempt to download files every time it perform a scan no matter if the machine is patched or not. If configured to do so, it will attempt to download from the Distribution Server then failover to download from xml.shavlik.com. Per the screenshot above, you do have your agents setup to failover to the vendor xml.shavlik.com in this case. I can only assume the agents are not able to download the files from the Distribution Server.
Failures would include:
Configuration issues with your Distribution Servers.
The agents do not fall into the IP Ranges to are using.
The files the agent require are not located on the Distribution Servers.
Some unknown environmental issue.
We need logs from one or more of these agents that are downloading from the vendor instead of the Distribution Servers.
Gathering Agents Logs: Logs - Gathering Console, Client Side (agentless), and Agent log files for Protect Look for the Protect 9.x agent logging section.
Create a case using https://support.shavlik.com/CaseLogging.aspx and attach the logs.
Please reference this post in the case.