Onboarding SCCM

This topic describes how to onboard a connector for Microsoft System Center Configuration Manager (SCCM). The process requires you to download and run a small program on your premises. Running as a Windows service, the on-premises program is the connector that enables communication between SecOps Response and the SCCM server.

In addition to running the program for the SCCM connector, you must also run a configuration script to set up the correct environmental parameters.

This topic also describes how to use the application.properties file to set additional configuration parameters. Those parameters are optional, and many organizations may not need to modify the settings in the application.properties file.


Before you onboard

Some configuration must be performed on both the SCCM server and the on-premises host where the connector runs. To simplify that configuration, BMC provides a configuration script that you download and run on both machines.

If the parameters set in the configuration script are not appropriate for your site, you can edit the values set in the script or pass in different parameter values when executing the script.

Minimum configuration

Confirm that the server running the connector meets the minimum hardware and software requirements listed in Minimum hardware and software requirements.

Note

When onboarding connectors, a single machine cannot host more than one connector of the same type. For example, if you have onboarded a connector for SCCM on a host, you cannot successfully onboard another SCCM connector on the same machine.


Configuring the connector host

On the connector host, perform the following procedure:

  1. Download the wmi_config_param.zip file, which is attached to this page.
  2. Extract the contents of the wmi_config_param.zip file using any standard compression tool.
  3. Open an elevated (Run as administrator) PowerShell window; installing a Windows feature and changing the machine-wide execution policy both require it.
  4. Navigate to the location of the extracted contents of the ZIP file.
  5. If the Active Directory domain controller is not located on the SCCM server, enter the following commands to install the Active Directory PowerShell module:
    Import-Module ServerManager
    Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

  6. Enter the following commands:
    Set-ExecutionPolicy Unrestricted
    .\wmi_config_param.ps1

    Set-ExecutionPolicy Unrestricted changes the policy for the whole machine and the change persists after the script finishes. If your site does not permit that, an execution policy scoped to the current PowerShell process (the -Scope Process parameter) is sufficient to run the script, and you can restore the machine-wide policy to its previous value afterwards.

Configuring the SCCM server

You must perform the same configuration procedure on the SCCM server:

  1. Copy the wmi_config_param.ps1 file from the connector host to the SCCM server.
    Alternatively, download the wmi_config_param.zip file, which is attached to this page, to the SCCM server and extract its contents as described for the previous procedure.
  2. From an elevated PowerShell window, enter the following commands:
    Set-ExecutionPolicy Unrestricted
    .\wmi_config_param.ps1
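Both procedures above run a script downloaded from this page after setting the execution policy to Unrestricted. The following PowerShell, added here as an example and not part of the page or of the wmi_config_param.zip archive, shows how a security engineer would run the same script on either host: pin it to the SHA-256 hash recorded at download time, report its Authenticode state, clear the mark-of-the-web only after the hash matches, and relax the execution policy for the current process only. The script path, the expected hash and the forwarded parameters are placeholders (assumptions); the page does not list which parameters wmi_config_param.ps1 accepts.

```powershell
# Added example, not part of the BMC page or of the wmi_config_param.zip archive.
# Verifies the downloaded configuration script before running it and avoids the
# machine-wide, persistent 'Set-ExecutionPolicy Unrestricted' used in the procedure.
# Assumptions: $ScriptPath points at the extracted script, and $ExpectedSha256 is
# the hash you recorded when you downloaded the archive (placeholder below).
param(
    [string]$ScriptPath     = '.\wmi_config_param.ps1',
    [string]$ExpectedSha256 = 'REPLACE-WITH-HASH-RECORDED-AT-DOWNLOAD',  # assumption
    [string[]]$ScriptArgs   = @()   # parameters forwarded to the script, if you override its defaults
)
$ErrorActionPreference = 'Stop'

# 1. Pin the script to a known hash so a tampered or wrong-version copy never runs.
$actual = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch for ${ScriptPath}: expected $ExpectedSha256, got $actual"
}

# 2. Report the Authenticode state. The page does not say the script is signed,
#    so NotSigned is only a warning; any other status (for example HashMismatch,
#    meaning a signed file was modified) is fatal.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
switch ($sig.Status) {
    'Valid'     { Write-Host "Signed by $($sig.SignerCertificate.Subject)" }
    'NotSigned' { Write-Warning "$ScriptPath is not Authenticode-signed; relying on the hash check" }
    default     { throw "Signature status '$($sig.Status)' for $ScriptPath; refusing to run" }
}

# 3. Files extracted from a downloaded ZIP usually carry the mark-of-the-web,
#    which RemoteSigned would block. Clear it only now that the hash is verified.
Unblock-File -LiteralPath $ScriptPath

# 4. Relax the execution policy for this process only. Unlike 'Unrestricted' at
#    the default LocalMachine scope, this leaves every other user and session on
#    the host with the policy they had before. The current policies are logged
#    first so the change is visible in a transcript.
Get-ExecutionPolicy -List | Out-String | Write-Verbose -Verbose
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# 5. Run the configuration script, forwarding any overrides for its defaults.
& $ScriptPath @ScriptArgs
```

Run it from the directory that holds the extracted script on each host. With the placeholder hash left in place the first check fails deliberately, so nothing runs until you have recorded the real value.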


Note

If the Active Directory server is remote from the SCCM server, additional configuration is necessary for both the Active Directory server and the SCCM Server.

Java requirement

To set up a connector, you must have the Java Runtime Environment (JRE) 1.8 installed on the host machine where you are running the connector.

To onboard an SCCM connector

  1. Log on to SecOps Response as a SecOps Response administrator with your registered credentials. 
  2. Take one of the following actions:
    • If you have already onboarded a connector, click Add Connector. The Choose Connectors page opens. Skip to step 4.
    • If you have not previously downloaded any connectors, an introductory page appears. Continue with step 3.

  3. Click Get Started.
    The Choose Connectors page appears. It lets you choose the system connectors that will interact with SecOps Response.  



  4. On the Choose Connectors page, select Microsoft System Center Configuration Manager (SCCM).
  5. Click Download.
  6. The Download page opens. It lists the connectors you have chosen.


     
  7. Download the connector for SCCM by clicking the download icon next to Microsoft System Center Configuration Manager (SCCM).zip.
    The connector is downloaded locally.
  8. Before starting the connector, ensure that Java 1.8 or later is running on the local environment.

    Tip

    To check which version of Java is installed, use a command line and enter the following: java -version

  9. Using any standard compression tool, extract the Microsoft System Center Configuration Manager (SCCM).zip file to the location where you want to install the connector.
  10. If necessary, configure parameters in the application.properties file, as described in Configuring the SCCM connector below.
    You can also modify the properties in the application.properties file at a later time and then restart the connector program (as described in the next step).
  11. Run the connector in the target environment by performing the following steps:
    1. Using a command line, cd to the location of the extracted ZIP file contents.
    2. Install the connector as a Windows service by entering the command: sccm-connector.exe install
    3. Start the connector by entering the command: sccm-connector.exe start
      To stop the connector, enter the command: sccm-connector.exe stop
  12. Using the onboarding interface, click Configure.
    The Configure page asks for information needed to set up a connection to a connector. The information requested depends on which connector you are configuring.
     
  13. Provide the following information for the SCCM system connector.

    SCCM Host: Fully qualified domain name or IP address of the SCCM server.
    SCCM Admin Role: The Active Directory group that is mapped to administrative permissions in SCCM. This group should be associated with SCCM security roles such as Full Administrator. Users who belong to this Active Directory group can perform administrative actions in SecOps Response, so keep its membership minimal and reviewed.
    SCCM Parent Shared Folder: A folder on the SCCM server that all SCCM clients can access, specified as a UNC path (of the form \\server\share\folder). Software updates are downloaded to this shared folder during remediation.
    SCCM Site Code: The three-character site code that uniquely identifies the Configuration Manager site.
  14. Click Finish
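Before you fill in the Configure page, the four values can be checked from the connector host. The following PowerShell is an added example, not part of the page or of the connector: it confirms that the SCCM host answers on WinRM, reads the site code from the SMS Provider's SMS_ProviderLocation class over a remote session, verifies that the shared folder is a UNC path that is reachable and writable, and lists the members of the admin group so you can see exactly who gains administrative rights in SecOps Response. The host name, group name, share and site code used as parameter defaults are assumed sample values; the remote query relies on the WinRM configuration described later on this page and the group check needs the RSAT Active Directory module installed earlier.

```powershell
# Added example (not from the BMC page or the connector): pre-flight checks for
# the four Configure page values, run on the connector host. The parameter
# defaults are assumed sample values; replace them with your own.
param(
    [string]$SccmHost     = 'sccm01.corp.example',                 # assumption
    [string]$AdminGroup   = 'SCCM-Full-Administrators',            # assumption
    [string]$SharedFolder = '\\sccm01.corp.example\SCCMSource$',   # assumption
    [string]$SiteCode     = 'P01'                                  # assumption
)
$results = [ordered]@{}

# 1. SCCM Host: the connector talks to the server over WinRM, so the listener
#    must answer before anything else is worth checking.
try {
    $null = Test-WSMan -ComputerName $SccmHost -ErrorAction Stop
    $results['WinRM listener'] = 'OK'
} catch {
    $results['WinRM listener'] = "FAIL: $($_.Exception.Message)"
}

# 2. SCCM Site Code: ask the SMS Provider which site it serves and compare it
#    with the code you intend to enter. SMS_ProviderLocation in root\SMS is the
#    standard Configuration Manager class for this.
try {
    $site = Invoke-Command -ComputerName $SccmHost -ErrorAction Stop -ScriptBlock {
        Get-CimInstance -Namespace 'root\SMS' -ClassName 'SMS_ProviderLocation' |
            Where-Object ProviderForLocalSite | Select-Object -First 1
    }
    $results['Site code'] = if ($site.SiteCode -eq $SiteCode) { "OK ($SiteCode)" }
        else { "MISMATCH: server reports '$($site.SiteCode)', you entered '$SiteCode'" }
} catch {
    $results['Site code'] = "FAIL: $($_.Exception.Message)"
}

# 3. SCCM Parent Shared Folder: must be a UNC path that this host can reach and
#    write to, because remediation downloads software updates into it.
if ($SharedFolder -notmatch '^\\\\[^\\]+\\[^\\]+') {
    $results['Shared folder'] = "FAIL: '$SharedFolder' is not a UNC path"
} elseif (-not (Test-Path -LiteralPath $SharedFolder)) {
    $results['Shared folder'] = "FAIL: '$SharedFolder' is not reachable from this host"
} else {
    $probe = Join-Path $SharedFolder ('preflight-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force
        $results['Shared folder'] = 'OK (reachable, writable)'
    } catch {
        $results['Shared folder'] = "WARN: reachable but not writable ($($_.Exception.Message))"
    }
}

# 4. SCCM Admin Role: the group must exist; its (recursive) membership is the
#    set of people who will be able to perform administrative actions.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $group   = Get-ADGroup -Identity $AdminGroup -ErrorAction Stop
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName)
    $results['Admin group'] = "OK ($($members.Count) members: $($members -join ', '))"
} catch {
    $results['Admin group'] = "FAIL: $($_.Exception.Message)"
}

$results.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
```

Run it under the account the connector service will use, so the share and remoting checks reflect that account's permissions rather than yours.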
     

Configuring the SCCM connector

You can configure some of the behavior of the SCCM connector using the application.properties file, which resides under the location where you extracted the connector: <extracted_zip_file>\connector\config\application.properties. If you modify any of the settings in this file, you must restart the connector program (sccm-connector.exe stop, then sccm-connector.exe start), as described above.

All communication between the SCCM connector and the SCCM server occurs by means of PowerShell processes. Each new request from SecOps Response creates a PowerShell process, and when the response is received from the SCCM server, that process is terminated.

Configuring PowerShell sessions on the SCCM connector

The number of concurrent PowerShell sessions is limited, but the limits are configurable. There are two types of limits: priority and normal. You configure them in the application.properties file on the SCCM connector, using the following properties (default values in parentheses):

    powershell.priority.max.session (default 20)
      The maximum number of concurrent PowerShell sessions that can be created for priority requests, such as logins. When the maximum is reached, new priority requests wait until a session becomes available.
    powershell.priority.wait.time (default 1)
      The maximum time in seconds to wait for a priority PowerShell session when the maximum number of priority sessions is already in use. For example, with the default of 20 priority sessions in use, the system waits this long for the next one to become available. If no priority session is available when the wait time elapses, the request fails with an error.
    powershell.normal.max.session (default 50)
      The maximum number of concurrent PowerShell sessions that can be created for requests other than priority requests. When the maximum is reached, new requests wait until a session becomes available.
    powershell.normal.wait.time (default 10)
      The maximum time in seconds to wait for a normal PowerShell session when the maximum number of normal sessions is already in use. For example, with the default of 50 normal sessions in use, the system waits this long for the next one to become available. If no normal session is available when the wait time elapses, the request fails with an error.

Configuring user session settings

You can also use the application.properties file to configure the behavior of user sessions on the SCCM connector. Most of these options let you configure how SecOps Response interacts with distribution points.

    sccm.adgroup.cache.refresh.interval (default 60)
      The interval in minutes after which the connector refreshes its Active Directory group cache. The SCCM connector caches the Active Directory group of the logged-in user so it can be reused for subsequent logins, so a change to group membership is not seen by the connector until the next refresh. The minimum value is 5 minutes.

    sccm.distribution.clearance.percentage (default 100)
      The percentage of distribution points to which the deployment package must be delivered before a deployment operation begins. For example:

      • 100 indicates the deployment package must be delivered to all distribution points before the operation begins.
      • 50 indicates the deployment package must be delivered to half of all distribution points before the operation begins.
      • 0 indicates no confirmation that the deployment package has been delivered is required before the operation begins.

    sccm.fetch.distribution.status.max.retry.count (default 2)
      The maximum number of polling attempts made to determine whether a deployment package has been delivered to a distribution point.

    sccm.fetch.distribution.status.retry.wait.time (default 5)
      How long to wait, in minutes, between polling attempts to determine whether a deployment package has been delivered to a distribution point.

    Note

    Even when a deployment operation times out because it has waited the specified amount of time for each retry, the operation still starts, because a client can obtain the deployment package from a backup distribution point or from the SCCM server itself. The job only fails when SCCM cannot find a deployment package for a targeted client.

    sccm.user.token.validity (default 60)
      The maximum idle time in minutes before a user session on the SCCM connector is terminated.
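The three distribution settings above interact: the clearance percentage sets how many distribution points must report the package, the retry count and wait time bound how long the connector polls, and the note explains that a timeout does not fail the job. The following PowerShell is an added illustration of that logic, not the connector's own code: Wait-DistributionClearance takes a status-query script block as a stand-in for the connector's real query, and the sample run drives it with a constructed list of distribution-point states (one lagging point that catches up on the second poll) with the wait scaled down so it finishes immediately.

```powershell
# Added illustration of the clearance/retry/wait semantics above; not connector code.
# $GetStatus stands in for the connector's real distribution-point status query and
# must return one $true/$false per distribution point (package delivered or not).
function Wait-DistributionClearance {
    param(
        [Parameter(Mandatory)][scriptblock]$GetStatus,
        [int]$ClearancePercentage = 100,   # sccm.distribution.clearance.percentage
        [int]$MaxRetryCount       = 2,     # sccm.fetch.distribution.status.max.retry.count
        [double]$WaitMinutes      = 5,     # sccm.fetch.distribution.status.retry.wait.time
        [double]$SecondsPerMinute = 60     # shrink this for a dry run
    )
    # 0 % means no confirmation is needed: start immediately without polling.
    if ($ClearancePercentage -le 0) {
        return [pscustomobject]@{ Cleared = $true; Attempts = 0; Delivered = $null; Required = 0 }
    }
    $done = 0; $required = 0
    for ($attempt = 1; $attempt -le $MaxRetryCount; $attempt++) {
        $states   = @(& $GetStatus)
        $required = [math]::Ceiling($states.Count * $ClearancePercentage / 100)
        $done     = @($states | Where-Object { $_ }).Count
        if ($done -ge $required) {
            return [pscustomobject]@{ Cleared = $true; Attempts = $attempt; Delivered = $done; Required = $required }
        }
        # Wait only between attempts, not after the last one.
        if ($attempt -lt $MaxRetryCount) {
            Start-Sleep -Milliseconds ([int]($WaitMinutes * $SecondsPerMinute * 1000))
        }
    }
    # Timed out. Per the note above the deployment still proceeds (clients can fall
    # back to another distribution point or the site server), so report, do not throw.
    return [pscustomobject]@{ Cleared = $false; Attempts = $MaxRetryCount; Delivered = $done; Required = $required }
}

# Constructed scenario: four distribution points, the last one lags behind by one poll.
$script:polls = 0
$laggingPoint = {
    $script:polls++
    if ($script:polls -ge 2) { $true, $true, $true, $true } else { $true, $true, $true, $false }
}

# Defaults (100 %, 2 retries): the second poll clears, Attempts = 2, Delivered = 4 of 4.
Wait-DistributionClearance -GetStatus $laggingPoint -SecondsPerMinute 0.001 | Format-List

# At 50 % the first poll already clears (3 delivered, 2 required).
$script:polls = 0
Wait-DistributionClearance -GetStatus $laggingPoint -ClearancePercentage 50 -SecondsPerMinute 0.001 | Format-List

# With a single retry and 100 % the lagging point is never seen, Cleared = False,
# yet the caller would still start the deployment, as the note describes.
$script:polls = 0
Wait-DistributionClearance -GetStatus $laggingPoint -MaxRetryCount 1 -SecondsPerMinute 0.001 | Format-List
```

Running the three scenarios shows why a low clearance percentage plus a short wait only shortens the pause before the operation starts; it does not decide whether the job succeeds, which SCCM determines per client.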


Configuring PowerShell sessions on the SCCM server

Communication between the SCCM server and the SCCM connector is based on PowerShell sessions carried over Windows Remote Management (WinRM). For the connector to function correctly, some WinRM configuration on the SCCM server is necessary.

Establishing the recommended configuration for PowerShell

To set up PowerShell remoting on the SCCM server, BMC recommends the following procedure, run from an elevated PowerShell window:

  1. Allow remote shells to access PowerShell on the SCCM server by running the following command:
    winrm set winrm/config/winrs '@{AllowRemoteShellAccess="true"}'
  2. Set the maximum number of shells per user by running the following command:
    winrm set winrm/config/winrs '@{MaxShellsPerUser="100"}'
  3. Restart the WinRM service on the SCCM server (a reboot of the server is not required):
    Restart-Service winrm

Setting the maximum number of concurrent sessions

The total number of priority and normal PowerShell sessions (powershell.priority.max.session plus powershell.normal.max.session on the connector) must not exceed the value of the MaxConcurrentUsers attribute in the winrs configuration on the SCCM server. By default, the SCCM server sets MaxConcurrentUsers to 50. Set it to at least 70, because the default SecOps Response configuration is 50 normal sessions plus 20 priority sessions; if you raise the connector limits, raise MaxConcurrentUsers accordingly.

To determine the current maximum number of concurrent sessions and modify it if necessary, use the following procedure:

  1. Determine the existing configuration by running the following command:
    winrm get winrm/config/winrs
  2. Set the MaxConcurrentUsers attribute by running the following command:
    winrm set winrm/config/winrs '@{MaxConcurrentUsers="70"}'
  3. Restart the WinRM service on the SCCM server:
    Restart-Service winrm

Setting the maximum number of shells per user

If you expect to generate thousands of actionable vulnerabilities, set the MaxShellsPerUser attribute higher than the value of 100 set in the recommended configuration above. BMC recommends setting this value to 250.

  1. Determine the existing configuration by running the following command:
    winrm get winrm/config/winrs
  2. Set the MaxShellsPerUser attribute by running the following command:
    winrm set winrm/config/winrs '@{MaxShellsPerUser="250"}'
  3. Restart the WinRM service on the SCCM server:
    Restart-Service winrm
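The connector-side session limits (Configuring PowerShell sessions on the SCCM connector) and the server-side winrs limits in the last three sections must agree, and the page states the rule only in prose. The following PowerShell is an added example, not part of the page or the connector, that checks the rule from the connector host: it reads powershell.priority.max.session and powershell.normal.max.session from application.properties (applying the documented defaults of 20 and 50 when a key is absent), reads MaxConcurrentUsers, MaxShellsPerUser and AllowRemoteShellAccess from the SCCM server with winrm get, and warns when the budget is exceeded or the recommended values are not met. The server name is an assumed placeholder. It also compares the session total against MaxShellsPerUser; that comparison assumes the connector opens all of its sessions under one service account, which the page does not state.

```powershell
# Added example (not from the BMC page or the connector): compare the connector's
# PowerShell session limits with the winrs limits on the SCCM server.
param(
    [string]$PropertiesPath = '.\connector\config\application.properties',
    [string]$SccmHost       = 'sccm01.corp.example',   # assumption
    [int]$RecommendedShellsPerUser = 250
)

function Read-JavaProperties([string]$Path) {
    # Minimal reader for Java .properties files: key=value or key:value, comment
    # lines start with '#' or '!'. Line continuations are not handled.
    $map = @{}
    if (-not (Test-Path -LiteralPath $Path)) { return $map }
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('#') -or $t.StartsWith('!')) { continue }
        $k, $v = $t -split '[=:]', 2
        if ($null -ne $v) { $map[$k.Trim()] = $v.Trim() }
    }
    return $map
}

function Get-IntSetting($Map, [string]$Key, [int]$Default) {
    if ($Map.ContainsKey($Key)) { [int]$Map[$Key] } else { $Default }
}

function Read-WinrsConfig([string]$ComputerName) {
    # 'winrm get' prints lines such as '    MaxConcurrentUsers = 50'; fold them into a hashtable.
    $cfg = @{}
    foreach ($line in (winrm get winrm/config/winrs -r:$ComputerName 2>&1)) {
        if ("$line" -match '^\s*(\w+)\s*=\s*(\S.*?)\s*$') { $cfg[$matches[1]] = $matches[2] }
    }
    if ($cfg.Count -eq 0) { throw "Could not read the winrs configuration from $ComputerName" }
    return $cfg
}

$props     = Read-JavaProperties $PropertiesPath
$priority  = Get-IntSetting $props 'powershell.priority.max.session' 20   # documented default
$normal    = Get-IntSetting $props 'powershell.normal.max.session'   50   # documented default
$needed    = $priority + $normal
$winrs     = Read-WinrsConfig $SccmHost
$maxUsers  = [int]$winrs['MaxConcurrentUsers']
$maxShells = [int]$winrs['MaxShellsPerUser']

"Connector limits: priority=$priority normal=$normal total=$needed"
"Server winrs:     MaxConcurrentUsers=$maxUsers MaxShellsPerUser=$maxShells AllowRemoteShellAccess=$($winrs['AllowRemoteShellAccess'])"

if ($winrs['AllowRemoteShellAccess'] -ne 'true') {
    Write-Warning 'AllowRemoteShellAccess is not true on the SCCM server; remote shells will be refused'
}
if ($needed -gt $maxUsers) {
    Write-Warning "Session budget exceeded ($needed > MaxConcurrentUsers=$maxUsers). On the SCCM server run: winrm set winrm/config/winrs '@{MaxConcurrentUsers=""$needed""}' and then Restart-Service winrm"
}
# Assumption: all connector sessions are opened by one service account, so the
# per-user shell cap must also hold the total.
if ($maxShells -lt $needed) {
    Write-Warning "MaxShellsPerUser=$maxShells is below the connector's session total of $needed"
}
if ($maxShells -lt $RecommendedShellsPerUser) {
    Write-Warning "MaxShellsPerUser=$maxShells is below the recommended value of $RecommendedShellsPerUser"
}
```

Run it after editing application.properties and again after changing the winrs settings, so the two sides are checked against each other rather than against the defaults quoted in this topic.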


Where to go from here

To learn more about the SecOps Response process, see Demonstrating the SecOps Response process.


