KACE Systems Management Appliance (SMA)
Please tell us how you’d like to see the KACE Systems Management Appliance product improved!
51 results found
-
System level LDAP Authentication
System level LDAP Authentication, and Roles.
Allow the same mechanism used at the Org level for Authentication and Role assignment at the System level
9 votes -
The System Performance page (MUNIN) is visible to the public!
The System Performance page or MUNIN must be secured and locked down to allow viewing only by system administrators. We cannot have this System Performance graph (https://<K1000_HOSTNAME>/munin/) visible to the public!
8 votes -
Allow other roles to add and/or manage credentials
Currently, the 'Credentials' section of Settings is only "editable" for users in the Administrator role. It would be much more flexible to allow users in other roles to edit (or at least add new) credentials.
If someone is given rights to add new scripts, we would commonly want to also give them rights to use custom credentials for that script.
7 votes -
Ability to disable weak TLS Ciphers
KACE currently does not support disabling weak ciphers that are part of TLS 1.2. You can go to this site https://www.ssllabs.com/ssltest/ and enter the DNS name for your appliance and find many weak ciphers in use by KACE. This caused our company to have a medium security risk finding that we can't fix. As a government contractor this can become critical to the point of switching to another product if this can't be resolved. I manage other products that let us easily choose which ciphers we want to enable/disable.
7 votes -
Support Additional LSA Protection
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
LSA can be configured to run as a protected process, to make attacks such as pass-the-hash more difficult. For more information on enabling additional LSA protection:
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
KACE looks to implement an LSA plug-in (KaceCredentialProvider.dll), which would need to support running LSA in this way.
Support case SR4837981 confirmed this isn't something Quest currently supports.
6 votes -
User settable 2FA Settings, Fine-grained 2FA Settings
The current 2FA implementation is extremely lacking. I only seem to be able to find the prompt to scan a 2FA code after first toggling it on, and then from the administrator panel when looking up users. Virtually every other 2FA I've configured gives an option in user settings to manage their 2FA codes. Without letting users do that you are asking for lockout issues if a user has to get a new phone, this should not be hidden in the User administration area, unless admins want to hide that from users.
Furthermore, we should have more fine-grained settings to…
6 votes -
The K1000 about page is visible to the public!
The about page located at http://<K1000_HOSTNAME>/common/about.php contains summary information of the system and should be locked down.
5 votes -
Specific Script Permissions and Availability based on Role or Label Membership
We have a situation where we would like to have a user be able to run a task that requires elevated permissions. We would be able to do this through KACE, because we can give the user a login, and access to the scripts. The only issue is we don't want the user to have access to all of the scripts. If there could be a way to configure within the Role or by Membership to a label, we could control what scripts a particular user might have the ability to run.
5 votes -
Provide support for Microsoft Authenticator
We have enabled MFA for the user and admin portals. Users are told to complete MFA with Google Authenticator. However we are a Microsoft customer and all of our users utilize Microsoft Authenticator to complete MFA requests. Please allow the ability for users to complete MFA requests using the Microsoft Authenticator app.
5 votes -
Allow more granularity between helpdesk queues with regards to roles and permissions
I have a "Helpdesk" queue and a "Compliance" queue. I need a user to have admin role in his own queue, however I not be able to have the same rights in the "Helpdesk" queue. I need him only to be able to view his tickets in helpdesk queue and to be able transfer them to the Compliance queue when needed.
We have a few users who need different roles based on the queue they are using while still using the same user ID. Currently as it stands some of the users have access to more function than they should…
4 votes -
Allow accounts in the Active Directory Protected Users group to login
When we upgraded Active Directory to a newer version, we were able to use the Protected Users built in group to enhance the security of our privileged accounts. Unfortunately, members of this AD group are denied login to the Kace admin console. Our only recourse is to remove our privileged user account from that Protected User group and lower the security in other applications.
4 votes -
Service Desk - Security for Choose Action Options
Allow the ability through roles to lock down the Choose Action options for users. This will keep users from making mass changes to tickets (priority, status, etc.) which can have adverse effects on other users, report statistics, etc.
4 votes -
Manually re-enable user accounts after brute force lockout
Brute Force Prevention is enabled in the security settings. As an example, you can have the system "disable" a user account for up to 999 minutes after x number of failed attempts.
If a user's account is "disabled", there is no way for an admin to simply login and re-enable the account. They will receive the message "Login Failed: Exceeded failed login attempts".
According to chat support, if we are synced with LDAP, the user's AD account should be locked out as well. That is not the case for our scenario.
To work around this issue, I have to change…
4 votes -
Ability to change the webui port
With agent communication going over 443 and the webui port being 443 as well the device cannot securely sit behind a radius firewall that requires dual factor authentication.
4 votes -
Disable "Updated Patches Available" and "New Dell Updates Available"
Disable the "Updated Patches Available" and "New Dell Updates Available" report that KSMA sends automatically.
It should be great to set it as an option (enable\disable, sender\recipient address, etc) in the "Patch and Feature Update Download Settings" or "Dell Update Download Settings".
Thank you
Marco
3 votes -
Allow scheduling icon to appear even if LDAP login/password are not provided
The KBOX seems to require the specification of an LDAP login name and password in order for the scheduling icon to show up. Since our LDAP server does not require a LDAP login/password (all of the relevant user data is visible via anonymous bind), we left those fields blank. When I created a dummy LDAP account just for the purpose of binding, and specified this account for the LDAP login/password, the scheduling icon showed up again.
Ideally it would be good if this limitation could be removed (so that an LDAP login/password is not required to get the scheduling icon…
3 votes -
Increase node quarantine details
Is there a way to increase the quarantine detail for nodes that are in quarantine? It would be helpful to get other items like our Custom inventory fields. Currently, it's limited and without more data, we can't ascertain if this is a computer that should be allowed.
3 votes -
Add option for "Max Concurrent Devices to Receive Patches"
Currently we are using the K1000 to do all of our Windows patching. We have run into the problem where we have some users who are on our VPN and never receive patches. Our bandwidth for our VPN is rather limited, so adding something in to say "only 2 people can receive patches at a time" for a specific schedule would be fantastic as it would reduce bandwidth consumption and allow us to patch our remote users consistently.
3 votes -
Auto-retry failed patch detect and deploys
Occasionally patch detection or deployment fails usually due to machines going offline. The failure is reported back in the stats but nothing is done about it and this can result in a machine remaining insecure for an extended period.
I suggest detects and deploys auto-retry in a similar manner to Managed Installs, say by default three times, next time the machine is online. This should ensure a higher success rate overall and I imagine would be easy to implement.
Now that users have more control over reboots the resulting delay in the patch deployment (pushing it outside of the…
3 votes -
Admin Portal Not Accessible Externally
Stop the enforcement of the Admin Portal being available for external use.
To clarify - In order for Agents to check in to the appliance, the appliance must be externally facing. This causes a massive security risk as when the appliance is externally facing, the Admin portal is also external.
While default passwords can be changed and security can be increased as much as possible, the ability to have agents check in externally, without an admin portal being accessible is a necessity with regards to security.
3 votes