KACE Systems Management Appliance (SMA)
Please tell us how you’d like to see the KACE Systems Management Appliance product improved!
49 results found
-
Service desk ticket number info in Antivirus Quarantine page, clamav
Service desk attachments are scanned by antivirus since v13, however the antivirus quarantine page does not show many details. The Destination column shows Service Desk only; it would be helpful if there were a column with the Service Desk ticket number to which the email is related, from where the attachment was scanned and the virus found.
10 votes
At this time, we're already considering how we'd want to approach this. We knew you'd ask!
Part of the story we need to consider is that an attachment can be linked to many tickets, so imagine a compromised graphic file [logo] in every email signature that's opening tickets.
We're thinking through it too, but please let us know in the comments what you'd like!
-
Manually re-enable user accounts after brute force lockout
Brute Force Prevention is enabled in the security settings. As an example, you can have the system "disable" a user account for up to 999 minutes after x number of failed attempts.
If a user's account is "disabled", there is no way for an admin to simply login and re-enable the account. They will receive the message "Login Failed: Exceeded failed login attempts".
According to chat support, if we are synced with LDAP, the user's AD account should be locked out as well. That is not the case for our scenario.
To work around this issue, I have to change…
3 votes -
Add support for 'Forward Secrecy' to the KACE SMA
Add support for 'Forward Secrecy' to the KACE SMA
https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy
This will allow the KACE SMA to pass the SSL Labs testing with a grade higher than a B:
https://www.ssllabs.com/ssltest/analyze.html
3 votes -
Splunk
Add Splunk to subscription services so it can update during patching.
1 vote -
Change "Session Expired: Please log in again." Screen to "Ok" button.
When I login after my session has expired I am redirected to the login screen where I have to login a second time. Support says this is because the page was cached.
I would like the "Session Expired" screen to have an "Ok" button that redirects you to the login screen to avoid having to login twice if the page is cached.
3 votes -
Add HTTP Headers
Either have the appliance implement all secure headers or allow users to add and/or change additional HTTP headers so all headers can be considered secure. Currently, there is no option to add or edit the content-security policy header.
10 votes -
Increase node quarantine details
Is there a way to increase the quarantine detail for nodes that are in quarantine? It would be helpful to get other items like our Custom inventory fields. Currently, it's limited and without more data, we can't ascertain if this is a computer that should be allowed.
3 votes -
Disable "Updated Patches Available" and "New Dell Updates Available"
Disable the "Updated Patches Available" and "New Dell Updates Available" report that KSMA sends automatically.
It would be great to set it as an option (enable\disable, sender\recipient address, etc) in the "Patch and Feature Update Download Settings" or "Dell Update Download Settings".
Thank you
Marco
3 votes -
Please add support for Duo 2FA
Please add support for Duo 2FA
22 votes -
Splunk TA/App for SMA
After being promised Splunk connectivity during our sales process, we found that the data exported through syslog is very limited. I have spoken with Joshua Herrera and Stacy Pickering regarding this and was politely told that nothing can be done to increase syslog verbosity or install a Splunk UF on our tenant. This sounds like the only option is for Kace to produce a Splunk TA/App that would allow secure API based connectivity and near real-time log collection via the Kace API.
For the sake of maintaining us as your customer, I implore you to please author a Splunk TA/APP…
12 votes -
Admin Portal Not Accessible Externally
Stop the enforcement of the Admin Portal being available for external use.
To clarify - In order for Agents to check in to the appliance, the appliance must be externally facing. This causes a massive security risk as when the appliance is externally facing, the Admin portal is also external.
While default passwords can be changed and security can be increased as much as possible, the ability to have agents check in externally, without an admin portal being accessible is a necessity with regards to security.
3 votes -
root
It would be nice to be able to use p7b certificates on Kace SMA appliance so we don't have to make an exception rule on the firewall's decryption to allow traffic. Unless we install the cert on the appliance, traffic to the appliance won't decrypt at the firewall which seems to prevent updates from downloading to the appliance. For security reasons, we'd prefer to implement the decryption cert rather than make an exception rule to allow the traffic. Appreciate if this feature could be considered in future releases.
1 vote -
Allow accounts in the Active Directory Protected Users group to login
When we upgraded Active Directory to a newer version, we were able to use the Protected Users built in group to enhance the security of our privileged accounts. Unfortunately, members of this AD group are denied login to the Kace admin console. Our only recourse is to remove our privileged user account from that Protected User group and lower the security in other applications.
4 votes -
Require ability to whitelist MFA
Currently we have MFA turned on for the SMA. Users are prompted to perform MFA when they login each day. We ask that we have the ability to define an IP exclusion or whitelist where users located on the internal network would be exempt from MFA. Currently, OKTA & Microsoft & Citrix provide whitelist capabilities. We would expect the same feature from KACE.
10 votes -
Ability to disable weak TLS Ciphers
KACE currently does not support disabling weak ciphers that are part of TLS 1.2. You can go to this site https://www.ssllabs.com/ssltest/ and enter the DNS name for your appliance and find many weak ciphers in use by KACE. This caused our company to have a medium security risk finding that we can't fix. As a government contractor this can become critical to the point of switching to another product if this can't be resolved. I manage other products that let us easily choose which ciphers we want to enable/disable.
7 votes -
Support Additional LSA Protection
The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.
LSA can be configured to run as a protected process, to make attacks such as pass-the-hash more difficult. For more information on enabling additional LSA protection:
https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection
KACE looks to implement an LSA plug-in (KaceCredentialProvider.dll), which would need to support running LSA in this way.
Support case SR4837981 confirmed this isn't something Quest currently supports.
6 votes -
Provide support for Microsoft Authenticator
We have enabled MFA for the user and admin portals. Users are told to complete MFA with Google Authenticator. However we are a Microsoft customer and all of our users utilize Microsoft Authenticator to complete MFA requests. Please allow the ability for users to complete MFA requests using the Microsoft Authenticator app.
5 votes -
Ubuntu Encryption Reporting
Drive Encryption reports no data available on Ubuntu systems. Reporting needs to be added similar to how Kace reports BitLocker and/or FileVault.
50 votes -
Disable server-status page
Currently if you go to the SMA site page /server-status (kbox.domain.com/server-status) it will tell you that access is denied due to a lack of permissions. There should be an option to completely disable this page from visibility. This is most important to customers like us who host the appliance externally. Attackers could scan our domain and see that there is an Apache server active at the address and could plan a more focused attack against it.
We only host our appliance externally so that workers with endpoints at home and abroad are able to still be managed by the SMA.…
1 vote -
Allow more granularity between helpdesk queues with regards to roles and permissions
I have a "Helpdesk" queue and a "Compliance" queue. I need a user to have admin role in his own queue, however he should not be able to have the same rights in the "Helpdesk" queue. I need him only to be able to view his tickets in helpdesk queue and to be able to transfer them to the Compliance queue when needed.
We have a few users who need different roles based on the queue they are using while still using the same user ID. Currently as it stands some of the users have access to more functions than they should…
4 votes