SMA (K1000)

Please tell us how you’d like to see the Systems Management Appliance product improved!

  1. Allow other roles to add and/or manage credentials

    Currently, the 'Credentials' section of Settings is only "editable" for users in the Administrator role. It would be much more flexible to allow users in other roles to edit (or at least add new) credentials.

    If someone is given rights to add new scripts, we would commonly want to also give them rights to use custom credentials for that script.

    7 votes
    0 comments  ·  Security
  2. Support Additional LSA Protection

    The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies.

    LSA can be configured to run as a protected process, to make attacks such as pass-the-hash more difficult. For more information on enabling additional LSA protection:
    https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection

    KACE looks to implement an LSA plug-in (KaceCredentialProvider.dll), which would need to support running LSA in this way.

    Support case SR4837981 confirmed this isn't something Quest currently supports.

    6 votes
    0 comments  ·  Security
  3. User settable 2FA Settings, Fine-grained 2FA Settings

    The current 2FA implementation is extremely lacking. I only seem to be able to find the prompt to scan a 2FA code after first toggling it on, and then from the administrator panel when looking up users. Virtually every other 2FA I've configured gives an option in user settings to manage their 2FA codes. Without letting users do that you are asking for lockout issues if a user has to get a new phone. This should not be hidden in the User administration area, unless admins want to hide that from users.

    Furthermore, we should have more fine-grained settings to…

    6 votes
    0 comments  ·  Security
  4. The K1000 about page is visible to the public!

    The about page located at http://<K1000_HOSTNAME>/common/about.php contains summary information of the system and should be locked down.

    5 votes
    0 comments  ·  Security
  5. Specific Script Permissions and Availability based on Role or Label Membership

    We have a situation where we would like to have a user be able to run a task that requires elevated permissions. We would be able to do this through KACE, because we can give the user a login, and access to the scripts. The only issue is we don't want the user to have access to all of the scripts. If there could be a way to configure within the Role or by Membership to a label, we could control what scripts a particular user might have the ability to run.

    5 votes
    1 comment  ·  Security
  6. Provide support for Microsoft Authenticator

    We have enabled MFA for the user and admin portals. Users are told to complete MFA with Google Authenticator. However we are a Microsoft customer and all of our users utilize Microsoft Authenticator to complete MFA requests. Please allow the ability for users to complete MFA requests using the Microsoft Authenticator app.

    5 votes
    0 comments  ·  Security
  7. Ability to change the webui port

    With agent communication going over 443 and the webui port being 443 as well the device cannot securely sit behind a radius firewall that requires dual factor authentication.

    4 votes
    0 comments  ·  Security
  8. Service Desk - Security for Choose Action Options

    Allow the ability through roles to lock down the Choose Action options for users. This will keep users from making mass changes to tickets (priority, status, etc.) which can have adverse effects on other users, report statistics, etc.

    4 votes
    0 comments  ·  Security
  9. Automate changing local admin passwords on large Organizations

    We are required by Policy to change local admin passwords quarterly and upon staff departure. This results in over 600 manual password changes.

    Does Quest have a way to automate this, or could a Tool/KBin be created so we can input a password and apply it to our servers?

    4 votes
    0 comments  ·  Security
  10. Allow more granularity between helpdesk queues with regards to roles and permissions

    I have a "Helpdesk" queue and a "Compliance" queue. I need a user to have the admin role in his own queue; however, he should not be able to have the same rights in the "Helpdesk" queue. I need him only to be able to view his tickets in the Helpdesk queue and to be able to transfer them to the Compliance queue when needed.

    We have a few users who need different roles based on the queue they are using while still using the same user ID. Currently as it stands some of the users have access to more functions than they should…

    4 votes
    0 comments  ·  Security
  11. Ability to disable weak TLS Ciphers

    KACE currently does not support disabling weak ciphers that are part of TLS 1.2. You can go to this site https://www.ssllabs.com/ssltest/ and enter the DNS name for your appliance and find many weak ciphers in use by KACE. This caused our company to have a medium security risk finding that we can't fix. As a government contractor this can become critical to the point of switching to another product if this can't be resolved. I manage other products that let us easily choose which ciphers we want to enable/disable.

    4 votes
    0 comments  ·  Security
  12. Admin Portal Not Accessible Externally

    Stop the enforcement of the Admin Portal being available for external use.

    To clarify - In order for Agents to check in to the appliance, the appliance must be externally facing. This causes a massive security risk as when the appliance is externally facing, the Admin portal is also external.

    While default passwords can be changed and security can be increased as much as possible, the ability to have agents check in externally, without an admin portal being accessible is a necessity with regards to security.

    3 votes
    0 comments  ·  Security
  13. Allow scheduling icon to appear even if LDAP login/password are not provided

    The KBOX seems to require the specification of an LDAP login name and password in order for the scheduling icon to show up. Since our LDAP server does not require an LDAP login/password (all of the relevant user data is visible via anonymous bind), we left those fields blank. When I created a dummy LDAP account just for the purpose of binding, and specified this account for the LDAP login/password, the scheduling icon showed up again.

    Ideally it would be good if this limitation could be removed (so that an LDAP login/password is not required to get the scheduling icon…

    3 votes
    0 comments  ·  Security
  14. Disable "Updated Patches Available" and "New Dell Updates Available"

    Disable the "Updated Patches Available" and "New Dell Updates Available" report that KSMA sends automatically.

    It would be great to set it as an option (enable\disable, sender\recipient address, etc.) in the "Patch and Feature Update Download Settings" or "Dell Update Download Settings".

    Thank you
    Marco

    3 votes
    0 comments  ·  Security
  15. Add option for "Max Concurrent Devices to Receive Patches"

    Currently we are using the K1000 to do all of our Windows patching. We have run into the problem where we have some users who are on our VPN and never receive patches. Our bandwidth for our VPN is rather limited, so adding something in to say "only 2 people can receive patches at a time" for a specific schedule would be fantastic as it would reduce bandwidth consumption and allow us to patch our remote users consistently.

    3 votes
    0 comments  ·  Security
  16. Auto-retry failed patch detect and deploys

    Occasionally patch detection or deployment fails, usually due to machines going offline. The failure is reported back in the stats but nothing is done about it and this can result in a machine remaining insecure for an extended period.

    I suggest detects and deploys auto-retry in a similar manner to how Managed Installs do, say by default three times, next time the machine is online. This should ensure a higher success rate overall and I imagine would be easy to implement.

    Now that users have more control over reboots the resulting delay in the patch deployment (pushing it outside of the…

    3 votes
    0 comments  ·  Security
  17. Firewall for all traffic, not just httpd

    Even with ssh disabled from the web gui, I get a lot of messages re: sshd login attempts. I'd rather have all traffic outside my subnets dropped except for connection to Kace update servers.

    2 votes
    0 comments  ·  Security
  18. Disable server-status page

    Currently if you go to the SMA site page /server-status (kbox.domain.com/server-status) it will tell you that access is denied due to a lack of permissions. There should be an option to completely disable this page from visibility. This is most important to customers like us who host the appliance externally. Attackers could scan our domain and see that there is an Apache server active at the address and could plan a more focused attack against it.

    We only host our appliance externally so that workers with endpoints at home and abroad are able to still be managed by the SMA.…

    1 vote
    1 comment  ·  Security
  19. Retrieve Windows defender signature version from server/workstations

    Add the ability to retrieve the Windows Defender signature version. The inventory already gathers the version information but not the signature version.

    1 vote
    0 comments  ·  Security
  20. Add Dell Update support for Dell Embedded Box PC

    Please add Dell Update support for Dell Embedded PCs (5000 and 7000).

    1 vote
    0 comments  ·  Security