.. Reminder for header structure:
   Parts (H1)          : #################### with overline
   Chapters (H2)       : ******************** with overline
   Sections (H3)       : ====================
   Subsections (H4)    : --------------------
   Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
   Paragraphs (H6)     : """"""""""""""""""""

.. meta::
  :description: Using the WAPT Console advanced features
  :keywords: WAPT, advanced, features, documentation.

.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
  :scale: 3%
  :alt: WAPT Enterprise feature only

.. |ok| image:: wapt-resources/icon-ok.png
  :scale: 5%
  :alt: Feature available

.. |nok| image:: wapt-resources/icon-nok.png
  :scale: 5%
  :alt: Feature not available

.. _wapt_console_advanced:

########################################
Using the WAPT Console advanced features
########################################

This page details the advanced use of the WAPT Console.

.. _wapt_profile_bundles:

**************************************************
Using profile bundles in WAPT |enterprise_feature|
**************************************************

Working principle
=================

WAPT Enterprise offers an Active Directory *profile* bundle functionality.

The *profile* bundle automates the installation of WAPT packages and configuration packages on hosts based on their membership of Active Directory Computer Security Groups.

The WAPT Agent will report to the WAPT Server the Active Directory groups to which the host belongs.

If a *profile* package has the same name as an Active Directory group, then the WAPT Agent will automatically install the *profile* package for the Active Directory group of which the host is a member.

If the host is no longer a member of its Active Directory group, then the matching *profile* package will be uninstalled.

*Profile* packages are stored in the web directory https://srvwapt.mydomain.lan/wapt/.

*Profile* packages are not explicitly assigned to the host (i.e. as dependencies in the *host* package) but are implicitly taken into account by the WAPT Agent dependency engine during WAPT upgrades.

.. note::

  For performance reasons, this feature is enabled only if the :code:`use_ad_groups` option is enabled in the :file:`wapt-get.ini` configuration file of the WAPT Agent.

.. important::

  **The Active Directory Computers security groups and sub-groups contain Computers, not Users**.

.. figure:: wapt-resources/windows_rsat_computer-groups_container-window.png
  :align: center
  :alt: Window showing the Computers group in Active Directory

  Window showing the Computers group in Active Directory

.. warning::

  Automatically installing software and configurations based on user and user group membership is not implemented with WAPT and such implementation is not desirable.
  The use case of installing software based on user profile is better served with the differentiated :ref:`self-service ` feature that is also available with WAPT Enterprise.

The name of the group **MUST** be lower case in Active Directory and in the WAPT Console.

Creating WAPT *profile* bundles in the WAPT Console
===================================================

You can create *profile* bundle WAPT packages by clicking on :menuselection:`Make package template from setup file --> AD profile`.

.. image:: wapt-resources/wapt_console_package-type_menu-list.png
  :align: center
  :alt: Creating a WAPT *profile* bundle

.. important::

  Requirements:

  * The *profile* AD group name and the *profile* package **MUST** be all lower case.

  Example:

  * AD Security group: **hw_laptops**;

  * WAPT profile bundle: **hw_laptops**.

A window opens and you are prompted to choose which WAPT packages are to be included in the newly created **profile** bundle.

.. figure:: wapt-resources/wapt_console_profile-bundle-create-group_container-window.png
  :align: center
  :alt: Adding WAPT packages to a *profile* bundle in the WAPT Console

  Adding WAPT packages to a *profile* bundle in the WAPT Console

Save the *profile* bundle and it will be uploaded to the WAPT Server.

.. _wapt_unit_package:

***************************************************************
Using Organizational Unit packages in WAPT |enterprise_feature|
***************************************************************

Working principle
=================

WAPT Enterprise offers Organizational Unit package functionality.

**Unit packages automate software and configuration installations based on the Active Directory tree**.

It is a very powerful feature when used properly.

*Unit* packages are not explicitly assigned to the host (i.e. as dependencies in the host package) but are implicitly taken into account by the WAPT Agent dependency engine during the WAPT upgrade.

.. note::

  If the computer is removed from an Organizational Unit, obsolete *unit* packages are removed.

The WAPT Agent is aware of its position in the Active Directory tree structure, therefore it knows the hierarchy of Organizational Units that concerns it, for example:

.. code-block:: bash

  DC=ad,DC=mydomain,DC=lan
  OU=Paris,DC=ad,DC=mydomain,DC=lan
  OU=computers,OU=Paris,DC=ad,DC=mydomain,DC=lan
  OU=service1,OU=computers,OU=Paris,DC=ad,DC=mydomain,DC=lan

If a *unit* package is defined on each Organizational Unit level, the WAPT Agent will automatically download WAPT packages and configurations that are attached to each level.
Using inheritance, WAPT will apply WAPT packages and dependencies that are attached to each Organizational Unit.

.. _create_edit_ou_packages:

Creating Organizational Unit packages
=====================================

You can create *unit* packages by :menuselection:`Right-clicking on an OU --> Create or Edit Organizational Unit package`.

.. image:: wapt-resources/wapt_console_organizational-unit_menu-list.png
  :align: center
  :alt: Menu options applicable to *unit* WAPT packages

A window opens and you are prompted to choose which packages to include in the *unit* bundle.

.. GIF

.. figure:: wapt-resources/wapt_console_unit-create-package_container-window.png
  :align: center
  :alt: Adding WAPT packages to a unit bundle

  Adding WAPT packages to a unit bundle

Save the WAPT package and it will be deployed to all hosts belonging to the selected :abbr:`OU (Organizational Unit)`.

When you have a **unit** bundle, you will see a cube before the OU name in the WAPT Console.

.. image:: wapt-resources/wapt_console_organizational-unit_create-rule.png
  :align: center
  :alt: Organizational Unit with a rule set

.. _update_host_ou:

Actions available with Organizational Units
===========================================

.. image:: wapt-resources/wapt_console_organizational-unit_menu-list.png
  :align: center
  :alt: Menu options applicable to Organizational Units

.. list-table:: Menu items for creating or editing Organizational Unit package
  :header-rows: 1
  :widths: auto
  :align: center

  * - Menu item
    - Description
  * - The :guilabel:`Create or Edit Organizational Unit package` menu item
    - :ref:`Visit this documentation for more details on creating or editing OU packages `.
  * - The :guilabel:`Check updates on all hosts of this OU` menu item
    - Uploads the current state of the host to the WAPT Server and forces the WAPT Server to display whether the hosts in the selected :abbr:`OU (Organizational Unit)` have pending updates.
  * - The :guilabel:`Apply upgrades on all hosts of the OU` menu item
    - Applies waiting WAPT :ref:`updates ` and :ref:`upgrades ` on all the hosts in the :abbr:`OU (Organizational Unit)`.

.. hint::

  You may filter how hosts are displayed based on the Active Directory :abbr:`OU (Organizational Units)` they belong to.

  .. image:: wapt-resources/wapt_console_include-subfolders-in-search_menu_item.png
    :align: center
    :alt: Menu option to include hosts in subfolders

  The checkbox :guilabel:`Include hosts in subfolders` displays hosts in subfolders.

.. _fake_ou:

Faking Organizational Units for WORKGROUP hosts
===============================================

It can happen that some specific hosts cannot be joined to an Active Directory domain.
Therefore, these hosts do not show up in the Active Directory Organizational Units in the WAPT Console.

To make all hosts show up in the WAPT Console under the right Organizational Unit, whether they are joined to an AD domain or not, WAPT allows you to specify a *fake* Organizational Unit in the WAPT Agent configuration file.

The benefits of this very useful trick are:

* You can manage these hosts with WAPT as if they were joined to the Active Directory.

* Out-of-domain and workgroup hosts now show up in the Active Directory tree view in the WAPT Console.

* *Unit* packages become usable on these hosts.

To set up a *fake* Organizational Unit on hosts, create an :ref:`empty WAPT package `, then use the following code:

.. code-block:: python

  # -*- coding: utf-8 -*-
  from setuphelpers import *

  uninstallkey = []

  def install():

      print('Setting Fake Organizational Unit')
      # DN of the existing OU under which the host will be displayed
      fake_ou = "OU=REAL_AD_SUB_OU,OU=REAL_AD_OU,DC=MYDOMAIN,DC=LAN"
      # Write the value in the [global] section of the WAPT Agent configuration file
      inifile_writestring(WAPT.config_filename,'global','host_organizational_unit_dn',fake_ou)

      print('Reload WAPT configuration')
      WAPT.reload_config_if_updated()

  def update_package():
      pass

The :code:`host_organizational_unit_dn` will look like this in :file:`wapt-get.ini`:

.. code-block:: ini

  [global]
  host_organizational_unit_dn=OU=REAL_AD_SUB_OU,OU=REAL_AD_OU,DC=MYDOMAIN,DC=LAN

.. note::

  * Stick to a specific case with your :code:`host_organizational_unit_dn` (do not mix "dc"s and "DC"s, "ou"s and "OU"s ...).

  * Follow the letter case used in the *DN/computer_ad_dn* fields in the hosts inventory grid.

.. _add_plugins_console:

**********************************
Adding plugins in the WAPT Console
**********************************

To add custom plugins, go to the :menuselection:`Tools --> Preference --> Plugins` Tab.

.. figure:: wapt-resources/wapt_console_plugins-empty_container-window.png
  :align: center
  :alt: Creating a custom plugin in the WAPT Console

  Creating a custom plugin in the WAPT Console

Click :guilabel:`Add` to add a plugin, then edit the corresponding columns.

.. list-table::
  :header-rows: 1
  :align: center

  * - Column
    - Description
  * - Name
    - Name that will appear in the menu.
  * - Executable
    - Path of the executable that will be executed.
  * - Arguments
    - Arguments passed to the executable.

All the parameters that are displayed in the grid can be used, like {ip}, {uuid} or {computer_fqdn}.
To get the parameter name, you may right-click on the column header, and the name will be displayed in parentheses beside the column name.

Plugins will then appear in the menu:

.. figure:: wapt-resources/wapt_console_plugins-full_container-window.png
  :align: center
  :alt: Creating a custom plugin in the WAPT Console

  Creating a custom plugin in the WAPT Console

.. _re_sign_package_gui:

**********************************************
Re-signing WAPT packages from the WAPT Console
**********************************************

This method for re-signing all host packages is useful when the underlying cryptographic method or library changes, as is the case when upgrading from WAPT 1.8.2 (Python 2.7 based) to WAPT >= 2.0 (Python 3.x based).

.. _re_sign_host_package:

.. include:: wapt-resign-packages.rst

*****************************************************************************************
Displaying the Certificates trusted by the hosts in the WAPT Console |enterprise_feature|
*****************************************************************************************

In this tab, you can see the certificates that the host accepts to trust.

.. figure:: wapt-resources/wapt_console_certificate-tab.png
  :align: center
  :alt: Window showing the certificates trusted by the selected host

  Window showing the certificates trusted by the selected host

*******************************************************************
Displaying host audit data in the WAPT Console |enterprise_feature|
*******************************************************************

You can manage audit output and display the audit result if you activate the option in the :menuselection:`View --> Display Preferences` Tab.
Check the :guilabel:`Show host audit data tab` to see the tab :guilabel:`Audit Data` on each client.

.. figure:: wapt-resources/wapt_console_advanced-display-preferences.png
  :align: center
  :alt: Window showing the advanced preferences

  Window showing the advanced preferences

To use audits in WAPT packages, visit :ref:`this page to manage audit_data `.

Displaying encrypted data with a certificate in the audit data tab
==================================================================

With the audit function, it is possible to encrypt sensitive data coming from remote hosts; the encrypted sensitive data can then be read with a certificate installed on the WAPT Administrator's host.
This way, the WAPT Server may store sensitive inventory data without the WAPT Server becoming a sensitive asset.

This method is particularly useful, for example, for securely managing :abbr:`LAPS (Local Administrator Password Service)` random passwords in WAPT.

In :file:`setup.py`, you can use a function to encrypt data with a certificate.
If you have the private key matching the certificate that was used to encrypt the data, the data will be decrypted and it will appear in a readable form.

Here is an example of code:

.. code-block:: python

  # -*- coding: utf-8 -*-
  import glob

  from setuphelpers import *
  from waptcrypto import print_encrypted_data

  def audit():
      # Example value only; in practice this is the secret to protect
      randompassword = '1234'
      # Encrypt the value for every certificate matched by the glob pattern
      print_encrypted_data(randompassword, glob.glob('*.crt'))

This code will encrypt the password *1234* with all certificates present on the host that is used to manage WAPT.

From the WAPT Console, you will see in the :guilabel:`audit_data` tab the encrypted version and you can decipher the data with the private key associated with the public certificate that was used to encrypt the data.

.. figure:: wapt-resources/wapt_console_advanced-decrypted-audit-data.png
  :align: center
  :alt: Audit data result showing encrypted and decrypted version

******************************************************************************
Managing several WAPT Server profiles in the WAPT Console |enterprise_feature|
******************************************************************************

You can connect the WAPT Console to several WAPT Servers.
To do so, go to :file:`%localappdata%\waptconsole`, copy the :file:`waptconsole.ini` file and rename it, for example :file:`waptconsole2.ini`.

Modify the new file with the second WAPT Server parameters (e.g. IP / DNS, prefix, etc.).

Then, when you re-open the WAPT Console, you can select one WAPT Server or the other.

.. figure:: wapt-resources/wapt_console_several_profiles.png
  :align: center
  :alt: Window showing connections with several WAPT Server profiles

.. hint::

  You can have several WAPT Server connection profiles but the WAPT Servers do not communicate among them.
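
Going back to the Organizational Unit sections above: because *unit* packages are applied implicitly from the value of :code:`host_organizational_unit_dn`, a mistyped *fake* OU silently changes which packages a host receives. The following added example (not part of the WAPT documentation or code base) derives the hierarchy of levels from a DN as listed in the working principle, and checks the letter-case rules from the note on fake OUs. The function names ``split_dn``, ``unit_hierarchy`` and ``check_fake_ou`` are hypothetical and the sample DNs are constructed from the ones shown on this page.

```python
import re

# Constructed sample values modelled on the DNs shown on this page.
SAMPLE_DN = "OU=service1,OU=computers,OU=Paris,DC=ad,DC=mydomain,DC=lan"
MIXED_DN = "ou=service1,OU=computers,OU=Paris,dc=ad,DC=mydomain,DC=lan"


def split_dn(dn):
    """Split a DN into (attribute, value) pairs on unescaped commas."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not (sep and attr and value):
            raise ValueError("malformed DN component: %r" % rdn)
        pairs.append((attr, value))
    return pairs


def unit_hierarchy(dn):
    """Return the DN of every level, from the domain root down to the OU."""
    pairs = split_dn(dn)
    rdns = ["%s=%s" % pair for pair in pairs]
    dc_at = [i for i, (attr, _) in enumerate(pairs) if attr.upper() == "DC"]
    if not dc_at:
        raise ValueError("no DC= component in %r" % dn)
    # Start at the first DC= (domain root), then add one OU per level.
    return [",".join(rdns[i:]) for i in range(dc_at[0], -1, -1)]


def check_fake_ou(dn, inventory_dns=()):
    """List the problems found in a host_organizational_unit_dn value."""
    problems = []
    attrs = [attr for attr, _ in split_dn(dn)]
    kinds = [attr.upper() for attr in attrs]
    if "DC" in kinds and "OU" in kinds[kinds.index("DC"):]:
        problems.append("OU= component found after the first DC=")
    joined = "".join(attrs)
    if not (joined.isupper() or joined.islower()):
        problems.append("mixed letter case in attribute names")
    # Same DN as an inventory entry except for letter case: follow the inventory.
    for known in inventory_dns:
        if known.lower() == dn.lower() and known != dn:
            problems.append("letter case differs from inventory DN %r" % known)
    return problems
```

Pass the values of the *DN/computer_ad_dn* column of the hosts inventory grid as ``inventory_dns`` to catch a fake OU that differs from a real one only by letter case.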