How to use WAPT?

This section of the documentation covers the daily use of WAPT.

All WAPT functionalities are explained in detail for the Administrators, the Users and the Package Deployers.

Using the WAPT console

Installing the WAPT agent on the devices in your Organization

If you have not done so already, install the WAPT agent on a computer.

The installation of the WAPT agent on computers will register them on the WAPT inventory server.

The hosts will then appear in the WAPT console.

To install the WAPT agent manually on a computer, check the documentation for installing the WAPT agents.

Note

If you have skipped the step for creating the WAPT agent, return to the documentation on building the WAPT agent installer.

On your management computer, hosts are displayed in the WAPT console.

Inventory of hosts registered with WAPT

Inventory of hosts registered with WAPT

Note

If a host does not appear in the console after having installed the WAPT agent, open the Windows command line utility cmd.exe on the host and type wapt-get register.

Duplicating packages from external repositories

Package duplication principles

Duplicating a WAPT package consists of:

  • importing an existing WAPT package from an external repository;

  • changing its prefix (for example from tis to test);

  • re-signing the WAPT package with the Administrator’s private key to allow the deployment of the duplicated package on your WAPT-equipped hosts;

  • finally, uploading it to the main WAPT repository.

Attention

By importing a package in your repository and signing it, you then become responsible for that package and for what it does. It has been signed with your own private key.

Tranquil IT disclaims any liability if you choose to use WAPT packages retrieved from its repositories. Without a support contract, Tranquil IT does not guarantee the suitability of the package for your own particular use case, nor does it guarantee the ability of the package to comply with your Organization’s internal security policies.

  • go to the Private repository tab;

    Available software displayed in the WAPT console

Every software package version available on the WAPT repository is shown.

If no package has been imported, the list is empty. Only the test-waptupgrade package will be present if the WAPT agent has been generated previously. Visit the documentation on creating a WAPT agent.

Two options are available to import packages:

Import a package from an external repository on the Internet

That first method allows you to download packages directly from a WAPT repository external to your Organization.

To import from a repository other than Tranquil IT’s, define a new repository address in the WAPT console preferences. For more information, check the documentation on configuring the external repositories.

Note

  • If no repository is set, the repository https://wapt.tranquil.it/wapt will be implicitly set.

  • Starting with WAPT 1.3.12.13, external repository SSL/TLS certificates are verified by default.

  • click on Import package and Import from Internet;

    Import a package from Internet

The grid view displays the list of available packages on the remote repository. It is possible to choose the platform, the OS and the language.

  • to import a package, select a package then Right-click ‣ Import;

Imported WAPT package in your local WAPT repository

  • validate the duplication in your local repository;

    Confirm the duplication of the package

    Note

    It is possible to change the maturity of a WAPT package before importing the package into your private repository.

  • click on Yes to confirm the duplication;

  • the download of the package starts …

    Progress of the package duplication process

  • then, enter your private key password;

    Enter the password for unlocking the private key

The WAPT console confirms that the package has been duplicated in your local WAPT repository.

Confirmation of successful duplication

The package then appears in your local WAPT repository with your Organization’s prefix.

WAPT console displaying the duplicated package

Attention

If the verification of the package signature is enabled, the public certificate of the signer must be located in one of the following folders:

  • C:\Program Files (x86)\wapt\ssl;

  • %appdata%\waptconsole\ssl;

If the certificate is not found in one of these two folders, then the following error will occur and the package will not be imported.

Error while validating the signature of the external repository
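To review which signer certificates the two folders above currently hold before importing from an external repository, the following added example (not part of the WAPT documentation or code) lists the SHA-256 fingerprint of each certificate and flags those missing from an allowlist you maintain. It assumes the certificates are stored as PEM-encoded .crt or .pem files; the function names and the allowlist are hypothetical.

```python
import base64
import hashlib
import os
import re

# The two folders named above; %appdata% is only expanded on Windows.
TRUST_DIRS = [
    r"C:\Program Files (x86)\wapt\ssl",
    os.path.expandvars(r"%appdata%\waptconsole\ssl"),
]

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(path):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM file.

    A file may hold several certificates (a chain), so a list is returned.
    A block that is not valid base64 is reported as 'unreadable'.
    """
    with open(path, "r", encoding="ascii", errors="replace") as handle:
        text = handle.read()
    prints = []
    for body in _PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()))
        except ValueError:
            prints.append("unreadable")
            continue
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def audit_trust_dirs(dirs, approved):
    """List (file, fingerprint, is_approved) for each certificate found.

    Assumption: signer certificates are PEM-encoded .crt or .pem files.
    'approved' is your own allowlist of fingerprints (hex, colons optional).
    Folders that do not exist are skipped.
    """
    approved = {fp.lower().replace(":", "") for fp in approved}
    rows = []
    for folder in dirs:
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            if not name.lower().endswith((".crt", ".pem")):
                continue
            full = os.path.join(folder, name)
            for fp in pem_fingerprints(full):
                rows.append((full, fp, fp in approved))
    return rows


def unapproved(rows):
    """Keep only the certificates that are not on the allowlist."""
    return [(path, fp) for path, fp, ok in rows if not ok]


if __name__ == "__main__":
    # With an empty allowlist every certificate is listed for review.
    for path, fp in unapproved(audit_trust_dirs(TRUST_DIRS, approved=set())):
        print("not in allowlist:", fp, path)
```

Compare each fingerprint with the one the signer published through a separate channel before adding it to the allowlist.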

Changing the maturity of a WAPT package before importing it into the repository

Starting with WAPT 2.0, it is possible to change the maturity of a package before importing it into the repository.

To achieve this, select the option Default package maturity and choose your maturity.

Choosing the maturity of the WAPT package before import

Editing a package before importing it

Starting with WAPT 1.3.12.13, it is now possible to edit a package downloaded from an external repository before importing it in your main WAPT repository.

To achieve this, choose instead the second option Download and Edit to import the package from an external WAPT repository.

Process for importing and editing a package

PyScripter, if installed, opens the WAPT package.

Please refer to the documentation on creating WAPT packages from scratch.

Importing a WAPT package from a file

That second method allows you to import a .wapt file from any medium.

  • click on Import package and then Import from file;

    Import from a file

  • select the file to import;

    Selecting the file to import

  • click on Open to import the file;

The WAPT console confirms that the package has been duplicated in your local WAPT repository.

File imported successfully

The package then appears in your local WAPT repository with your Organization’s prefix.

Imported WAPT package showing in your local WAPT repository

Note

It is not possible to change the maturity before importing here.

Changing maturity of a WAPT package after import on a repository

When a package is imported on a WAPT repository, it is possible to change its maturity by right-clicking on the WAPT package. Choose your maturity in the Change packages maturity menu.

Changing the maturity of a WAPT package

Changing the prefix and re-signing a WAPT package

When importing, the changing of the prefix and the re-signing of the WAPT package are transparent and automatic.

Once the package is ready, the WAPT package is uploaded onto the main WAPT repository.

Deploying WAPT packages from the WAPT console

  • edit the host onto which you want to deploy a WAPT package;

    Note

    Selecting multiple hosts using common shortcut keys Control-A or Shift-Arrow is possible.

    Selecting the host to configure

  • a window opens: the right side lists the packages available on the local WAPT repository, and the left side lists the packages currently assigned to the host;

  • drag and drop packages from the right pane to the left pane;

    Drag and drop the package on the host or the selection of hosts

  • clicking on Save and Apply to hosts will launch the installation of the package(s) immediately on the selected host(s) that are connected to the WAPT Server;

  • clicking on Save will save the current configuration. Upgrading of the packages will occur during the WAPT agents’ next update cycle;

    Saving and applying configuration on selected host(s)

    Update process launched

To launch the installation of WAPT packages, click successively on Update available packages then Apply updates.

Applying updates

The installation of the WAPT package(s) is launched on the selected host(s) connected to the WAPT Server.

Using the WAPT console (detailed)

Note

Some functionalities detailed here are only available with the Enterprise version of WAPT.

Software inventory as registered in the Windows registry of the host

How to perform actions on the hosts?

Host configuration menu

List of actions available to be performed on the hosts from the WAPT console

| Name | Multi-selection |
| --- | --- |
| Edit host | no |
| Check updates | yes |
| Apply upgrades | yes |
| Apply upgrades for applications not currently running | yes |
| Propose upgrades for applications not currently running | yes |
| Send a message to users | yes |
| Run package audits | yes |
| Add packages to host dependencies | yes |
| Remove packages from host dependencies | yes |
| Re-sign host packages | yes |
| Add package to host conflicts | yes |
| Remove package from host conflicts | yes |
| Remove the host | yes |
| Connect via RDP | no |
| Remote Assistance | no |
| Mesh remote desktop | yes |
| Windows Computer management | |
| Update AD Group Policies on hosts | yes |
| Run CleanMgr on host | no |
| Computer management | no |
| Local users and groups management | no |
| Service management | no |
| Power ON with WakeOnLan | yes |
| Reboot computers | no |
| Shutdown computers | no |
| Trigger the scan of missing Windows updates | yes |
| Trigger the download pending Windows updates | yes |
| Trigger the install of pending Windows updates | yes |
| Refresh host inventory | yes |
| Trigger a restart of waptservice | yes |

Searching a host

Search function in WAPT

Allows you to search for a value in the selected column.

Showing the inventory

When the WAPT agents register, they send some information to the WAPT Server.

Information displayed in the console is not updated in real time; you have to refresh the display to view new status and information.

Click on the Refresh button or press F5 on the keyboard.

WAPT console displaying inventory

The WAPT console lists hosts that are registered with the WAPT Server and some information that is useful for managing the hosts.

Selecting a host displays its information in the right panel of the WAPT console (Hardware inventory and Software inventory).

Hardware inventory displays the hardware inventory of the host

Common information displayed in the Hardware inventory tab is:

  • the name of the host;

  • the description of the host;

  • the operating system running on the host;

  • the IP address of the host;

  • the last WAPT task that was run on the host;

  • the manufacturer of the host;

  • the model of the host;

  • the date of the latest update on the host;

  • the name of the user last or currently connected on the host.

Host summary

Status of packages in the WAPT console

| Description | Status |
| --- | --- |
| List of installed WAPT packages | Status: OK |
| List of packages waiting to be installed | Status: MISSING |
| List of packages pending updates | Status: NEED-UPGRADE |
| List of packages that have failed to install | Status: ERROR |

When a package returns the status ERROR, click on it to show the details of the error. The errors shown are the messages printed by the setup.py of your packages.

Error detail

Acting on packages installed on a host
Possible actions for WAPT packages

Hint

  • multiple selection of packages is possible;

  • the host must be seen by the WAPT Server when the action is launched;

  • if several hosts are selected, the action will be launched on all selected hosts;

Available parameters for the [option] section of waptserver.ini

| Action | Description |
| --- | --- |
| Install a package | installs the selected package on selected hosts |
| Force a package | forces the re-installation of a selected package on selected hosts |
| Remove a package | removes the selected package from the selected hosts |
| Forget a package | tells the selected hosts not to use WAPT for managing the selected package |
| Audit the package | triggers an audit on the selected package (Enterprise only) |

Hardware inventory tab

Information displayed by default in the Hardware inventory tab is:

  • information on the host’s hardware components;

  • some information about the host;

  • some information on the status of WAPT;

Host hardware inventory

A Filter box allows you to search for hosts.

Hint

Filters work with regular expressions.

To add a column in the grid, drag and drop a hardware property from the Hardware inventory grid to the main grid.

Example: in hosts, drag and drop physical_memory in the left panel, and the column physical_memory appears in the main grid.

Adding a criteria to the main grid of the WAPT console

Software inventory tab

Common information displayed in the Software Inventory tab is:

  • maker;

  • software name;

  • software version;

  • installation date;

  • uninstall key;

  • uninstall string;

Software inventory as registered in the Windows registry of the host

Windows update tab

WAPT Enterprise feature only

Information displayed in the Hardware inventory tab is:

  • Windows update agent version;

  • date of the last Windows update scan;

  • duration of the last scan;

  • WAPTWUA status;

  • date of the last version of wsusscn2.cab processed by WAPT;

  • status of WAPTWUA Enabled (True/False);

    The grid then lists Windows cab files that have been installed or that are pending installation.

Information displayed in the Windows Updates tab is:

  • Status;

  • Product;

  • Update ID;

  • Kbids;

  • Published on;

  • installation on;

  • Severity on;

  • Classification;

  • Title;

  • Download size;

Inventory of Windows Updates

Task tab

Information displayed by default in the Tasks tab is:

  • pending tasks;

Details of pending tasks on the host

  • completed tasks;

Details of completed tasks

  • tasks in error;

Details of tasks in error

Performing a global search on all hosts

Performing global searches on all the criteria presented above is possible.

Choose the filters to check or uncheck.

Advanced search functionalities in the WAPT console

Choice of filters

| Possible options | Description |
| --- | --- |
| Host | Host section in the Hardware inventory tab when a host is selected |
| Hardware | DMI section in the Hardware inventory tab when a host is selected |
| Software | Software inventory section when a host is selected |
| Package | List of packages installed on the selected hosts |
| Has errors | Search only for hosts for which a task has not finished correctly |
| Needs updating | Search only for hosts needing upgrades |
| Connected only | Search only for connected hosts |
| Only authorized computers | Search only for hosts authorized by certificate |
| WAPT Group | Filter hosts based on their membership / dependency to a WAPT group package |
| AD Site | Filter hosts based on their membership / dependency to a Site on Active Directory |
| AD Group | Filter hosts based on their membership / dependency to an Active Directory group |

Hint

Filters work with regular expressions.

Doing a search based on a WAPT package

In the Softwares repository, select the package and then click on Show Hosts.

The grid will display the hosts on which the package is installed. Note that the filter is only active on the Package attribute of the selected package.

The different columns display information about the packages installed on the machine (e.g. package version, package status, audit status, installation date, architecture).

Filter by package

You can also add the columns Log install and Last Audit Output to display at a glance the installation and audit logs.

Creating a group package

Group packages allow you to create a package containing other packages, to be assigned as a dependency to a host.

To create a group of packages, go to the WAPT Packages tab, then click on Make package template from setup file and finally choose Group;

Package group grid

  • click on New bundle;

  • fill in the description, add packages to the group package by dragging and dropping them or by Right-clicking on the package name, and adding it to the bundle;

Creating a group package

  • click on Save to save the bundle;

Hint

To uninstall a package, it is possible to add banned packages to a bundle.

Forbid a package

Managing packages on repository

In the WAPT Packages tab, the list of packages currently available in the WAPT repository appears. By default, the console will only show the latest version of packages.

Filtering packages

A search bar is also available to filter packages. It is possible to specify a filter.

Displaying all packages

To display all package versions, untick Last version only.

Filtering on package type

To display a specific package type, use Filter packages:

Types of packages are:

  • all;

  • base;

  • group;

  • profile;

  • selfservice;

  • unit;

  • waptwua;

Filtering on WAPT package type

Other filters

Other available filters are:

  • architecture:

    • x86;

    • x64;

  • OS:

    • all;

    • Windows;

    • macOS;

    • Linux;

  • locale:

    • en;

    • fr;

    • de;

    • it;

    • es;

  • maturity (for default):

    • PROD;

    • PREPROD;

    • DEV;

Filtering on other attributes

Removing a WAPT package

To delete a package from the repository, Right-click ‣ Remove from repository.

Remove a package

Editing a WAPT package

To edit a package, Right-click ‣ Edit package. The package will be downloaded locally to the base package development directory set in the console settings.

Make changes to the package as wanted, rebuild the package and upload it back to the repository. Once your package has uploaded, refresh the package list using the Refresh packages list button or by pressing F5 on your keyboard.

View tab

Refresh

Refreshing the display of the WAPT console

Displaying preferences

Displaying preferences

Displaying options in preferences

List of available actions to display preference options

| Name | Description | Example |
| --- | --- | --- |
| Maximum number of hosts to display | Max host in Inventory | 2000 |
| Language | Show the locale of the WAPT console | French/English/German |
| Reset console layout | Load default settings | |
| Show debug information | Add debug information panel on the bottom of the WAPT console | False |
| Enable external tools in host popup menus | Show Windows tools on right-click | True |
| Hide unavailable actions | Hide if actions are not possible for current user | False |
| Enable WAPTWUA features | Show Windows Update tab | True |
| Show host audit data tab | Show tab on Inventory of host | False |

Restoring the default grid layout

Restoring the default grid layout

Re-apply default layout. For example, you can remove the column Hardware inventory added in this section of the documentation.

Tools tab

Changing the Superadmin password of the WAPT Server

Changing the Superadmin password of the WAPT Server

To change the WAPT Server password, fill in the old password and add a new one.

Building an Administrator certificate

Building an Administrator certificate

Refer to the documentation on generating the Administrator’s certificate for signing WAPT packages.

Building the WAPT agent

Building the WAPT agent

Refer to the documentation on building the WAPT agent installer.

Changing the password of the Administrator’s private key

Changing the password of the Administrator's private key

Entering the password for unlocking the private key

To change the private key password, fill in the old password and add a new one.

Cleaning the local cache

When importing a package from the Internet, the WAPT console downloads the package in %appdata%\local\waptconsole\cache.

To clean the cache and free up disk space, click on Tools ‣ Clean local cache.

Cleaning up the local cache

Resetting Websocket connections

Resetting Websocket connections

Use this method if you are restarting the waptserver service without restarting the Nginx web service.

Making a WAPT package template from a setup file

Making a WAPT package template from a setup file

For more information, refer to the documentation for creating a package template from the WAPT console.

Building and uploading a WAPT package from the WAPT console to a repository

Building and uploading a WAPT package from the WAPT console to a repository

For more information, refer to the documentation on building the package and sending it to the WAPT server.

External repository settings

External repository settings

It is possible to add other repositories.

Repository settings

List of available actions to apply on repositories

| Name | Description / Example |
| --- | --- |
| Repository name | wapt-template |
| Register new repository | Clear interface |
| Unregister repository | Select before repository |
| External packages repository | https://store.wapt.fr/wapt |
| Browse certificates | Download certificate of repository |
| http proxy to use (if needed) | http://proxy.mydomain.lan |
| Advanced parameters | Check if needed |
| Check HTTPS server certificate | Check if needed |

Normalizing software titles

Normalizing software titles

For more information, refer to the documentation on normalizing software names.

Configuring the WAPT console preferences

To make changes to the WAPT console settings, go to Tools ‣ Preferences.

Configuring the WAPT console preferences

Basic configuration
  • Basic tab for basic configuration options;

    Configuration options for the WAPT console

| Arguments | Description | Example |
| --- | --- | --- |
| WAPT server address or name | URL (IP or FQDN) of the WAPT server | srvwapt.mydomain.lan |
| Check and set | Check whether server exists and set this configuration | Write URL to waptconsole.ini |
| Manual override | Use when repository location is not standard | srvwapt.mydomain.lan/repo_packages |
| URL of the main WAPT repository | URL of the main WAPT repository (only if Manual override is checked) | http://srvwapt.mydomain.lan/wapt/ |
| URL of the WAPT server | URL of the WAPT server (only if Specify manually is checked) | https://srvwapt.mydomain.lan/ |
| Verifying the HTTPS certificate | Indicates whether the HTTPS certificate must be verified | yes |
| Path to the CA bundle of certificates | Path to the CA bundle of certificates that will allow certificates to be verified | Visit the documentation on activating HTTPS verification |
| Prefix to use when creating packages. Ex: tis or demo | Prefix that is given to packages during replication. | prefix |
| Path to the Administrator’s personal certificate | Path to the certificate associated with the private key used to sign packages | C:\private\mykey.crt |
| Licence directory | Path to the licence for Enterprise version | Set by default in WAPT install folder. It is possible to set another path |
| Show config file | Open waptconsole.ini file in %appdata%\Local\waptconsole | All parameters of the WAPT console |

Hint

The button Get the server certificate downloads the WAPT Server HTTPS certificate to WAPT\ssl\server and tells the WAPT console to verify HTTPS connections using that bundle of certificates. The method is called Certificate pinning. Before downloading the HTTPS certificate, you must be sure that you are connecting to the right server.

Advanced configuration
  • advanced tab for advanced configuration options;

    Configuration options for the WAPT console

| Arguments | Description | Example |
| --- | --- | --- |
| Path to the waptdev folder | Indicates the path to the directory for storing packages being developed | C:\waptdev |
| HTTP proxy to use | Indicates a proxy server to be used by the WAPT console when accessing the WAPT repository or the WAPT Server | http://srvproxy.mydomain.lan:8080 |
| Activate proxy settings for connecting to the WAPT repository or the WAPT Server | Activate proxy settings for connecting to the WAPT repository or the WAPT Server | False |
| Activating the proxy when accessing the WAPT server | Activating the proxy when accessing the WAPT server | False |
| Default package maturity | Default maturity for imported packages | PROD |
| Client certificate path for authentication | If remote repository is using Client side SSL authentication | Blank |
| Client authentication key path | If remote repository is using Client side SSL authentication | Blank |
| Editor for packages | Default editor for importing packages | PyScripter |

To make changes to console settings, go to Tools ‣ Preferences.

| Arguments | Description | Example |
| --- | --- | --- |
| Maximum number of hosts to be displayed in the console | Indicates the maximum number of hosts to be displayed in the WAPT console, so as to optimize the behavior of the console. | 2000 |
| Language | Selects the language for the WAPT console | English |
| Showing debug information in the WAPT console | Shows debug information in the WAPT console | True |
| Allow third-party tools in the contextual menus of the hosts | TODO | True |
| Activate administration functionalities | TODO | True |
| Hide unavailable options | TODO | True |
| Show config file | Open waptconsole.ini file in %appdata%\Local\waptconsole | All parameters of WAPT console |

Plugins
  • Plugins tab for adding plugins in the WAPT console;

Creating a plugin

Click Add to add plugins, then edit the corresponding columns:

| Column | Description |
| --- | --- |
| Name | Name that will appear in the menu |
| Executable | Path of the executable that will be executed after the click |
| Arguments | Arguments passed to the executable. Some variables can be used like {ip}, {uuid} or {computer_fqdn} |
| Show config file | Open waptconsole.ini file in %appdata%\Local\waptconsole |

Plugins will then appear in the menu:

Insert "Explorer" as a plugin with IP variables

Using WAPTtray

wapttray is a utility working in user context. It is located in the WAPT folder C:\Program Files (x86)\wapt.

wapttray launches at logon if the option has been ticked during installation. The icon will show up in the Windows tray toolbar.

We can also launch wapttray manually with a startup GPO pointing to C:\Program Files (x86)\wapt\wapttray.exe.

The tray icon is handy for autonomous users that want to choose the right moment to upgrade their packages.

WAPTtray in Windows notification tray

Functionalities of the WAPTtray

List of functionalities of the WAPTtray

| Action | Description |
| --- | --- |
| Showing the status of packages | launches the local web interface in a browser |
| Launching the installation of an update | launches the installation of pending upgrades |
| Refreshing the list of available packages | refreshes the list of available packages. Double-clicking on the tray icon brings about the same effect. |
| Launching the WAPT console | launches the WAPT console |
| Viewing the configuration file | opens the C:\Program Files (x86)\wapt\wapt-get.ini file with Local Administrator privileges (credentials may be asked) |
| Reloading network related service configuration | reloads the connection to the WAPT Server in the event of a network reconfiguration |
| Uploading the host’s inventory to the WAPT Server | updates the host’s inventory with the WAPT Server |
| Configuring all installed packages for the User | launches a session-setup to configure user environment for all packages installed on the host |
| Canceling WAPT tasks running on the host | shows running tasks, allows to cancel a running task, allows to cancel all running tasks |
| Stopping and starting the WAPT service | stops and reloads the WAPTservice |
| Exiting the WAPTtray | closes the tray icon without stopping the local WAPTservice |

Using WAPTExit

waptexit allows you to upgrade and install WAPT packages when a host is shutting down, at the user’s request, or at a scheduled time.

The mechanism is simple. If packages are waiting to be upgraded, they’ll be installed.

Hint

When to use WAPTexit?

The WAPTexit method is very effective in most situations because it does not require the intervention of the User or the Administrator.

WAPTexit window

WAPTexit

waptexit executes by default on shutdown; it is installed by default with the WAPT agent.

The behavior of waptexit is customizable in C:\Program Files (x86)\wapt\wapt-get.ini.

Manually triggering the execution of WAPTexit

By creating a desktop shortcut, one can allow users to launch upgrades by themselves at a time that is convenient to them simply by clicking the WAPTexit icon.

The behavior of waptexit is customizable in C:\Program Files (x86)\wapt\wapt-get.ini.

Triggering WAPTexit with a scheduled task

One can deploy a GPO or a WAPT package that will trigger WAPTexit at a pre-scheduled time.

Triggering WAPTexit with a scheduled task is best suited for servers that are not shut down frequently.

You may adapt the procedure describing how to deploy the WAPT agent to trigger the WAPTexit.exe script at the time of your choosing.

Hint

You can use the following script for your scheduled task, adapted to your need (Enterprise only):

waptpython -c "from waptenterprise.waptservice.enterprise import start_waptexit; start_waptexit('',{'only_priorities':False,'only_if_not_process_running':True,'install_wua_updates':False,'countdown':300},'schtask')"

Warning

Any running software that is upgraded may be killed, with possible loss of data. WAPTexit may fail to upgrade a software program if software that you are upgrading is in the impacted_process list of the control file of one of the software packages you are trying to upgrade. See below for more information.

The method of triggering WAPTexit at a scheduled time is the least recommended method for desktops. It is better to let WAPTexit execute at shutdown or on user request.

Avoiding the cancellation of upgrades

To disable the interruption of the installation of updates you can run waptexit with the argument:

waptexit.exe -allow_cancel_upgrade = True

Otherwise waptexit will take the value indicated in C:\Program Files (x86)\wapt\wapt-get.ini:

[global]
allow_cancel_upgrade = False

If this value is not indicated in C:\Program Files (x86)\wapt\wapt-get.ini, then the default value will be 10.

Increase the trigger time in waptexit

To specify the wait time before the automatic start of the installations you can start waptexit with the argument:

waptexit.exe -waptexit_countdown = 10000

Otherwise waptexit will take the value indicated in the configuration C:\Program Files (x86)\wapt\wapt-get.ini:

[global]
waptexit_countdown = 25

If this value is not indicated in C:\Program Files (x86)\wapt\wapt-get.ini, then the default value will be 1.

Do not interrupt user activity

To tell WAPT not to run an upgrade of running software on the machine (impacted_process attribute of the package), you can run waptexit with the argument:

waptexit.exe -only_if_not_process_running=True

Otherwise waptexit will take the value indicated in C:\Program Files (x86)\wapt\wapt-get.ini:

[global]
upgrade_only_if_not_process_running = True

If this value is not indicated in C:\Program Files (x86)\wapt\wapt-get.ini, then the default value will be False.

Launching the installation of packages with a special level of priority

To tell WAPT to only upgrade high priority packages, you can run waptexit with the argument:

waptexit.exe -priorities = high

Otherwise waptexit will take the value indicated in C:\Program Files (x86)\wapt\wapt-get.ini:

[global]
upgrade_priorities = high

If this value is not indicated in C:\Program Files (x86)\wapt\wapt-get.ini, then the default value will be Empty (no filter on priority).

Customizing WAPTexit

WAPT Enterprise feature only

It is possible to customize waptexit by placing the image you want in C:\Program Files (x86)\wapt\templates\waptexit-logo.png.

Registering/ unregistering WAPTexit

To register or unregister waptexit in the local group policy shutdown scripts, use:

  • to enable waptexit at host shutdown:

    wapt-get add-upgrade-shutdown

  • to disable waptexit at host shutdown:

    wapt-get remove-upgrade-shutdown

Using Organizational Unit packages in WAPT

WAPT Enterprise feature only

New in version 1.7: Enterprise

Working principle

WAPT Enterprise offers organizational unit packages functionality.

It automates software installations based on your Active Directory infrastructure.

The WAPT agent is aware of its position in the Active Directory tree structure, therefore it knows the hierarchy of Organizational Units that concerns it, for example:

DC=ad,DC=domain,DC=lan
OU=Paris,DC=ad,DC=domain,DC=lan
OU=computers,OU=Paris,DC=ad,DC=domain,DC=lan
OU=service1,OU=computers,OU=Paris,DC=ad,DC=domain,DC=lan

If an Organizational Unit package is defined on each level, the WAPT agent will automatically download packages and configurations that are attached to each level, by inheritance, and will apply attached packages and their dependencies.

Filters and actions available with Organizational Units

WAPT console showing options applicable to OU

Hint

You can see in the picture that update and upgrade actions can be performed through this menu, thus selecting hosts by their Organizational Unit.

In the Enterprise version, you may filter how hosts are displayed based on the Active Directory OU they belong to.

The checkbox Include hosts in subfolders allows you to display hosts in subfolders.

Creating Organizational Unit packages in the WAPT console

You can create unit packages by Right-clicking on an OU ‣ Create or edit the unit package.

Right-click on OU to create unit package.

A window opens and you are prompted to choose which packages must be included in the unit bundle.

Adding package to unit bundle.

Save the package and it will be uploaded to the WAPT server.

Faking Organizational Units for WORKGROUP hosts

It can happen that some specific hosts cannot be joined to an Active Directory domain.

Because they are not in the domain, such hosts do not show up under your Active Directory Organizational Units in the WAPT Console.

To make all hosts show up in the console under the right Organizational Unit, whether they are joined to an AD domain or not, WAPT allows you to specify a fake Organizational Unit in the WAPT agent configuration file.

The benefits of this trick are:

  • you can manage these hosts with WAPT as if they were joined to the AD;

  • out-of-domain and workgroup hosts are now showing up in AD tree view;

  • unit packages are usable on these hosts;

To set up a fake Organizational Unit on hosts, create an empty WAPT package:

wapt-get make-template demo-configure-fake-ou

Then use the following code:

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():

  print('Setting Fake Organizational Unit')
  fake_ou = "OU=TOTO,OU=TEST,DC=DEMO,DC=LAN"
  inifile_writestring(WAPT.config_filename,'global','host_organizational_unit_dn',fake_ou)

The host_organizational_unit_dn must be like below in wapt-get.ini:

[global]
host_organizational_unit_dn="OU=TOTO,OU=TEST,DC=DEMO,DC=LAN"

Note

Stick to a specific case with your host_organizational_unit_dn (don’t mix “dc”s and “DC”s, “ou”s and “OU”s…). Follow the case used in the DN/computer_ad_dn fields in the hosts grid.


Using profile bundles in WAPT

WAPT Enterprise feature only

New in version 1.7: Enterprise

Working principle

WAPT Enterprise offers Active Directory profile bundle functionality.

It automates installation of WAPT software and configuration packages on hosts, based on their membership to Active Directory Computer Security Groups.

Important

Active Directory Computer security groups contain Computers, not Users.

Active Directory computer group

Automatically installing software and configurations based on user and user group membership is not implemented with WAPT. This use case is better served with the differentiated self-service feature that is also available with WAPT Enterprise.

Creating profile bundle packages in WAPT console

You can create profile bundle packages by clicking on Bundles -> Create AD Profile.

Click on New host AD profile to create a profile bundle

Important

Requirements:

  • the profile package name must be exactly the same as the AD Security group name;

  • the profile package name is case sensitive;

Example:

  • AD Security group: HW_laptops;

  • WAPT profile bundle: HW_laptops;

A window opens and you are prompted to choose which packages must be in the just created profile bundle.

Adding package to profile bundle

Save the profile bundle package and it will be uploaded to the WAPT server.


Using WAPT Windows Update Agent (WAPTWUA)

WAPT Enterprise feature only

New in version 1.7: Enterprise

Note

Since version 1.7, WAPT is able to manage Windows Updates on your endpoints.

Working principle

Regularly, the WAPT server downloads an updated wsusscn2.cab file from Microsoft servers. By default, downloads happen once a day and no download is triggered if the wsusscn2.cab file has not changed since the last download.

WAPT Windows Update flow process.

Note

In some cases, you may wish to push new KBs before the next Patch Tuesday release.

To do so, you may follow this documentation on packaging .msu files for these Out-of-band updates.

The wsusscn2.cab file is then downloaded by the WAPT agent from its nearest repository and then passed on to the standard WUA Windows utility to crunch the update tree for the host.

Regularly, the host will analyze the available updates using the wsusscn2.cab file. The host will send its list of needed updates as determined by its WUA to the WAPT server.

If an update is pending on the host and if that update is not present on the WAPT server, the server will download the needed update from official Microsoft servers.

Hint

This mode of operation allows WAPT to download only the necessary updates on the computers, thus saving bandwidth, download time and disk space.

Note

Downloaded updates are stored:

  • on Linux hosts in /var/www/waptwua;

  • on Windows hosts in C:\wapt\waptserver\repository\waptwua;

The WAPT Windows Update Agent repository download URL is based on the repo_url parameter in wapt-get.ini:

  • in case of repository replication, it is fully operational with WAPT Windows Update to reduce bandwidth use;

  • do not forget to synchronize the waptwua folder if you are replicating your packages with distant repositories;

Note

If in your company, a proxy is needed to go out on the Internet, then be sure to set the proxy server in the waptserver.ini file.

Difference between WAPT Windows Updates and WSUS

WSUS downloads by default the updates for selected categories. This can lead to a very large update database and lots of storage used.

WAPT Windows Update only downloads updates that have been requested by at least one computer client. This helps to keep the local database small (a few tens of gigabytes) and it can be easily cleaned up if you want to recover space.

Major OS upgrades

Major OS upgrades are upgrades from one OS version to another. That includes, for example, upgrades from Windows 7 to Windows 10, or from Windows 10 1803 to Windows 10 1903.

Major version upgrades are not handled in the same way as minor OS upgrades. Major upgrades are handled via the download of the new install ISO content (same content as for a fresh install) and running the setup.exe with the correct parameters. This process is the same for WSUS, SCCM and WAPT Windows Updates.

In the case of WAPT Windows Updates, you need to create an OS update package using a template package provided on https://store.wapt.fr.

Driver upgrades

Driver upgrades via WSUS are not recommended since it is hard to properly handle side effects. In the case of WAPT Windows Updates, DRIVERS ARE NOT DOWNLOADED since they are not referenced in the wsusscn2.cab files provided by Microsoft.

It is recommended to push driver updates via a custom WAPT package. If the driver patch is packaged as a .msu, you may package it as a standard WAPT package.

Just select the .msu file and click create package in the WAPT console to launch the wizard for simplified package creation.

If the driver update is packaged as a .zip containing the .exe file, you can create a WAPT package containing the necessary files and setup.exe binary with the correct silent flag.

Out of band KB

Microsoft sometimes provides OOB updates that are not contained in the wsusscn2.cab index. Those updates are not included in the main update because they may fix a very specific problem or may have drawbacks in some situations.

If you want to deploy an OOB KB update, you can download it from the Microsoft catalog https://www.catalog.update.microsoft.com/Home.aspx.

Just select the .msu file and click create package in the WAPT console to launch the wizard for simplified package creation.

Attention

Be careful: OOB updates may break your system. Be sure to read the prerequisites on the Microsoft bulletin corresponding to the update and thoroughly test the update.

Configuring WAPTWUA on the WAPT agent

WAPTWUA is configured in wapt-get.ini.

Add a [waptwua] section.

You then have several options:

Configuration options in the [waptwua] section in the wapt-get.ini

Options              Default Value  Description
enabled              False          Enable or disable WAPTWUA on this machine.
direct_download      False          Download updates directly from Microsoft servers.
default_allow        False          Set if missing update is authorized or not by default
download_scheduling  None           Set the Windows Update scan recurrence (Will not do anything if waptwua package rule or wsusscn2.cab file have not changed) (ex: 2h)
install_scheduling   None           Set the Windows Update install recurrence (Will do nothing if no update is pending) (ex: 2h)
install_at_shutdown  False          Install update when the machine will shutdown
install_delay        None           Set a deferred installation delay before publication in the repository (ex: 7d)
allowed_severities   None           Define a severity list that will be automatically accepted during a WAPT windows update scan. ex: Important, Critical, Moderate

Hint

These options can be set when generating the agent.

Example [waptwua] section in wapt-get.ini file:

[waptwua]
enabled=true
default_allow=False
direct_download=False
download_scheduling=7d
install_at_shutdown=True
install_scheduling=12h
install_delay=3d

The install_scheduling option will try every 12 hours to install updates on the client. It is not in the graphical options due to a potential danger: trying to install updates on your IT infrastructure during working hours can impact your production.

When you create the waptagent.exe from your console, these options are equivalent to this:

WAPT Windows Update agent options

Hint

If the default_allow option is True and WAPTWUA is enabled too, clients will contact the WAPT Server and ask it to download the missing updates. The clients will install missing updates on their own at time of upgrade.

Example package source code to modify [waptwua] settings:

from setuphelpers import *

uninstallkey = []

def install():
    # Write the WAPTWUA settings into the [waptwua] section of wapt-get.ini
    inifile_writestring(WAPT.config_filename,'waptwua','enabled','true')
    inifile_writestring(WAPT.config_filename,'waptwua','install_at_shutdown','true')
    inifile_writestring(WAPT.config_filename,'waptwua','download_scheduling','7d')
    inifile_writestring(WAPT.config_filename,'waptwua','allowed_severities','Critical,Important')

Using WAPTWUA from the console

The WAPT Windows Update Agent tab in the WAPT console comes with two sub-menus to manage WAPTWUA.

WAPTWUA Package tab

The WAPTWUA Package tab allows you to create waptwua rules packages.

  • when this type of package is installed on a machine, it indicates to the WAPTWUA agent the authorized or forbidden KBs;

  • when several waptwua packages are installed on a machine, the different rules will be merged;

  • when a cab is neither mentioned as authorized, nor mentioned as prohibited, WAPT agents will then take the value of default_allow in wapt-get.ini;

If a Windows update has not yet been downloaded to the WAPT server, then the WAPT agent will flag the update as MISSING.

Note

  • if the WAPTWUA agent configuration is set to default_allow = True, then it will be necessary to specify the forbidden cab;

  • if the WAPTWUA agent configuration is set to default_allow = False, then it will be necessary to specify the authorized cab;

Hint

  • to test updates on a small set of computers, you can set WAPTWUA default value to default_allow = False;

  • you can test updates on a small sample of hosts and if everything is good, you can release the updates to the entire fleet of computers;

Creating a waptwua Package
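
The following Python code is an added example, not code from WAPT: it shows how an update ends up authorized or forbidden on a host once several waptwua rule packages are merged and default_allow from wapt-get.ini is applied to everything the rules do not mention. The package names, the update IDs, the merge as a union of the lists and the reporting of an update listed on both sides as a conflict are assumptions made for illustration.

```python
import configparser

# Constructed sample: [waptwua] section of a wapt-get.ini.
SAMPLE_INI = """
[waptwua]
enabled=true
default_allow=False
install_delay=3d
"""

# Constructed sample: rules carried by two waptwua packages installed on one host.
# The update IDs are placeholders, not real Microsoft UpdateIDs.
SAMPLE_RULE_PACKAGES = [
    {"name": "example-waptwua-pilot",
     "allowed": {"updateid-0001", "updateid-0002"},
     "forbidden": set()},
    {"name": "example-waptwua-servers",
     "allowed": {"updateid-0003"},
     "forbidden": {"updateid-0002", "updateid-0004"}},
]


def read_waptwua_flags(ini_text):
    """Return (enabled, default_allow); both default to False as in the options table."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return (cfg.getboolean("waptwua", "enabled", fallback=False),
            cfg.getboolean("waptwua", "default_allow", fallback=False))


def merge_rules(packages):
    """Merge rule packages as a union of their lists (assumption).

    An update that one package allows and another forbids is returned
    separately as a conflict so that it gets reviewed instead of guessed.
    """
    allowed, forbidden = set(), set()
    for pkg in packages:
        allowed |= pkg["allowed"]
        forbidden |= pkg["forbidden"]
    conflicts = allowed & forbidden
    return allowed - conflicts, forbidden - conflicts, conflicts


def classify(update_ids, packages, ini_text):
    """Map each update ID to the decision the merged rules and default_allow give."""
    enabled, default_allow = read_waptwua_flags(ini_text)
    allowed, forbidden, conflicts = merge_rules(packages)
    decisions = {}
    for uid in update_ids:
        if not enabled:
            decisions[uid] = "waptwua-disabled"
        elif uid in conflicts:
            decisions[uid] = "conflict"
        elif uid in allowed:
            decisions[uid] = "allowed"
        elif uid in forbidden:
            decisions[uid] = "forbidden"
        elif default_allow:
            decisions[uid] = "allowed-by-default"
        else:
            decisions[uid] = "forbidden-by-default"
    return decisions


if __name__ == "__main__":
    pending = ["updateid-%04d" % n for n in range(1, 6)]
    for uid, decision in classify(pending, SAMPLE_RULE_PACKAGES, SAMPLE_INI).items():
        print(uid, decision)
```

With default_allow = False, an update that no rule package mentions stays forbidden, which is what makes the small test group described in the hint above possible.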

Windows Updates list tab

The Windows Update List tab lists all needed Windows Updates.

Important

The server does not scan the wsusscn2.cab itself, it lets the Windows Update Agent utility present on all Windows machines do it. If an update seems to be missing from the list, you must run a scan on one of the machines present in the console. If you run a WUA scan on a Windows 7 agent, the CAB and Windows 7 files will be displayed on the Windows Update List tab.

The left pane displays update categories, allowing you to filter by:

  • criticality;

  • product;

  • classification;

In the right panel grid, if the Downloaded on column is empty, it means that the update has not yet been downloaded by the WAPT server and is not present on the WAPT server (This update is not missing on any host).

  • you can force the download of an update by right-clicking ‣ Download;

  • you can also force the download of the wsusscn2.cab file with the Download WSUSScan cab from Microsoft Web Site button;

  • you can see the Windows Updates download on the server with the Show download task button;

Hint

To clean up your waptwua folder, you can remove Windows updates that are no longer needed. The WAPT server will only re-download deleted updates if one of the WAPT equipped hosts requests it.

Listing of Windows Update

Launching WUA on clients

From the console you have three options.

Windows Update action buttons available in the WAPT console

The Trigger the scan of pending Windows Updates button will launch the scan on the client and list all updates flagged for the OS. You can scan the client from the console like that or by using wapt-get waptwua-scan from the command-line.

Hint

Every 30 minutes, the WAPT Server will look for updates that have been requested at least once by WAPT Clients and that have not yet been downloaded and cached. If an update is pending, the WAPT Server will download it from official Microsoft servers.

You can force this scan with the Download index and missing cabs from Microsoft Web site button in tab Windows Updates ‣ Windows Updates list.

Pending Windows Updates showing in the WAPT console

If you want to download from the console, use the Trigger the download of pending Windows Updates button.

The command-line for downloading KBs from the client is wapt-get waptwua-download. It will scan the current status of Windows against current rules, download missing KBs and send the result to the server.

If you want to install the pending update(s), use wapt-get waptwua-install from the command-line prompt.

If you want to trigger the installation from the console, click on Trigger the install of pending Windows Updates button.

Hint

When you want to install the pending updates stored in cache, the WAPT Service triggers the WUA service.

The WAPT Service will enable and start the WUA Service temporarily to install the updates. When updates are installed, waptservice will stop and disable the WUA service until the next cycle.

Notion of UpdateID

In WAPT we don’t use kbids but updateids.

This allows us to be finer in the management of updates.

Duplicate kb

In this example, KB4537759 appears multiple times because there are 3 different updateids:

  • win10 1803;

  • win10 1903;

  • win10 1909;

You should therefore authorize an updateid and not a kbid.

WAPT does not force Windows update uninstall

Uninstalling a Windows update can be dangerous for the machine. When an update is detected as forbidden by WAPT, its uninstallation will NOT be forced.

If you really want to uninstall an update, you should package the KB that you want to uninstall as a WAPT package.

Here is an example:

from setuphelpers import *

uninstallkey = []

def install():
    # The WUA service must be running while wusa removes the update
    with EnsureWUAServRunning():
        run('wusa /uninstall /KB:4023057')


Using the reporting functions in WAPT

WAPT Enterprise feature only

New in version 1.7: Enterprise

Working principle

WAPT Enterprise offers advanced reporting capabilities.

Indeed, who better than you to know what you want in your report?

WAPT lets you write your own SQL queries and displays the results in the WAPT console.

WAPT query Designer

The query designer offers you the ability to edit your own queries on the WAPT PostgreSQL database.

To create a new report, click on Reporting ‣ Design Mode ‣ New query.

Designing a query in WAPT reporting

Hint

  • to rename a query, press the F2 key;

  • in the top banner, you can write your SQL query;

To edit / modify / save your reports:

  • the Reload queries button is used to reload queries saved on the server, for example, if a colleague has just edited a new query;

  • the New query button will add a new blank query to the list;

  • the Delete query button will delete the selected query from the WAPT server;

  • the Export to Excel button will export the result of your query to a spreadsheet;

  • the Save queries button will save your query to the WAPT server;

  • the Duplicate button will duplicate an existing query to avoid writing a request from scratch;

  • the Execute button executes the selected query;

Note

  • the queries are saved in the PostgreSQL WAPT database;

  • the shortcut CTRL+space allows you to build your queries more effectively;

Query examples

Computers query

  • counting hosts:

    select count(*) as "Nb_Machines" from hosts
    
  • listing computers:

    select
    computer_name,
    os_name,
    os_version,
    os_architecture,
    serialnr
    from hosts
    order by 4,3,1
    
  • listing computers MAC addresses and IP:

    select distinct unnest(mac_addresses) as mac,
    unnest(h.connected_ips) as ipaddress,
    computer_fqdn,h.description,
    h.manufacturer||' '||h.productname as model,
    h.serialnr,
    h.computer_type
    from hosts h
    order by 1,2,3
    
  • listing Windows versions:

    select
    host_info->'windows_version' as windows_version,
    os_name as operating_system,
    count(os_name) as nb_hosts
    from hosts
    group by 1,2
    
  • listing operating systems:

    select host_info->'windows_version' as windows_version,
    os_name as "Operating_System",
    count(os_name) as "Nb_Machines"
    from hosts
    group by 1,2
    
  • listing hosts not seen in a while:

    select
    h.uuid,
    h.computer_fqdn,
    install_date::date,
    version,
    h.listening_timestamp::timestamp,
    h.connected_users from hostsoftwares s
    left join hosts h on h.uuid=s.host_id
    where s.key='WAPT_is1'
    and h.listening_timestamp<'20190115'
    
  • filtering hosts by chassis types:

    select case
    dmi->'Chassis_Information'->>'Type'
     when 'Portable' then '01-Laptop'
     when 'Notebook' then '01-Laptop'
     when 'Laptop' then '01-Laptop'
     when 'Desktop' then '02-Desktop'
     when 'Tower' then '02-Desktop'
     when 'Mini Tower' then '02-Desktop'
     else '99-'||(dmi->'Chassis_Information'->>'Type')
    end as type_chassis,
    string_agg(distinct coalesce(manufacturer,'?') ||' '|| coalesce(productname,''),', '),
    count(*) as "Nb_Machines" from hosts
    group by 1
    
  • listing of hosts with their Windows Serial Key:

    select
    computer_name,
    os_name,
    os_version,
    host_info->'windows_product_infos'->'product_key' as windows_product_key
    from hosts
    order by 3,1
    

WAPT query

  • listing WAPT packages in WAPT server repository:

    select
    package,
    version,
    architecture,
    description,
    section,
    package_uuid,
    count(*)
    from packages
    group by 1,2,3,4,5,6
    
  • listing hosts needing upgrade:

    select
    computer_fqdn,
    host_status,
    last_seen_on::date,
    h.wapt_status,
    string_agg(distinct lower(s.package),' ')
    from hosts h
    left join hostpackagesstatus s on s.host_id=h.uuid and s.install_status != 'OK'
    where (last_seen_on::date > (current_timestamp - interval '1 week')::date
    and host_status!='OK')
    group by 1,2,3,4
    

Packages query

  • listing packages with their number of installation:

    select
    package,
    version,
    architecture,
    description,
    section,
    package_uuid,
    count(*)
    from hostpackagesstatus s
    where section not in ('host','unit','group')
    group by 1,2,3,4,5,6
    

Software query

  • listing WAPT Discovery agents:

    select
    h.uuid,
    h.computer_name,
    install_date::date,
    version,
    h.listening_timestamp::timestamp,
    name
    from hostsoftwares s
    left join hosts h on h.uuid=s.host_id
    where
    s.key='WAPT_is1'
    and (name ilike 'WAPT%%Discovery%%' or name ilike 'WAPT %%')
    
  • listing hosts with their 7zip version associated:

    select
    hosts.computer_name,
    hostsoftwares.host_id,
    hostsoftwares.name,
    hostsoftwares.version
    from hosts, hostsoftwares
    where hostsoftwares.name ilike '7-zip%%'
    and hosts.uuid=hostsoftwares.host_id
    order by hosts.computer_name asc
    
  • listing hosts with their software:

    select
    n.normalized_name,
    s.version,string_agg(distinct lower(h.computer_name),' '),
    count(distinct h.uuid)
    from hostsoftwares s
    left join normalization n on (n.original_name = s.name) and (n.key = s.key)
    left join hosts h on h.uuid = s.host_id
    where (n.normalized_name is not null)
    and (n.normalized_name<>'')
    and not n.windows_update
    and not n.banned
    and (last_seen_on::date > (current_timestamp - interval '3 week')::date)
    group by 1,2
    
  • listing normalized software:

    select
    n.normalized_name,
    string_agg(distinct lower(h.computer_name),' '),
    count(distinct h.uuid)
    from hostsoftwares s
    left join normalization n on (n.original_name = s.name) and (n.key = s.key)
    left join hosts h on h.uuid = s.host_id
    where (n.normalized_name is not null)
    and (n.normalized_name<>'')
    and not n.windows_update
    and not n.banned
    and (last_seen_on::date > (current_timestamp - interval '3 week')::date)
    group by 1
    

You can also find several more examples of queries on Tranquil IT’s Forum.

Feel free to post your own queries on the same forum with an explanation of what your query does, ideally with a screen capture or a table showing a sample of your query result.

Normalizing software names

Sometimes, the version of the software or its architecture is an integral part of the software name. When such software registers with the WAPT Server inventory, each variant appears as a different software, whereas for us humans it is just one software.

To solve this problem, we propose to standardize the name of the software with WAPT.

Normalizing the name of software

  • click Normalize Software Names in the Tools menu;

  • select the software to standardize, for example, all different version of Adobe Flash Player;

  • on the column normalized, press F2 to assign a standardized name to the selected software. Then press Enter;

Note

  • to select several programs, select them with the shift-up/down key combination;

  • you can also flag a software as windows update or banned (press the spacebar in the corresponding column);

  • press on Import to load the changes from the server;

  • press on Write to save your changes;

You can now run your queries on this standardized name.

Connecting to the WAPT database using a PostgreSQL client

If you prefer to use a PostgreSQL client, you can connect it to your WAPT database.

To do so, you’ll have to change some configuration files on your WAPT server.

  • find out which version of PostgreSQL you are running:

    ps -ef | grep -i sql
    postgres   512     1  0 Jan05 ?        00:00:24 /usr/lib/postgresql/12/bin/postgres -D /var/lib/postgresql/12/main -c config_file=/etc/postgresql/12/main/postgresql.conf
    
  • modify the pg_hba.conf of the PostgreSQL version in use. In /etc/postgresql/12/main/pg_hba.conf for Debian and /var/lib/pgsql/12/data/pg_hba.conf for CentOS, under the # IPv4 local connections section, add your address:

    host    wapt             all             192.168.0.65/32              md5
    

    where 192.168.0.65 is your IP address that is authorized to connect to the WAPT database.

  • allow PostgreSQL to listen on every interface in /etc/postgresql/12/main/postgresql.conf for Debian and /var/lib/pgsql/12/data/postgresql.conf for Centos, section Connection Settings:

    listen_addresses = '*'
    
  • restart the service for your PostgreSQL version.

    systemctl restart postgresql@12-main.service
    
  • connect to PostgreSQL on waptserver:

    sudo -u postgres psql template1
    
  • then give a password to wapt user:

template1=# ALTER USER wapt WITH PASSWORD 'PASSWORD';
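
With listen_addresses = '*', pg_hba.conf is what decides which addresses may reach the wapt database, so it is worth checking the file after the change. The following Python check is an added example, not part of WAPT: it lists the network entries that open the database to more than a single address or that use the trust method. The sample file content and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf: the /32 entry is the one from the procedure above,
# the /16 and 0.0.0.0/0 entries are illustrative mistakes.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    wapt            all             192.168.0.65/32         md5
host    wapt            all             192.168.0.0/16          md5
host    all             all             0.0.0.0/0               trust
"""

NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def is_ip(value):
    """True when value is a bare IPv4/IPv6 address (no /prefix)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Yield (line number, databases, address, method) for each network record."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in NETWORK_TYPES:
            continue  # comments, blank lines and "local" (socket) records
        databases, address, rest = fields[1].split(","), fields[3], fields[4:]
        # "ADDRESS NETMASK METHOD" form: fold the mask column into the address.
        if is_ip(address) and is_ip(rest[0]) and len(rest) > 1:
            address, rest = f"{address}/{rest[0]}", rest[1:]
        yield lineno, databases, address, rest[0]


def audit_wapt_access(text, database="wapt"):
    """Return (line number, message) findings for records that match the database."""
    findings = []
    for lineno, databases, address, method in parse_pg_hba(text):
        if database not in databases and "all" not in databases:
            continue
        if method == "trust":
            findings.append((lineno, "trust method: no password is asked"))
        if address == "samehost":
            continue
        if address in ("all", "samenet"):
            findings.append((lineno, f"address keyword {address!r} admits a whole network"))
            continue
        try:
            network = ipaddress.ip_network(address, strict=False)
        except ValueError:
            findings.append((lineno, f"{address!r} is a host name, review it by hand"))
            continue
        if network.is_loopback:
            continue
        if network.num_addresses > 1:
            findings.append((lineno, f"{network} admits {network.num_addresses} addresses"))
    return findings


if __name__ == "__main__":
    for lineno, message in audit_wapt_access(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {lineno}: {message}")
```

Run it against the content of the pg_hba.conf you edited; an empty result means only single addresses and loopback can reach the wapt database with a password.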


Using WAPT SelfService

WAPT Enterprise feature only

New in version 1.7: Enterprise

Presentation

With WAPT 1.7 Enterprise you can now filter the list of self-service packages available for your users.

Your users will be able to install a selection of WAPT packages without having to be a Local Administrator on their desktop.

The Users gain in autonomy while deploying software and configurations that are trusted and authorized by the Organization. This is a time saving feature for the Organization’s IT support Helpdesk.

How does it work?

With WAPT 1.7 Enterprise, a new type of WAPT package exists beside base, group, host, profile and unit packages: selfservice packages.

Create a selfservice package

A selfservice package may now be deployed on hosts to list the different self-service rules that apply to the host.

How to use the selfservice feature?

Hint

The selfservice feature is only available with WAPT Enterprise.

In the Discovery version, only Local Administrators and members of the waptselfservice group can access self-service on the agent.

In the Discovery version, it is not possible to filter the packages made accessible to the user.

In the console go to the tab Self-service rules.

You can now create your first selfservice rule package.

  • give a name to your new selfservice package;

  • click on Add to add an Active Directory group (at the bottom left);

  • name the selfservice group (with F2 or type directly into the cell);

  • drag the allowed software and configuration packages for this selfservice group into the central column;

  • add as many groups as you want in the package;

  • save the package and deploy the package on your selection of hosts;

  • once the package is deployed, only allowed packages listed in the selfservice group(s) of which the User is a member will be shown to the logged in User;

Note

  • if a group appears in multiple selfservice packages, then the rules are merged;

  • the authentication used is system authentication, local users and groups, but if the machine is in a domain then authentication and groups will also work with users and groups in the domain;

How to use the self-service on the user station?

The self-service is accessible to users in the start menu under the name Self-Service software WAPT.

It is also available directly in <base>\waptself.exe.

The login and password to enter when launching the self-service are the User’s credentials (local or Active Directory credentials).

The self-service then displays a list of packages available for installation.

Self Service

  • the user can have more details on each package with the + icon;

  • different filters are available for the user on the left side panel;

  • the Update Catalog button is used to force a wapt-get update on the WAPT agent;

  • the list of package categories is displayed to the user. To add a category to the list, you must specify the category in the categories section of the control file of the relevant package;

  • the current task list of the WAPT agent is available with the task bar button;

  • it is possible to change the language of the interface with the configuration button at the bottom left.

Customizing the Self Service interface

Adding the Logo of your Organization

In the Enterprise version of WAPT only, it is possible to change the logo that appears in the self-service interface and therefore improve the acceptance of the Self Service feature by your users.

To do this, simply place the logo you want in <wapt>\templates\waptself-logo.png

Note

It is highly recommended to use a .png file with a 200 x 150px resolution.

Managing package categories

Default categories are:

  • Internet;

  • Utilities;

  • Messaging;

  • Security;

  • System and network;

  • Storage;

  • Media;

  • Development;

  • Office;

You can easily create your own categories by writing a new category of your choice in the categories section of the control file of any WAPT package. WAPT will automatically show the package in the new category.

WAPT Agent Settings for WAPT Self-Service

The WAPT agent can be configured to force WAPT SelfService package filtering for Local Administrators. See the settings for WAPT Self-Service and Waptservice Authentification.

Configuring a different authentication method for the selfservice

As mentioned above, authentication on WAPT service is configured by default in system mode.

This means that the WAPT service transmits the authentication directly to the operating system; it also recovers the groups by directly interrogating the operating system.

This behavior is defined with the value of service_auth_type in wapt-get.ini. The default value is system.

In this mode we assume that Local Administrators can see all the packages. To change this behavior, modify the value of waptservice_admin_filter in wapt-get.ini.

You may be interested in looking up this article describing the settings for WAPT Self-Service and Waptservice Authentification for more options.

Two additional modes are available starting with version 1.8.2:

  • waptserver-ldap: this mode authenticates against the WAPT server, which makes an LDAP request to verify authentication and groups. Warning: for this to work, you must have configured LDAP authentication on the WAPT server (the configuration of the admin group will be ignored). See this article on configuring authentication against Active Directory for more information.

  • waptagent-ldap: this mode authenticates against an LDAP server identified in wapt-get.ini. The WAPT agent makes an LDAP request to verify authentication and groups.

    You may be interested in looking up this article describing the settings for WAPT Self-Service and Waptservice Authentification for more options.

Note

For the system authentication to work correctly under GNU/Linux, be sure to configure your PAM authentication and your nsswitch.conf correctly. The id username command must return the list of the groups the user is a member of.


Differentiating user roles in WAPT

WAPT Enterprise feature only

New in version 1.5: Enterprise

Introduction

WAPT offers the possibility to differentiate administrator roles based on a PKI to sign packages and actions.

Hint

The following description of roles differentiation is temporary as it will evolve in the near future.

WAPT admin users roles differentiation

Private key + certificate types and their key usages:

  • Simple private key + certificate: allows authentication on WAPT console + interactions with WAPT agents;

  • Developer private key + certificate: allows authentication on WAPT console + interactions with WAPT agents + package signing;

  • Certificate Authority (CA) private key + certificate: allows authentication + interactions + package signing + private key issuing;

A common WAPT install will generate a CA private key by default, allowing private key issuing for developers and package signing.

It is possible to issue a Certificate Authority for each subsidiary. It is then possible to issue a personal private key and its corresponding certificate to each IT admin.

From the schematic above, we can draw the following conclusions:

  • WAPT agents in HQ can be managed by the HQ IT team and cannot be managed by the IT teams of the subsidiaries;

  • WAPT agents in the subsidiary that have both certificates, from HQ and from the subsidiary, can be managed by the local IT team and by the HQ IT team;

Using an existing PKI is possible; the WAPT Console also comes with a simple certificate generator.

Generating a new certificate

Generating a new self-signed certificate

Generating the Certificate Authority (CA)

When installing WAPT, you are asked to create a .pem / .crt pair by checking the boxes Certificate CA and Code Signing.

This .pem / .crt pair allows you to sign WAPT packages and new certificates.

Generating a new certificate with the Certificate Authority

To create a new .pem / .crt pair from the private key, click on Create a certificate.

Note

The new certificate will not be a self-signed certificate;

This new certificate will be signed by the CA (the key generated at the time of the first installation of WAPT);

You must then fill in the CA’s certificate and the CA’s key.

When generating the new .pem / .crt pair, you have the option to choose whether or not the new certificate will be a Code Signing type.

Hint

As a reminder, a Code Signing certificate is reserved for individuals with the Administrator role in the context of WAPT, and a simple SSL certificate without the Code Signing attribute is reserved for individuals with the role of Package Deployer.

Administrators will be authorized to sign packages that CONTAIN a setup.py executable file (i.e. base packages).

Individuals with the Package Deployer role will be authorized to sign packages that DO NOT CONTAIN a setup.py executable file (i.e. host, unit and group packages).

Generating a certificate without the Code Signing attribute

Keys and certificates that are Not Code Signing may be distributed to individuals in charge of deploying packages on the installed base of WAPT equipped devices.

Another team, holding certificates with the Code Signing attribute, will prepare the WAPT packages that contain applications that need to be configured according to the Organization’s security guidelines and the user customizations it wants.

Generating a certificate with the Code Signing attribute

Generating a new .pem / .crt pair also makes it possible to formally identify the individual who has signed a package, by looking up the CN attribute of the WAPT package certificate.

Hint

The new certificates will not be CA Certificates, which means that they will not be authorized to sign other certificates.

As a general rule, there is only one CA Certificate pem / crt pair per Organization.

Deploying certificates of local IT admins on clients

Some Organizations will choose to let local IT administrators perform actions on WAPT equipped devices by issuing them personal certificates that will work on the set of devices for which the local IT admins are responsible.

The headquarters IT admins will deploy the certificates of local IT admins on the computers that local admins manage on their respective sites.

This way, local IT admins will not be able to manage computers located in headquarters, but only those on their own sites.

You will need to copy the certificates of the allowed local IT admins to the client, in C:\Program Files (x86)\wapt\ssl.

Hint

Do not forget to restart the WAPT service on clients for them to use their new certificate. Open a cmd.exe command prompt, then run:

net stop waptservice
net start waptservice

If you want to deploy the certificates using WAPT, below is an example of a package to deploy certificates on client computers.

# -*- coding: utf-8 -*-
from setuphelpers import *

uninstallkey = []

def install():
  # Copy the remote site's CA certificate into the ssl folder of the WAPT agent
  print("Copy of AC's distant site")
  filecopyto('ca_distant.crt', makepath(install_location('WAPT_is1'), 'ssl'))

def audit():
  # Report the audit status of this package to the WAPT server
  print('Auditing %s' % control.asrequirement())
  return "OK"

if __name__ == '__main__':
  update_package()
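The certificate types described under "Generating a new certificate" and the certificates copied into the agent's ssl folder can both be checked with a short script. This is an added example, not WAPT's own code: it assumes the Python cryptography package, that the Code Signing attribute corresponds to the X.509 codeSigning extended key usage and the CA attribute to basicConstraints CA:TRUE; make_cert, describe, audit and may_sign are hypothetical names and all certificates are constructed by the script.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

def make_cert(cn, ca=False, code_signing=False, issuer=None):
    """Constructed sample certificate; issuer is a (cert, key) pair, None = self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(issuer[0].subject if issuer else name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if code_signing:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
    cert = builder.sign(issuer[1] if issuer else key, hashes.SHA256())
    return cert, key, cert.public_bytes(serialization.Encoding.PEM)

def describe(pem):
    """CN, SHA-256 fingerprint and certificate type (ca / developer / simple) of a PEM cert."""
    cert = x509.load_pem_x509_certificate(pem)
    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            return None
    bc, eku = ext(x509.BasicConstraints), ext(x509.ExtendedKeyUsage)
    code_signing = eku is not None and ExtendedKeyUsageOID.CODE_SIGNING in eku
    kind = "ca" if (bc is not None and bc.ca) else "developer" if code_signing else "simple"
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return {"cn": cns[0].value if cns else "", "kind": kind, "code_signing": code_signing,
            "sha256": cert.fingerprint(hashes.SHA256()).hex()}

def audit(ssl_dir_pems, approved_sha256):
    """Certificates present in an agent's ssl folder that are not on the approved list."""
    return [d for d in map(describe, ssl_dir_pems) if d["sha256"] not in approved_sha256]

def may_sign(pem, package_files):
    """Rule from this page: a package that contains setup.py needs a Code Signing certificate."""
    return describe(pem)["code_signing"] or "setup.py" not in package_files
```

To audit a real client, pass audit() the bytes of each .crt file found in the agent's ssl folder and the set of fingerprints your Organization has approved for that site.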

Synchronizing WAPT inventories to GLPI

WAPT Enterprise feature only

New in version 2.0: Enterprise

Working principle

WAPT Enterprise offers synchronization between the inventories of your hosts and the GLPI ITSM software.

The method automatically synchronizes changes on your IT infrastructure with the Glpi server.

Installing the required dependencies

In order to receive inventories on your Glpi server, you’ll need the FusionInventory plugin on your Glpi server.

After installing FusionInventory, you will have an endpoint on your WAPT server to send the inventories to (…/glpi/plugins/fusioninventory/).

Configuration

You can open the window to configure Glpi with Tools > Manage Wapt to Glpi.

WAPT console showing the Glpi configuration in WAPT

The properties entered in Glpi Server Properties add the required parameters to the waptserver.ini configuration file.

[options]
...
glpi_server_endpoint = glpi.mydomain.lan/glpi/plugins/fusioninventory/
glpi_server_user = user
glpi_server_pass = password
glpi_server_pause_timeout = 20,15
glpi_inventory_update_delay = 4
glpi_inventory_update_range = 25

  • glpi_server_endpoint: URL of the FusionInventory plugin on the GLPI server, where the inventories are uploaded;

  • glpi_server_user, glpi_server_pass: Glpi server credentials;

  • glpi_server_pause_timeout = A,B: pause uploading for A seconds when server takes more than B seconds to respond;

  • glpi_inventory_update_range: number of uploads after which the database is updated; if you stop the upload, it will restart from the last update;

  • glpi_inventory_update_delay = C: The upload is triggered automatically every C hours if not already running;
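The parameters above can be validated before the WAPT server is restarted. This is an added example, not part of WAPT: audit_glpi_options and its findings are hypothetical, the sample input is constructed from the values shown above with an http:// scheme added, and the file permission check only applies to a POSIX server.

```python
import configparser
import os
import stat

# Constructed input: the sample from this page, with an explicit http:// scheme added.
SAMPLE = """[options]
glpi_server_endpoint = http://glpi.mydomain.lan/glpi/plugins/fusioninventory/
glpi_server_user = user
glpi_server_pass = password
glpi_server_pause_timeout = 20,15
glpi_inventory_update_delay = 4
glpi_inventory_update_range = 25
"""

def audit_glpi_options(ini_path):
    """Return (settings, findings) for the glpi_* keys of a waptserver.ini file."""
    cp = configparser.ConfigParser(interpolation=None)  # a password may contain '%'
    cp.read(ini_path)
    opt = cp["options"]
    findings = []
    endpoint = opt.get("glpi_server_endpoint", "").strip()
    try:  # "A,B": pause A seconds when the server needs more than B seconds to answer
        pause, slow = (int(v) for v in opt.get("glpi_server_pause_timeout", "").split(","))
    except ValueError:
        pause = slow = None
        findings.append("glpi_server_pause_timeout is not of the form 'A,B'")
    settings = {
        "auto_upload": bool(endpoint),  # a blank Endpoint disables the scheduled task
        "every_hours": opt.getint("glpi_inventory_update_delay", fallback=None),
        "pause_seconds": pause,
        "slow_after_seconds": slow,
        "db_update_every": opt.getint("glpi_inventory_update_range", fallback=None),
    }
    if endpoint.lower().startswith("http://"):
        findings.append("endpoint uses plain http://: uploads are not encrypted in transit")
    if opt.get("glpi_server_pass") and os.name == "posix":
        mode = stat.S_IMODE(os.stat(ini_path).st_mode)
        if mode & stat.S_IROTH:
            findings.append("glpi_server_pass sits in a world-readable file (mode %o)" % mode)
    return settings, findings
```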

Using WAPT to send inventory updates to Glpi

As you can see in the configuration window, you can fill in the settings and trigger or stop an upload right from the WAPT console:

  • when you fill in Glpi Server Properties, the configuration is registered on the WAPT server when you click Save;

  • you can retrieve properties already registered on the WAPT server by clicking on Reset (the password is not loaded);

  • the Endpoint field is the GLPI server URL to which the inventories are sent (glpi_server_endpoint);

  • you can trigger an upload without waiting for the scheduled task by clicking Upload;

  • you can stop the upload at any time by clicking Cancel;

Hint

The upload status is updated every 15s; you can follow the progress with the status bar.

If you have many hosts, the upload may take a long time. To avoid this, when the upload is triggered, only inventories that have changed are uploaded:

  • with Force upload every inventory is uploaded, ignoring already uploaded data.

Advanced use of the Glpi plugin

To display advanced properties, select the Advanced button.

WAPT console showing the Glpi advanced configuration in WAPT

  • The scheduled task runs every Cron every… hours only if the Endpoint is entered. You can disable the scheduled task by leaving the Endpoint empty. ~> glpi_inventory_update_delay.

Hint

If you want to disable automatic upload, you have to Save a blank Endpoint.

  • you can trigger pauses (Pause…) when the server response time is too long (over…). ~> glpi_server_pause_timeout;

  • Update db… sets the database synchronization frequency during upload. ~> glpi_inventory_update_range