Configure agent version control
Agent version control is a feature that gives you and your security operations team control over the specific versions of the Deep Security Agent that will be deployed when:
- using deployment scripts
- upgrading the agent through an upgrade alert, button, check box or other widget in the manager (the exceptions are listed in the FAQ)
- upgrading the agent through the agent upgrade on activation feature
This allows security operations teams who do not have control over Deep Security Manager's local inventory of agents or the relays the ability to declare exactly what agents will be used at any given time.
As new agents are released by Trend Micro, your security operations team can test them in controlled environments before changing the version control settings to expose the new agents to downstream applications teams in their production environment.
Topics:
Set up agent version control
- Before you begin, import the agent versions you want to use.
- Go to Deep Security Manager.
- Click Administration at the top.
- On the left, expand Updates > Software > Agent Version Control.
All the agent platforms appear in the main pane.
- (Optional) Use the Show/Hide Platforms section on the right to restrict the agent platforms that are visible.
- Make your agent version selections and click Save. Follow this guidance:
Only agent versions 9.0 or later are displayed. For Solaris specifically, only versions 11.0 or later are displayed. If you want to deploy earlier agents, you'll have to use the agentVersion= setting available in the deployment scripts. For details, see Use deployment scripts to add and protect computers.
Column Description PLATFORM This column lists the platforms for which Deep Security Agent software is available. VERSION CONTROL This column is where you select which version of the agent will be used by deployment scripts and so on. It has the following options:
- Latest: Indicates to use the latest agent software build available in your local inventory, either long-term support (LTS) or feature release (FR). The logic to determine the latest agent is based on the agent version number: the highest version is used. For example, a Deep Security 12 update agent with version 12.0.0.460 is higher than the Deep Security 12 General Availability (GA) agent. However, the Deep Security 12 feature release agents with version 12.5.0.350 is considered later than an LTS agent with version 12.0.0.460. In summary, choose Latest if you want the latest LTS or FR agent for the platform. For details on LTS and FR releases, see Deep Security 20 release strategy and life cycle policy.
- Latest LTS: (default) Indicates to use the latest long-term support (LTS) software build available in your local inventory. Latest LTS can be the original LTS release, or can be an update to the original LTS release. Any FRs in your inventory are ignored. LTS build versions always have ‘0’ as the minor version number. For details on LTS and FR releases, see Deep Security 20 release strategy and life cycle policy.
- <agent_version> for example, 11.0.0.760: Indicates to use a specific agent version available in your local inventory. Other agents in your inventory are ignored. If no agent version appears in the list, it's because there is no agent in your local inventory that matches the OS. To fix this issue, import an agent to your inventory.
The latest version of the agent is sometimes a few releases behind your manager version. For example, the latest LTS for Windows Server 2003 is 10.0.0.3377 as of this writing. Although a release may be behind your manager's, it is still supported if you can see it on the Agent Version Control page. For details, see Agent platform support policy.
RESULTING AGENT This column shows the agent that will be deployed based on your selection under VERSION CONTROL.
If the column shows an N/A (No agent in inventory) message, it's because there is no agent in your local inventory that matches the selection in VERSION CONTROL. To fix this issue, import an agent to your inventory or change the VERSION CONTROL selection.
Use agent version control with URL requests
Agent version control provides the ability to control what agents are returned when any URL request is made to Deep Security Manager to download the agent. For details, see Using agent version control to define which agent version is returned.
Agent version control FAQs
How does version control interact with agent import?
Prior to the introduction of agent version control, the primary way to control the agent version was to selectively import only those agents that you were confident you wanted to deploy. Once the agents were imported, the latest one for each platform was distributed to relays. The latest agents were then picked up from the relays by features like upgrade on activation and deployment scripts.
If you want to continue on this functionality (pre-12 functionality):
- As before, import the agents you want to deploy to your inventory, and remove the old ones. See Get Deep Security Agent software for details.
- Go to the Agent Version Control page and make sure all platforms are set to the default, Latest. For instructions, see Set up agent version control.
The Latest setting instructs the manager to continue using the latest agents in its local inventory, and you can continue to use your existing processes without any changes.
Is version control supported in multi-tenant deployments?
Yes.
You, as the primary tenant (t0), must import newer agent versions into your local inventory, and then allow each of your tenants to make decisions about what agents they want to deploy using the Agent Version Control page. If a tenant only wants to use LTS agents, or lock in to a specific agent version, they can do so independent of other tenants.
Do I need to update my deployment scripts to use this feature?
Yes.
To update your deployment scripts:
- In Deep Security Manager 12 or later, go to Support > Deployment Scripts and generate new deployment scripts. For instructions, see Use deployment scripts to add and protect computers.
- Re-distribute and re-run the new scripts as necessary.
The latest deployment scripts pass additional information to Deep Security Manager (for example, tenant information and platform information) that is required for the version control feature to work properly.
What happens if I don't update existing deployment scripts?
If you have existing deployment scripts that you generated prior to the availability of the agent version control feature, and you do not take any action to update them, they will default to Latest. This default will be used for any older deployment scripts regardless of how you have set your agent version control settings. Replace the older deployment scripts with new deployment scripts to leverage the settings you define in the agent version control settings.
Deployment scripts that are generated after the availability of the agent version control feature will use your agent version control settings.
What features are out of scope (exceptions)?
By design, the features listed below are out of scope for the agent version control feature. These features are typically accessed by the Deep Security Manager administrator directly, in many cases to test a specific agent version in a development or staging environment prior to deploying the agent version into production.
We have left full access to all agent versions accessible in these specific scenarios:
- the Computer details page > Upgrade Agent button
- the Computers > Actions > Upgrade Agent Software page
Selecting either of the above options launches a wizard with a drop-down list that always defaults to 'Use latest version for platform' regardless of your version control settings. For details, see Upgrade the agent from the Computers page.
- agent upgrades that are not initiated directly from Deep Security Manager. For example, if you export an agent package, transfer it to the server, and initiate the upgrade from the command line, the agent version control settings will not be involved in this upgrade.