Troubleshoot Policy Deployment

When you assign a policy to a host, the policy is not deployed on the assigned endpoint until policyfetcher retrieves the deployment task and runs the policy script. As a result, deployment errors might occur for different reasons when the policy is transferred or deployed at the endpoint.
To resolve policy deployment errors, advanced policy management provides you with troubleshooting actions. You can perform these actions using either Privileged Access Manager Enterprise Management or the policydeploy utility. In Privileged Access Manager Enterprise Management, the troubleshooting actions are located in the Policy subtab of the Policy Management tab.
The troubleshooting actions are as follows:
  • Redeploy
    Creates a deployment task that contains the policy script and deploys the task to the endpoint. Use this option when the policy deploys on the endpoint with errors, that is, when execution of the selang policy script fails. You must fix the command syntax of the deploy or undeploy script manually before you can redeploy the policy.
    Note:
    This option is only available in Privileged Access Manager Enterprise Console, and is not supported in the policydeploy utility.
  • Undeploy
    Undeploys the policy from the specified endpoint without unassigning the policy from the corresponding host. Use this option to remove any policies from the endpoint that are not assigned to the host on the DMS.
    Note:
    You can deploy the policy directly to the specified endpoint manually using the policydeploy utility. Direct deployment of a policy without assigning it to the host on the DMS is not available in Privileged Access Manager Enterprise Console.
  • Reset
    Resets an endpoint and undeploys all the effective policies on the specified host.
    Privileged Access Manager resets the host status and deletes all GPOLICY, POLICY, and RULESET objects on the specified host by creating deployment tasks and sending the tasks to the host for execution.
    Use this option to clean an endpoint from all policy deployments. It also cleans endpoint status on the DMS.
    Note:
    This option does not remove DEPLOYMENT or GDEPLOYMENT objects from the endpoint or from the DMS, because you might need these objects for auditing purposes. You can use the dmsmgr -cleanup function to remove the DEPLOYMENT and GDEPLOYMENT objects after you reset the endpoint. After you reset an endpoint, you can assign policies to the endpoint as normal.
  • Restore
    Undeploys any policies on the specified host, and then deploys all the policies that must be deployed (assigned or directly deployed) on the host by creating deployment tasks and sending the tasks to the host for execution. Use this option when you re-install Privileged Access Manager or the operating system on the endpoint, or when you restore an endpoint from a backup, to redeploy all the policies that the DMS indicates are effective on that endpoint. This option does not change the endpoint status on the DMS.
How to Remove Obsolete Endpoints
The DMS stores information about your enterprise. If you remove a computer from the enterprise when you uninstall Privileged Access Manager from that computer, the DMS still contains a reference to that node. As a routine maintenance procedure, you should remove these obsolete nodes from the DMS.
To remove obsolete nodes, do one of the following:
  • Run the dmsmgr utility on the DMS computer to perform a routine clean up:
    dmsmgr -cleanup number_of_days -dms name
    number_of_days
    Defines the minimum number of days for which the Privileged Access Manager node has been unavailable.
  • Manually delete a specific node by issuing the following selang command on the DMS computer:
    rr HNODE HNODE_name
When you delete a node, Privileged Access Manager removes all the HNODE-related deployment tasks, removes all the deployment tasks' packages (unless they have other deployment task members), and only then removes the HNODE object.
View Deployment Audit Information
Privileged Access Manager Enterprise Management provides an audit of your policy deployments. This audit gives you a view of your policy deployments and a descriptive list of deployment tasks. The list details what triggered each deployment task, when it was created, and what type of deployment was involved. For each deployment task, you can further explore the following details: the host and policy pair for which the deployment task was created, the version of the policy that was deployed, the status of the deployment task (queued, succeeded, or failed), and the selang output (the result of deploying the command).
Follow these steps:
  1. In Privileged Access Manager Enterprise Management, follow these steps:
    1. Click Policy Management.
    2. Click the Policy subtab.
    3. Expand the Deployment tree in the task menu on the left.
      The Deployment Audit task appears in the list of available tasks.
  2. Click Deployment Audit.
    The Deployment Audit page appears.
  3. Define a scope for the deployment audit, then click Go.
    Privileged Access Manager Enterprise Management retrieves information about the deployments in the scope you defined and displays the results after a short delay.
  4. (Optional) Click on the trigger of a deployment to view more information about the associated deployment tasks.