Altiris ITMS 8.7.1 released

19. September 2023

Release 8.7.1 of the IT Management Suite (ITMS 8.7.1) from Broadcom has been available since mid-September 2023. The release can be installed immediately via the Symantec Installation Manager (SIM).
We are happy to support you in updating to the new version, please contact us.

These New Features were introduced with Release 8.7.1:

New Symantec Management Platform Features

Pending system reboot halts ITMS installation, upgrade, or repair	Symantec Installation Manager does not allow the installation, upgrade, or repair of ITMS to begin if it detects a pending system reboot on the Notification Server. If a pending system reboot is detected, a message appears on the corresponding Review Details page, stating that you must reboot the Server to continue the installation, upgrade, or repair. Reboot the Notification Server, and then continue your installation, upgrade, or repair.
Removed Apple Profile Management Capabilities	Apple Profile Management solution is no longer available, starting with the 8.7.1 release. Use the MacOS MDM functionality, available starting from ITMS 8.6 RU2.For more information, see Setting up MDM for macOS.
Software resource deletion triggers cascading deletion of related items	You may want to delete older software resources from the software library, and then have that deletion trigger a cascading deletion of associated software packages, software delivery policies/tasks, and associations with other software resources. However, there are significant dependencies between a software resource and other entities that you may not realize. There are three options to address these dependencies: • Delete all associated policies and tasks on this server: This option deletes all policies, tasks, and dependencies associated with a software resource, and then deletes the software resource and associated packages. • Replicate deletion immediately in hierarchy on all child servers: This option deletes software resources on child notification servers replicated from a parent notification server. • Additionally delete policies and tasks managed by child servers: Use this option to delete resources that were created on child notification servers.For more information, see the Deleting a Software Resource topic.
Removed network protocols	The following network protocols are removed from connection profiles: • ASF • EMC • MD Array
New Reports identifying outdated plug-ins	There are three new reports that help you to identify situations where the version of the Symantec Management Agent installed on a computer is not consistent with the version of the Notification Server to which the agent reports. These report also help identify situations in which the version of an agent plug-in installed on a computer is not consistent with the version of the Symantec Management Agent found on the computer.Access the reports by selecting Reports, the Notification Server Management folder, the Agent folder, and then the Agent and Plug-ins Actual and Expected Versions folder. The three new reports are as follows: • Symantec Management Agent Health Status Summary Helps identify computers on which the version of the Symantec Management Agent is outdated. • The Symantec Management Agent – Actual and Expected Versions Displays the actual version of the Symantec Management Agent installed on each computer, as well as the expected version of the agent based on the version of the Notification Server to which it connects. • Symantec Management Agent Plug-ins – Actual and Expected Versions Helps identify situations in which the version of a plug-in installed on a computer is not consistent with the version of the Symantec Management Agent installed on that computer.
Reports, filters, and targets now have Modified By and Modified Date/Time information	You can now identify when reports, filters, and targets were last modified and who modified them. Most reports and filters have Modified By and Modified Date/Time information. You can get a list of targets by using the Search Items functionality and searching for Resource Targets. The Modified By and Modified Date/Time information associated with targets is visible there.If you do not want to see this information, follow these steps: 1. In the Symantec Management Console, on the Settings menu, select Notification Server > Core Settings, and then select the Active Settings folder. 2. Select the + button to display the Add new Core Setting dialog. 3. In the Name field, enter `ShowModifiedAtTitle`. 4. In the Value field, enter the following values: • 0: turn OFF, do not show • 1 (default): show only for modifiable items • 2+: always show, even for read-only items 5. Select OK to confirm and exit this new setting.
CEM Installation Package for Linux	As an administrator, you can create a standalone Cloud Enabled Management (CEM) installation package for Linux computers, so that you can manually install the Symantec Management Agent and Cloud Enabled Management policy on such computers.There are two new standalone CEM agent installation packages for Linux, one for Linux distributions that use RPM packages and another for Ubuntu (which uses .DEB packages).You can distribute these standalone packages either using email, or downloaded from a server or externally accessible file share hosted by your organization. These methods allow you to manually install the Symantec Management Agent and Cloud Enabled Management policy on Linux computers when they are not connected to your organization’s network directly or via VPN.After installing the Symantec Management Agent and Cloud Enabled Management policy, you can manage computers over the Internet without having them connect to your organization’s network. The standalone CEM installation packages lets you configure Linux computers to be managed by ITMS without connecting to your network, and you can then manage those computers without connecting to your network. For more information, see Generating and Installing the Cloud-Enabled Management Offline Package.
Support for TLS 1.3	Symantec Management Platform supports TLS 1.3 for Symantec Management Agent SSL connections. TLS 1.3 is natively supported by Windows 11 and Windows Server 2022.For example, to enable support for the Notification Server communication profile for Symantec Management Agents, follow these steps: 1. In the Management Console, selectActions > the Symantec Management Agent folder > [Default Notification Server Communication Profile]. 2. In the profile that appears, select the Edit link next to SSL certificates are defined for current profile. 3. In the Security Settings for Symantec Management Agent SSL Connection dialog that appears, in the Transport Layer Security protocols section, select the TLS 1.3 check box.
Actions available to non-administrator users in the agent UI	As an administrator, you can determine if a non-administrator can see and use the Update Configuration and Send Basic Inventory buttons in the Agent UI. By default, these buttons do not appear to non-administrators.On the Targeted Agent Settings page, the Restrict non-administrators access to the Symantec Management Agent user interface option is selected by default, so non-administrator users cannot see the Update Configuration and Send Basic Inventory buttons in the Symantec Management Agent UI. Clearing this check box allows them to see and use both these buttons.The new Allow Non-Administrators to Update Configuration and Allow Non-Administrators to Send Basic Inventory options allow you to provide non-administrators with access to the corresponding buttons.For more information, see the Targeted Agent Settings Page topic.
Control whether non-administrators can create repeat schedules	When creating custom security roles, customers often clone the Symantec Administrator security role and then make adjustments to the various privileges and permissions. As an administrator, you can limit access to some functionality that they do not want non-administrators to use. Using the new `ServerScheduleRepeatEditable4NonAdmins` setting, you can prevent non-administrators from creating repeat schedules, so that they cannot create tasks that will execute multiple times in succession within a short duration. This setting is not visible in the console by default, but can be added in the Add New Core Setting dialog. 1. In the Symantec Management Console, on the Settings menu, select Notification Server > Core Settings, and then select the Active Settings folder. 2. Select the + button to display the Add new Core Setting dialog. 3. In the Name field, enter `ServerScheduleRepeatEditable4NonAdmins`. 4. Enter the desired value: • 1: Non-admin users can create repeat schedules by default • 0: Non-admin users can not create repeat schedules by default
Prevent non-administrators from creating shared schedules	When creating custom security roles, customers often clone the Symantec Administrator security role and then make adjustments to the various privileges and permissions. As an administrator, you an limit access to some functionality that they did not want non-administrators to use.Using the new `ServerScheduleSharedEditable4NonAdmins` setting, you can prevent non-administrators from creating shared schedules. This setting is not visible in the console by default, but can be added in the Add New Core Setting dialog. 1. In the Symantec Management Console, on the Settings menu, select Notification Server > Core Settings, and then select the Active Settings folder. 2. Select the + button to display the Add new Core Setting dialog. 3. In the Name field, enter `ServerScheduleSharedEditable4NonAdmins`. 4. Enter the desired value: • 1: Non-admin users can create shared schedules by default • 0: Non-admin users can not create shared schedules by default
New Core Performance page provides an overview of overall system performance	The new Core Performance page provides an overview of overall system performance, including system load, event queue status, and processing history. This page displays information previously only accessible in log files, and presents a historical view based on data snapshots. To display the Core Performance page, select Manage > Settings > Notification Server > Internals > Core Performance. Use this page to troubleshoot when you experience system performance issues. This page can help identify situations when available resources are insufficient to handle the system load, or the event queues are being flooded or are not being processed. In addition, use the page to make adjustments to resource allocations. This page has the following sections: • System Load Displays a variety of information, including the number of CPUs and amount of RAM available to the Notification Server and the percentage of such resources currently being consumed. It also displays the number of TCP, IIS and Web Sockets connections. Likewise, it displays the number of CPUs available to SQL Server, the percentage of those resources currently being consumed and the number of SQL Connections. • Event Queue Status Displays data regarding:The size of each of the five different event queuesThe number of messages in each queueThe number of threads allocated to each queueThe number of active threads in each queueYou can change the number of threads allocated to each queue directly on this page. • Processing History Displays historical trends based on data snapshots. It can show one of three views: – Queue Status: Shows the number of messages in each queue at particular points in time, as well as the load on the server at those times. – Server Processing: Shows the number of items processed per second at particular points in time, and the server load at those times. – Persistent Traffic: Shows amount of data sent and received using web sockets connections at various points in time, along with the corresponding system loads in terms of CPU and RAM.
Filter Automation Policy Report Results	When running a report from within an automation policy, you can now apply the report’s pre-defined parameters to the report results, as well as apply additional filter conditions.
IT Analytics improvements	You can now use IT Analytics with browsers such as Google Chrome and Microsoft Edge. You can also use IT Analytics with SQL Server 2022 databases.
Software Compliance Detailed Summary report now includes an All option for Compliance Status	The Software Compliance Detailed Summary report now includes an All option for Compliance Status. Selecting this option allows you to display all Managed Delivery Policies, regardless of their status.
The 8.7.1 SMP Server and Task Server support .Net Framework 4.8.x, and require .Net Framework 4.8.x for installation and upgrade	The 8.7.1 Symantec Management Platform Server and Site Server Task Service support the .Net Framework 4.8.x, and require the .Net Framework 4.8.x for installation and upgrade.

New Symantec Management Agent Features

Prevent package download over metered connection

End users can connect their systems to the Internet or your organization’s network in a variety of ways, such as VPN, Metered, or Wi-FI. Some end users connect their computer using a tethered connection from their mobile phone. Downloading a large installation package could easily consume the monthly data allowance for their phone. To prevent this data consumption from happening, use the Over Metered Conection option in the Prevent Downloading section of the Targeted Agent Settings Page‘s Software Delivery tab.
For more information, see the Targeted Agent Settings Page topic.

New OS Support

The following operating systems are now supported for the installation of the Symantec Management Agent and solution plug-ins:
• Oracle Linux 9.2
Visit the Support statement in the Release Notes
• Red Hat Enterprise Linux 9.2
Visit the Support statement in the Release Notes

New Symantec Management Console Features

New Server Settings audit

The Server Settings Audit tracks the history of actions performed on an Item, by the corresponding User. This audit also tracks core settings modifications by users.For more information, see the Server Settings Audit topic.

New script types added to the Run Script Task

Two new options have been added to the Script Type option for Run Script tasks. The existing PowerShell option continues to execute scripts using the native version of PowerShell, which is usually installed on windows by default.

• The PowerShell Core option uses a non-native version of PowerShell, such as PowerShell 7.
• The PowerShell (any version option first tries to use PowerShell Core, but if PowerShell Core is not found, reverts to the native version of PowerShell.

For more information, see the Run Script Task Page topic.

New Inventory Solution Features

Enhanced Detection of Microsoft Store APPX apps	Information about APPX apps (that is, Microsoft Store apps) is now collected from Windows 11 22H2 computers. The information collected regarding APPX apps is also now more consistent with the information displayed inAdd/Remove Programs, in terms of the names reported and apps detected. In addition, ITMS now collects and reports the installation date of APPX apps.
Retry mechanism to send NSE collected by Standalone Inventory Package,	In the Standalone Inventory package, you can now configure options to re-send data to the Notification Server if a previously sent NSE file is not delivered to the Notification Server.For more information, see the Inventory Delivery Retries and Retry Timeout configuration options in the Stand-Alone Inventory Package Options topic.
Generating NSEs with unique names by Standalone Inventory Package.	Starting from 8.7.1, each execution of standalone inventory package generates a NSE with a unique name that includes the host name of the machine where the package is executed, as well as the execution date and time.

New ITMS Management Views Features

Display only those policies that include currently active software resources.

The Software Releases view includes the Policies Installing this Software pane. This pane that shows the policies that include the selected software release. In some cases, a particular software release may be included in several different policies.
There is a new option in the Policies Installing this Software pane of the Software Releases view: Show only active policies.
If you select this option, the Policies Installing this Software pane displays only enabled policies.
For more information, see the Software Product Summary Page topic.

New Software Management Features

Use Known As rules to merge software resources, including previously discovered resources	You can use the Known As functionality to consolidate multiple resources so you can manage these resources as a single software resource. You can also generate a report as you create the rule to display the list of resources matching the rule. The report also displays duplicate resources available in the database. While Known As rules were previously only applied to resources discovered after the rules were created, you can now also apply Known As rules to previously discovered resources. For more information, see the Add or Edit Known-As Wildcard Dialog Box topic.
Message indicating Managed Software Delivery policy halted due to pending restart or logoff from previously executed policy	A message now appears in red text in the Symantec Management Agent when a pending restart or logoff associated with a Results Based Action in a Managed Software Delivery policy is preventing other Managed Software Delivery policies from executing. The pending restart or logoff associated with the Results Based Action in the Managed Software Delivery policy also appears under the Status column for that policy in the Symantec Management Agent.
New icon indicates if Managed Software Delivery policy published to Software Portal	A new icon identifies whether a Managed Software Delivery policy has been published to the Software Portal. This icon helps to quickly and easily identify those policies that have been published to the Software Portal when viewing a list of multiple policies.
Software Portal displays more characters	Software Portal tiles now display more characters, minimizing the need for end users to hover over tiles to see the full names of available items. Tiles can now use two lines of text on tiles to display the names of items. This should reduce the need for end users to hover over a tile to see the full name in cases involving longer names. If the full name cannot be displayed on two lines, an ellipsis appears at the end of the display text. End users can hover over the tile to see the full name.
Show only active policies in Software Releases View	The Software Releases view includes the Policies Installing this Software pane/ This pane that shows the policies that include the selected software release. In some cases, a particular software release may be included in several different policies. There is a new option in the Policies Installing this Software pane of the Software Releases view: Show only active policies. If you select this option, the Policies Installing this Software pane displays only enabled policies. For more inforamtion, see the Software Product Summary Page topic.

New Deployment Solution Features

Support for Wi-Fi network adapters in WinPE	Our engineering team created a workaround to enable devices to connect to a PXE server from a preboot environment, using a Wi-Fi adapter. For example, an end user working from home needs to image or re-image a device, but does not have an Ethernet connection. WinPE does not natively include support for Wi-Fi adapters, meaning it is not possible to connect to a PXE server using a Wi-Fi connection by default. This procedure shows you how to use a Wi-Fi adapter to let devices to connect to a PXE server from a preboot environment. For more information, visit the Release Notes directly.
HTTP/HTTPs support for Windows Scripted OS installations	Prior to 8.7.1, Windows Scripted OS Install tasks tasks could only access the installation package using a UNC connection. The installation package needed to be directly visible to the PECT agent. The PECT agent could not access package servers behind the firewall through the Internet Gateway when Cloud Enabled Management was used to perform a scripted OS installation.The Windows Scripted OS Install task has been improved. If a Windows Scripted OS Install task cannot access the Windows installation package using a UNC connection, it will now attempt to access it using HTTP/HTTPs. This makes it possible for a Windows scripted OS installation to be performed when the PECT agent does not have direct access to the installation package.
The Deployment Solution supports HTTP Boot	Users whose hardware supports HTTP Boot and have iPXE boot working on PXE server can now use this feature with the Deployment Solution.HTTP Boot combines the Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and Hypertext Transfer Protocol (HTTP) to provide system deployment and configuration capabilities over the network. Compared to PXE Boot, HTTP Boot can handle much larger files than TFTP, and scale to much larger distances. You can also use the Boot To – UEFI media task for this feature, making sure to include the name of the device responsible for HTTP Boot.
Support for DHCP option 82	The DHCP option 82 enables Option 82 support. Option 82 allows a DHCP Relay Agent to insert circuit−specific information into a request forwarded to a DHCP server. Selecting this option allows responses generated by the PXE/NBS to include the Option 82 information, and this information will not be dropped by the DHCP proxy.
Improved TFTP server performance	The TFTP performance has been improved, and as result, improving the PXE boot time. You can improve this time by increasing the value of the MTU Packet Size. TFTP performance may be configured by changing the value of the MTU Packet Size option in the TFTP Settings panel of the NBS General Settings page. By default, the MTU packet size value is 1456, and now can be changed to up to 65535.
Offline domain join	You can now join offline computers to a domain, so that users with computers provisioned by Cloud Enabled Management can connect to a domain.Briefly, you use the smatool.exe utility to create provisioning data, then you import the provisioning data. You then use this Offline Domain Join option within the Apply System Configuration task in a deployment job. This option configures the computer to connect to the domain after the next boot.For more information, see the procedure in the Join Offline Computers to a Domain Using the Offline Domain Join page topic.
Linux OS kernel updated to 5.10.0-22	The kernel version has been updated to 5.10.0-22 in LinuxPE. Download Linux LinPE from the console and import them manually. For more information, visit the Release Notes directly.
The Boot To task is extended.	A new option was added to the Boot to task: Ignore pending reboot operations on client
Removed legacy certificate extraction policies.	The Extract SSL Certificate (x86) – Install and the Extract SSL Certificate (x64) – Install policies are no longer available, starting with the 8.7.1 release.

With ITMS 8.7.1, various improvements or «fixed issues» were also released in the following solutions:

Symantec Management Platform
Asset Management Solution
Data Connector Solution
Deployment Solution
Inventory Solution
Monitor Solution
Patch Management Solution
Software Management Solution
Workflow Solution

Release Notes and User Guides

The release notes and other useful documents for Altiris can be conveniently found at:

Altiris links & downloads

As with all updates, there are a few things to consider, especially if you are running multiple clients and servers. We have profound experience in this area and would be happy to advise you on updating to the latest version. Feel free to contact us.