Executing remote actions

Automatic and manual triggering

The way of triggering a remote action, whether manually or automatically, usually depends on the particular usage scenario.

Manual triggering is basically used in Assisted service scenarios, where a support team member executes a remote action to help an end-user solve an issue. The remaining scenarios typically schedule the execution of a remote action either periodically or in response to the detection of a specific issue:

Manual triggering:
  • Assisted service

Automatic triggering:
  • Self-help
  • Self-healing
  • On-demand data

Delayed first execution of automatically triggered actions

Once an automatically triggered remote action is saved, it is scheduled for execution. To avoid excess network and processing load, the Engine distributes the execution of remote actions so that not all actions run simultaneously on the target devices.

Thus, due to this distributed scheduling, the first execution of an automatically triggered remote action can be delayed up to its triggering period or, if the triggering period is longer than an hour, up to a maximum of one hour after it was created.

Controlling script execution on the device

When a remote action is triggered either automatically or manually on a device, the payload of the remote action is executed on the device only if the script execution policy allows it. Define the script execution policy of a device when installing the Collector on that device. Optionally, modify the script execution policy of a device later with Nxtcfg (the Collector configuration tool).

For security reasons, the script execution policy controls which remote action scripts are allowed to execute on a particular device. The policy takes one of the following values:

  • Signed by a trusted publisher or by Nexthink (default): the Collector runs on the device only those remote actions with a PowerShell script that is signed either by Nexthink or by a company whose certificate is listed in the Trusted Publishers certificate store.
  • Signed by a trusted publisher: the Collector runs on the device only those remote actions with a PowerShell script that is signed by a company whose certificate is listed in the Trusted Publishers certificate store.
  • Disabled: the Collector runs no remote action on the device.
  • Unrestricted: the Collector runs any remote action on the device, regardless of the digital signature of its script. Useful for testing purposes, but not recommended in production.

Executing your own signed scripts

The default policy lets official remote actions from the Nexthink Library execute on the device without requiring any additional configuration. If you choose to create and sign your own scripts for remote actions, add the signing certificate to the Trusted Publishers certificate store in Windows.

In addition, if your certificate to sign scripts was generated by a private CA (that is, a CA whose root certificate is not already present in the Trusted Root Certification Authorities certificate store of Windows), add the root certificate of the CA to the Trusted Root Certification Authorities certificate store. Similarly, if you used an intermediate certificate to sign your scripts, include the full chain of intermediate certificates in the Intermediate Certification Authorities certificate store:

  1. Log in to Windows as an administrator.
  2. Press the Win+R keys to open the Run dialog:
    1. Type in certlm.msc.
    2. Click OK.
  3. Click Yes to allow the program to make changes to your device.
  4. Right-click the name of the desired certificate store (e.g. Trusted Publishers) in the left-hand side list.
    1. Select All Tasks > Import... from the context menu to start the Certificate Import Wizard.
  5. Click Next to start the wizard.
  6. Click Browse and select your certificate file.
  7. Click Next.
  8. In the dialog Place all certificates in the following store, click Next to accept the proposed certificate store.
  9. Verify the certificate to be imported and click Finish.
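
A scripted equivalent of the wizard steps above, as an added PowerShell example (not Nexthink's own code): it imports the certificates into the three stores and then checks that a signed script validates and that its signer is in Trusted Publishers. The parameter names and file paths are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not Nexthink code. All paths below are hypothetical placeholders.
# Import only public certificates (.cer); the signing private key never
# belongs on the target devices.
param(
    [string]$SigningCert = 'C:\certs\signing.cer',               # certificate used to sign scripts
    [string]$RootCert = 'C:\certs\private-root.cer',             # pass '' when using a public CA
    [string[]]$IntermediateCerts = @('C:\certs\issuing-ca.cer'), # pass @() when there are none
    [string]$ScriptToCheck = 'C:\scripts\my-remote-action.ps1'   # a script signed with $SigningCert
)
$ErrorActionPreference = 'Stop'

# Map each certificate file to the local machine store named in the text.
$imports = @(@{ File = $SigningCert; Store = 'Cert:\LocalMachine\TrustedPublisher' })
if ($RootCert) {
    $imports += @{ File = $RootCert; Store = 'Cert:\LocalMachine\Root' }
}
foreach ($file in $IntermediateCerts) {
    $imports += @{ File = $file; Store = 'Cert:\LocalMachine\CA' }
}

foreach ($i in $imports) {
    $cert = Import-Certificate -FilePath $i.File -CertStoreLocation $i.Store
    '{0} -> {1} ({2}, expires {3:yyyy-MM-dd})' -f $i.File, $i.Store, $cert.Thumbprint, $cert.NotAfter
}

# Status is 'Valid' only when the script is unmodified and the signer's
# chain builds to a trusted root, so a missing root or intermediate shows up here.
$sig = Get-AuthenticodeSignature -FilePath $ScriptToCheck
if ($sig.Status -ne 'Valid') {
    throw "Signature on $ScriptToCheck is $($sig.Status): $($sig.StatusMessage)"
}

# A valid signature alone does not make the signer a trusted publisher;
# confirm the signer certificate is present in the Trusted Publishers store.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $sig.SignerCertificate.Thumbprint
if (-not $trusted) {
    throw "Signer $($sig.SignerCertificate.Subject) is not in Trusted Publishers"
}
"OK: $ScriptToCheck is signed by $($sig.SignerCertificate.Subject), a trusted publisher"
```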

It is recommended, though, not to import the certificates individually on every device, but to use an administration tool to deploy the certificates on all devices at the same time. Use Group Policy Objects (GPOs) of Active Directory to this end, for instance.

Results of remote actions

The outputs declared by a remote action are displayed in the Finder. Each output defines a label which is used by the Finder to name the column in the list of results of the remote action.

In addition to their defined outputs, remote actions return their status in a supplementary field called Execution status details. If difficulties were found during the execution of the remote action, the status field indicates it with an error message.