Security requirements and setup

WMI Provider Permissions

  • On the SMS Provider computer, click Start, click Run, type wmimgmt.msc, and then click OK.
  • Right-click WMI Control, and then click Properties.
  • On the Security tab, expand Root, and then click SMS.
  • Click Security in the results pane to see the permissions.
  • Click Advanced, click <Your ClientIQ Group>, and then click View-edit.
  • If the <Your ClientIQ Group> group does not have Enable Account and Remote Enable permissions, grant the permissions.
  • Press Apply / OK.
  • Now expand SMS and select site_XXX.
  • Click Security in the results pane to see the permissions.
  • Click Add and enter <Your ClientIQ Group> and then click OK.
  • Select Enable Account and Remote Enable.
  • Press Apply / OK.
  • Close down wmimgmt.msc

DCOM Permissions

  • From the Start menu, click Run and type Dcomcnfg.exe.
  • In Component Services, click Console root, expand Component Services, expand Computers, and then click My Computer. On the Action menu, click Properties.
  • In the My Computer Properties dialog box, on the COM Security tab, in the Launch and Activation Permissions section, click Edit Limits.
  • In the Launch Permissions dialog box, click Add.
  • In the Select User, Computers, or Groups dialog box, in the Enter the object names to select (examples): box, type <Your ClientIQ Group> and click OK.
  • In the Permissions for <Your ClientIQ Group> section, select the check box to allow Remote Activation.
  • Click OK twice, and then close Computer Management.

Client Permissions

  • Add <Your ClientIQ Group> to an existing Client Administrator group, or add <Your ClientIQ Group> to a Group Policy Object and use Group Policy Preferences or Restricted Groups to ensure it is a local administrator on all clients you want to manage.

SCCM Permissions

  • From the Start Menu go to All Programs -> Microsoft System Center -> ConfigMgr Console
  • Expand Security Rights
  • Right-Click on Users and click on “Manage ConfigMgr Users”
  • Press Next
  • Select “Add a new user” and add <Your ClientIQ Group> and press Next
  • Select “Add another right or modify an existing one” and press Next
  • Under Class: select “Advertisement”, under Instance: select “(All Instances)”, under Rights: check Read.
  • Press Next
  • Select “Add another right or modify an existing one” and press Next
  • Under Class: select “Collection”, under Instance: select “(All Instances)”, under Rights: check Read and Read Resource
  • Press Next
  • Select “Add another right or modify an existing one” and press Next
  • Under Class: select “Site”, under Instance: select “(All Instances)”, under Rights: check Read
  • Press Next
  • Under Class: select “Package”, under Instance: select “(All Instances)”, under Rights: check Read.
  • Press Next
  • Press Next
  • Press Close

 

ClientIQ is a distributed client/server system. The distributed nature of ClientIQ means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some use ports that can be customized. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec.

The port listings that follow are used by ClientIQ and do not include information for standard Windows services, such as Group Policy settings for Active Directory and Kerberos authentication. For information about Windows Server services and ports, see http://go.microsoft.com/fwlink/?LinkID=123652.

Ports needed to be open to allow traffic from ClientIQ to SCCM site server

Description                                                  UDP/TCP
RPC (initial connection to WMI to locate provider system)    135

Ports needed to be open to allow traffic from ClientIQ to Active Directory

Description                                                  UDP/TCP
Lightweight Directory Access Protocol (LDAP)                 389
LDAP (Secure Sockets Layer [SSL] connection)                 636/636
Global Catalog LDAP                                          3268
Global Catalog LDAP SSL                                      3269
RPC Endpoint Mapper                                          135/135
RPC                                                          — DYNAMIC

Ports needed to be open to allow traffic from ClientIQ to DNS

Description                                                  UDP/TCP
Domain Name System (DNS)                                     53/53

Ports needed to be open to allow traffic from ClientIQ to Windows Clients

Description                                                  UDP/TCP
Server Message Block (SMB)                                   445
Remote Control (control)                                     2701 2701
Remote Control (data)                                        2702 2702
Remote Control (RPC Endpoint Mapper)                         135
Remote Assistance (RDP and RTC)                              3389
Wake On Lan                                                  9
ICMPv4 Type 8 (Echo) or ICMPv6 Type 128 (Echo Request)       n/a
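
One way to verify the fixed TCP ports listed above from the ClientIQ server after firewall rules are in place. This is an added example, not part of the ClientIQ documentation or product; the host names are placeholders and Test-TcpPort is a helper defined here. It checks TCP only, so Wake On Lan (UDP 9), ICMP echo and the dynamic RPC range are not covered.

```powershell
# Added example: TCP reachability check for the fixed ports listed on this page.
# Host names are placeholders (assumptions); replace them with your own systems.
$targets = @(
    @{ Role = 'SCCM site server'; Target = 'sccm01.example.test';   Ports = @(135) }
    @{ Role = 'Active Directory'; Target = 'dc01.example.test';     Ports = @(389, 636, 3268, 3269, 135) }
    @{ Role = 'DNS';              Target = 'dns01.example.test';    Ports = @(53) }
    @{ Role = 'Windows client';   Target = 'client01.example.test'; Ports = @(445, 2701, 2702, 135, 3389) }
)

function Test-TcpPort {
    # Attempts a TCP connect with a timeout so filtered (silently dropped)
    # ports can be told apart from ports that actively refuse the connection.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'Timeout (likely filtered)'
        }
        $client.EndConnect($async)   # throws if the connect failed
        return 'Open'
    }
    catch {
        return 'Refused or unreachable'
    }
    finally {
        $client.Close()
    }
}

$results = foreach ($t in $targets) {
    foreach ($p in $t.Ports) {
        [pscustomobject]@{
            Role   = $t.Role
            Target = $t.Target
            Port   = $p
            Result = Test-TcpPort -ComputerName $t.Target -Port $p
        }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any port is not reachable, for use in a deployment check.
$failed = @($results | Where-Object { $_.Result -ne 'Open' })
if ($failed.Count -gt 0) { exit 1 }
```

A "Timeout" result usually points to a firewall or router dropping the traffic, while "Refused or unreachable" means the host answered but nothing is listening on that port, or the name did not resolve.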