Configure agent version control
Agent version control is a feature that gives you and your security operations team control over the specific versions of the Deep Security Agent that will be deployed when:
- using deployment scripts
- upgrading the agent through an upgrade alert, button, check box or other widget in the Workload Security console (the exceptions are listed in the FAQ)
- upgrading the agent through the agent upgrade on activation feature
This allows security operations teams the ability to declare exactly what agents will be used at any given time.
As new agents are released by Trend Micro, your security operations team can test them in controlled environments before changing the version control settings to expose the new agents to downstream applications teams in their production environment.
- Go to the Workload Security console.
- Click Administration at the top.
- On the left, expand Updates > Software > Agent Version Control.
All the agent platforms appear in the main pane.
- (Optional) Use the Show/Hide Platforms section on the right to restrict the agent platforms that are visible.
- Make your agent version selections and click Save. Follow this guidance:
Only agent versions 9.0 or later are displayed. For Solaris specifically, only versions 11.0 or later are displayed. If you want to deploy earlier agents, you'll have to use the agentVersion= setting available in the deployment scripts. For details, see Use deployment scripts to add and protect computers.
Column Description PLATFORM This column lists the platforms for which Deep Security Agent software is available. VERSION CONTROL
This column is where you select which version of the agent will be used by deployment scripts and so on. It has the following options:
- Latest: Indicates to use the latest agent software build , either long-term support (LTS) or feature release (FR). The logic to determine the latest agent is based on the agent version number: the highest version is used. For example, a Deep Security 12 update agent with version 184.108.40.2060 is higher than the Deep Security 12 General Availability (GA) agent. However, the Deep Security 12 feature release agents with version 220.127.116.110 is considered later than an LTS agent with version 18.104.22.1680. In summary, choose Latest if you want the latest LTS or FR agent for the platform. For details on LTS and FR releases, see Deep Security release strategy and life cycle policy.
- Latest LTS: (default) Indicates to use the latest long-term support (LTS) software build . Latest LTS can be the original LTS release, or can be an update to the original LTS release. Any FRs are ignored. LTS build versions always have ‘0’ as the minor version number. For details on LTS and FR releases, see Deep Security release strategy and life cycle policy.
- <agent_version> for example, 22.214.171.1240: Indicates to use a specific agent version. Other agents are ignored.
This column shows the agent that will be deployed based on your selection under VERSION CONTROL.
If the column shows an N/A (Removed from inventory) message, it's because Trend Micro deemed the agent unsuitable for deployment and removed it.
Agent version control provides the ability to control what agents are returned when any URL request is made to Workload Security to download the agent. For details, see Using agent version control to define which agent version is returned.
Do I need to update my deployment scripts to use this feature?
To update your deployment scripts:
- In the Workload Security console, go to Support > Deployment Scripts and generate new deployment scripts. For instructions, see Use deployment scripts to add and protect computers.
- Re-distribute and re-run the new scripts as necessary.
The latest deployment scripts pass additional information to Workload Security (for example, platform information) that is required for the version control feature to work properly.
What happens if I don't update existing deployment scripts?
If you have existing deployment scripts that you generated prior to the availability of the agent version control feature, and you do not take any action to update them, they will default to Latest LTS. This default will be used for any older deployment scripts regardless of how you have set your agent version control settings. Replace the older deployment scripts with new deployment scripts to leverage the settings you define in the agent version control settings.
Deployment scripts that are generated after the availability of the agent version control feature will use your agent version control settings.
What features are out of scope (exceptions)?
By design, the features listed below are out of scope for the agent version control feature. These features are typically accessed by the Workload Security administrator directly, in many cases to test a specific agent version in a development or staging environment prior to deploying the agent version into production.
We have left full access to all agent versions accessible in these specific scenarios:
- the Computer details page > Upgrade Agent button
- the Computers > Actions > Upgrade Agent Software page
Selecting either of the above options launches a wizard with a drop-down list that always defaults to 'Use latest version for platform' regardless of your version control settings. For details, see Upgrade the agent from the Computers page.
- agent upgrades that are not initiated directly from Workload Security. For example, if you export an agent package, transfer it to the server, and initiate the upgrade from the command line, the agent version control settings will not be involved in this upgrade.