I’m fairly certain this is not possible. I don’t think the “action” inspector has context until an action is taken, which seems to be part of the issue.
The idea is to allow a computer to show up in the “Applicable Computers” count as needing remediation, but not be applicable to the taken action of the same fixlet/task until a certain condition is met, similar to when constraints are set using the “Execution” and “Users” tabs in the take action dialog.
My use case is in updating software with an open action that will “wait” until the target application is closed or not running before the action runs.
My failed attempts:
(
if
(
not
exists
action
whose
(active
of
it
))
then
TRUE
else
(
not
exists
running applications
whose
(name
of
it
=
“chrome.exe”
)))
(if (not exists action whose(active of it AND origin fixlet id of it = )) then TRUE else (not exists running applications whose(name of it = “chrome.exe”)))
(if (not exists action whose(origin fixlet id of it = 760916)) then TRUE else (not exists running applications whose(name of it = “chrome.exe”)))
We do currently do this (fail if the app is running) in many cases, at least as one of the action options.
To achieve the desired outcome I specify above, I can create a task as I normally would so that applicable computers show up that need the patch, but then when I take action I edit the applicability only for the action appending: AND (not exists running applications whose(name of it = “chrome.exe”)) This is fine for me to do, but it is not something that other console operators are going to know or remember to do.
The reason this is preferred over the option of failing in the actionscript is that the open action will not attempt to run until the application is closed, which is what I want. If I fail in the actionscript using a “continue if” statement, then the action will report back failure. Then my only option would be to have it retry on failure over and over again, which will fail over and over again, but MIGHT succeed eventually. This seems like an undo burden on the endpoint.
The other option would be to use a “pause while” statement in the actionscript that waits for the application to close, then performs the update. This is problematic because while paused, no other actions can run on the client, and the application may never close. I could also add a timer to the pause while so that it will not last forever, but then i’m back to the failing over and over until it MIGHT succeed eventually while also having an action run on the client without doing anything which will prevent other actions for periods of time.
I prefer to patch with minimal user interruption when I can. If I can patch when the application is not running, then I don’t have to bug the user at all. If the user never closes the app, then I have to send a different action that warns the user first and asks them to save their work, then do the patch. I prefer to avoid this case as much as possible.
What I’ve done in the past is change the relevance in the task to only be applicable if the application is not running. Then when taking action target computers using the “Dynamically target by property”. Then when your computers become relevant (i.e. application is closed) the task will run.
The only problem I see with this method would be reporting on what computers still need the updated application, since only computers NOT running would be applicable. You would need another task, or analysis to detemine your true compliancy.
My suggestion would be to have two seperate tasks, one that is only applicable only if the application is NOT running. Another that is always applicable. You could use the task that is always applicable for your reporting, you could also have that task force the application closed and prompt the user to take action to remediate all the computers that never close that app.
Might be more of a constraint than you want, but in the Action area you could “Include Action Settings Locks” and configure it to run only if no user is logged on. This is more restrictive than “run only if Chrome is not executing” but may help. The Fixlet would be relevant to everything with a lower version of Chrome, but the Action won’t kick off until no user is logged on.
What it sounds like you’re really looking for would be an Action Constraint. I’m using these heavily to deploy patches to machines during predefined Patch Windows. Unfortunately Constraints currently only allow you to use Client Settings values, and don’t allow you to specify Relevance Statements directly (RFE anyone?)
Another thing you could possibly try, though it’s ugly, would be to create the Fixlet, create a custom Action Constraint (using a Client Setting); then Export the fixlet, modify the exported XML to replace the constraint with your own relevance not exists running applications whose(name of it = “chrome.exe”), and then try to re-import the fixlet on the console. I’m curious as to whether that would work.
I did look into trying the export / alter / import trick to see if I could get custom relevance in the action constraints. I did not try it, but I need to look closer at this option.
I was afraid the best answer would be to file an RFE, which seems to be the case.
I do use the run only if “no user is logged on” in some cases, but the goal is to patch all machines with a single action without having to wait for a user log off condition to upgrade users that could be upgraded right away.
The other part of the reason for this question has to do with making this easy for other console operators, which is why putting this condition in the applicability relevance is not desirable(breaks auditing patches based upon applicability), nor is requiring specific things to be done when taking action depending on the desired effect.
I’m really interested in hearing whether we can use custom constraints with the export/import trick. If you can make that work, you’d want that as an Action Preset for this fixlet, so when other console operators take an action from it it “just works as expected”. (Honestly I don’t expect it to work though).
The similar case I see is for the IBM-provided Java and Internet Explorer fixlets. Those have multiple actions; a Default Action that fails if the program is open, and a second Action that kills running instances of the program.
Maybe you could instead have it create a batch on the fly, then execute the batch; and have the batch file wait for chrome to be closed?
GOTO MAIN
:WAIT
SLEEP.EXE 30
:MAIN
TASKLIST | FIND /I “chrome.exe” && CALL :WAIT
Then in the relevance you have to check whether chrome is upgraded, OR whether your action has run (and maybe the batch file is still waiting for chrome to not be running). Maybe add a clause like
not exists last active time of action whose (it > boot time of operating system)
The batch file would have to be called using runhidden instead of wait otherwise it would lock up action execution on the client until chrome is closed, which I definitely don’t want.
This is an interesting option, but it does break the ability to use relevance cleanly to determine success or failure. In this case success would be that either chrome is updated, or there is something running on the client trying to update it.
Additionally, the whole power of relevance is things happen if and only if they need to, or should. I don’t like the idea of trying to work my way around something that is already built in, just not quite the way I want.
I’m doing something kind of similar with an action I have that constant polls the system. The idea is that I create a whole set of Actions that are constrained by a client setting (“PatchWindowState”), then allow all of the actions to run when PatchWindowState is set to certain values (the different values control how the machine behaves when patching is complete, like reboot timings, etc.)
if not exists last active time of action then true else (absolute value of (now - last active time of action)) > (if not exists setting “PatchWindowState” of client then 60 * minute else if value of setting “PatchWindowState” of client as lowercase = “closed” then 60 * minute else 10 * minute)
As a “fixlet”, (last active time of action) does not exist, so the if/then returns True. As an Action, this controls whether the action is reapplied after 60 minutes (when not in a patch window) or reapplied after 10 minutes (when in an active patch window).
What I’m not sure about, is whether “last active time of action” exists on the action’s first execution, or whether it is set after the first execution. So you could try
if not exists last active time of action then true else not exists running applications whose(name of it = “chrome.exe”)
You may get into a weird state around when “last active time of action” is created. If it does not exist on the first attempt to execute the action, then on the first attempt the “chrome” relevance would not be evaluated (but it would be evaluated for retry/reapply, I think).