Again, software management is a monitor, so it has nothing to do with auditing, and an audit request will likely have no effect (unless new info found on the device makes it become targeted via filter by a software management policy). A software management policy works very similarly under the hood as a monitoring policy looking for outdated or missing software, which runs a response component to update or install the software. The only difference is that there is a compliance status updated by the software monitors, and the installations (response components) run without having an actual alert raised in the platform.
Here's how it looks in the logs (AEMAgent.log) when the software management policy is applied:
A few things to note:
- You will see the detected software version first, followed by the latest version. In the first line for 7-zip, we can see the installed version 23.01 followed by the latest version. They are the same in this case.
- The "isThreshold\":True" or "False" refers to whether or not the device is out of compliance for the software. "True" means it’s not compliant and needs an update or installation. In this case in the second to last line, VLC is set to "install if not present" and the found version is blank, thus it is not compliant (threshold True) and needs to be installed.
- Just like monitors, when a device meets the criteria for auto-install or auto-update, we'll see an alert in the logs. The monitor ID is the same as above for VLC, and we can also see the stdOut from the install/update component that was run in response (like response components)
- 12.7.0.1113|2024-02-05T11:00:25.743-05|INFO|ALERT b4dee11a-f11d-4615-b8dd-72995421fb38 b391ea0c-6459-4eb7-973f-836eb7202a61 SoftwareManage {"value":["VLC Media Player",""],"isThreshold":true,"componentResult":{"StdOut":"Software: VLC Media Player 3.0.20 for Windows\r\n=====================================\r\n- Downloading VLC Media Player, 64-bit, version 3.0.20...\r\n- Downloading: https://download.videolan.org/pub/videolan/vlc/3.0.20/win64/vlc-3.0.20-win64.exe\r\n- Downloaded: VLCLatest.exe\r\n- Device is 64-bit: installing 64-bit version of VLC.\r\n=====================================\r\n- Digital Signature verification passed.\r\n=====================================\r\n: Please note that VLC Media Player automatically assigns itself as the default\r\n program for various media file types as part of the installation process.\r\n- Installation concluded at 02/05/2024 11:00:25.\r\n","ExitCode":0,"StdErr":""}}|{ }
- Of course, we also see the "alert" resolve (goes back to compliant) when vlc is detected after install, and once then later "poll" for the latest after it's been resolved
- 12.7.0.1113|2024-02-05T11:00:34.379-05|INFO|RESOLVED b4dee11a-f11d-4615-b8dd-72995421fb38 afba5c60-201b-42c6-a53c-408bdc9d5215 SoftwareManage|{ "logcontext": "Monitoring.Program", "membername": "handler" }
- 12.7.0.1113|2024-02-05T11:00:34.480-05|INFO|POLL|{ "logcontext": "Monitoring.Program", "membername": "handler", "httpStatusCode": 200, "definitionName": "SoftwareManage", "monitorId": "b4dee11a-f11d-4615-b8dd-72995421fb38", "json": "{\"value\":[\"VLC media player\",\"3.0.20\"],\"isThreshold\":false}" }
- STDout of component sent in alert
- That "monitor ID" denotes the specific ID for that softwares monitor. You can use notepad++ to "find all in current document" to see a complete timeline of every check that was done.