zac - The command line management interface for the Micro Focus ZENworks Agent that is installed and running on Windows managed devices.
zac command options
The zac utility performs command line management functions on the ZENworks managed device, including installing and removing software bundles, applying policies, and registering and unregistering the device.
Most commands have a long form and a short form:
Long form: add-reg-key
Short form: ark
When both forms are available, the command is listed as follows:
add-reg-key (ark) arguments
When using the command, enter only the long form or the short form:
zac add-reg-key arguments
zac ark arguments
Arguments can be mandatory or optional. Mandatory arguments are included in angle brackets <argument>. Optional arguments are included in square brackets [argument]. If an argument includes a space, enclose it in quotation marks:
zac ark "arg 1"
Gathers the current status of the ZENworks Antimalware Engine for local troubleshooting.
Examples:
zac mas
zac malware-agentstatus
Clears the security restriction on the %ZENWORKS_HOME%\\zav\\events folder.
Examples:
zac mcfs
zac malware-clearfoldersecurity
Disables on-access scans for the number of minutes specified in the command. If a time is not specified the default is 60 minutes.
Examples:
zac mdas
zac mdas --15
zac-disable-onaccess-scans --90
Enables on-access scans that are disabled by the malware-disable-onaccess-scans zac command.
NOTE:This command is only an “undo” of the mdas zac command that still has time remaining. This command will not enable on-access scanning if it is disabled in the policy.
Examples:
zac meas
zac malware-enable-onaccess-scans
Installs the Antimalware engine on this device.
Examples:
zac mi
zac malware-install
Lists all assigned Antimalware policies in the zone, to include Antimalware Enforcement, Custom Scan, Network Scan, and Scan Exclusions policies, if applicable.
Examples:
zac mpl
zac malware-policy-list
Deletes Antimalware files that are currently in quarantine file. Defaults to deleting all quarantined files.
Examples:
zac mqd --f testfile.exe testfile02.bat
zac mqd --a
Lists all quarantined files that have been found from Antimalware scans and ondemand events.
Examples:
zac mql
zac mql --filedetails
Restores Antimalware quarantined files to specific locations. Defaults to restoring all files to their original locations while overwriting existing files. The command does not keep a copy in quarantine or exclude from all file scans.
Examples:
zac mqr
zac mqr --r c:\temp --k
zac mqr --x 4
Removes the Antimalware engine from this device.
Examples:
zac mr
zac malware-remove
Gathers the current status of the ZENworks Antimalware Engine and reports it to the ZENworks Server.
Examples:
zac mrs
zac malware-reportstatus
Scans the device for malware infections using either Full, Quick, Custom, or Network scan.
Examples:
zac ms --full
zac ms --quick
zac ms --custom myCustom policyName
zac ms --custom myNetwork policyName
Restarts scans that were previously aborted.
Examples:
zac msrs
zac malware-scan-restart
Resets the security restriction on the %ZENWORKS_HOME%\\zav\\events folder to the default setting.
Examples:
zac msfs
zac malware-setfoldersecurity
Creates an Antimalware (AM) diagnostics package in the %ZENWORKS_HOME%\\zav\\diag folder. This takes several minutes and notifications may be displayed on the device if Agent Notification settings are enabled.
Examples:
zac msp
zac malware-support
Updates the ZENworks Antimalware Engine with the latest scan and product definitions.
Examples:
zac mus --agent
zac mus --signature
Resets the RollupStatus table to the current timestamp.
Examples:
zac mrdb
zac malware-reset-db(mrdb)
Reconfigures an enabled Authentication Satellite.
Examples:
To fetch the configuration files from the server:
zac asr -t config
To reconfigure the CASA signing certificate:
zac asr -t casa
To reconfigure the entire Satellite:
zac asr -t all
Reconfigures the Jetty web server.
To reconfigure the Jetty web server:
zac ssr -t jetty -u Administrator -p password
Configures a satellite device with externally signed certificates.
-rc - Confirms reconfiguration of the Satellite Server so that the administrator is not prompted for reconfiguration.
Installs the specified bundle. Use the bundle-list command to get a list of the available bundles and their display names.
Example:
zac bin bundle1
Launches the specified bundle. Use the bundle-list command to get a list of the available bundles and their display names.
Example to launch a bundle based on the display name:
zac bln bundle1
Example to launch a bundle based on the display name and turn selfhealing off if the launch action fails (by default, selfhealing is turned on):
zac bln bundle1 -noSelfHeal
Displays the list of bundles assigned to the device and the logged in user.
Example:
zac bl
Displays the status, version, GUID, and requirements information for the specified bundle. Use the bundle-list command to get a list of the available bundles and their display names.
Example:
zac bln bundle1
Refreshes information about the specified bundle.
Example:
zac br bundle1
Uninstalls the specified bundle. Use the bundle-list command to get a list of installed bundles and their display names.
Example:
zac bu bundle1
Verifies an installed bundle (specified by bundle display name) to ensure that no files have been removed or corrupted. Use the bundle-list command to get a list of the installed bundles and their display names.
Example:
zac bv bundle1
Lists public key certificate information for each known ZENworks server or adds a trusted root certificate to the device trusted store. The file can be in ASN.1 DER format or base-64 encoded delimited by ----BEGIN CERTIFICATE---- and ----END CERTIFICATE--.
Example:
To list the certificate for each known ZENworks server:
zac ci
To add a trusted root certificate to the devices trusted store:
zac ci c:\certs\mytrustcacert.der -u myuser -p mypassword
Verifies if the server certificate and key file copied to the remint repository are valid and updates the results to the server.
Shows the status and configuration of the collection role.
Example:
collection-point [wake]
wake - Wakes the modules that perform collection (Inventory, MD status, Message sender)
Finds orphaned files on the Satellite device and rolls them up to the parent collection server or deletes them if they have already been rolled up.
This command builds a list of the files in the folders under zenserver_home\work\collection\ and then tries to find the original upload information for each entry in the collection stats database.
If there is an entry for a file in the database, and it shows that the file has not been rolled up, it rolls the file up. If the entry shows that the file has already been rolled up, it deletes the file on the Satellite device. If there is no entry for a file in the database, the file is rolled up. This command also lists any files that were not uploaded or deleted.
Before running this command, on Linux, you should run the zac crw command and on Windows, the zac cp wake command to send any pending files to the parent server.
Example:
zac cuo
Validates satellite content by computing the checksum on each file.
The optional log file details results of the checksum comparison.
Example:
zac cchk -l:"C:\Program Files\Novell\ZENworks\logs\cchk.log"
Compares the list of content IDs and their sync states on this CDP with what the Primary Server thinks it should have.
You can use the following options:
Example:
zac cvc -l:"C:\Program Files\Novell\ZENworks\logs\cvc.log"
Imports missing content from the directory specified by content-path, logging to the file specified by log-path.
Example:
zac cic c:\import_source_directory -l:"C:\Program Files\Novell\ZENworks\logs\cic.log"
Wakes the Content Distribution Point worker thread. You can use either of the following options:
Examples:
zac cdp
zac cdp replicate
zac cdp replicate Windows-Bundle
This command is applicable only if the agent is promoted as a Satellite Server.
The content types include:
Default
linux-bundle
Policy
Macintosh-Bundle
Patch-Informational-Bundles
zscm-policy
subscription-default
Patch-Critical-Bundles
Patch-System-Bundles
subscription-optional
Patch-Recommended-Bundles
subscription-recommended
Imaging
SystemUpdate-Agent
Patch-Software-Bundles
subscription-security
Windows-Bundle
NOTE:The content types are case-sensitive.
Deletes the orphan contents from the file system that are no longer needed.
-c - Performs checksum on local content
-l:<path to log> - The optional log file details results of the operation.
Displays, removes, or restores the workstation GUID in the file system in preparation for taking an image.
For example:
To display the GUID value:
zac fsg
To remove the GUID and also conninfo.dat from the file system:
zac file-system-guid -d
To restore the GUID to the file system:
zac file-system-guid -r
To display the GUID value:
zac fsg
Runs an inventory scan or opens the Collection Data Form.
Example to run an inventory scan:
zac inv scannow
Example to open the Collection Data Form:
zac inv cdf
Example to run a full scan:
zac inv -f scannow
Displays the configuration location. The configuration location determines which ZENworks server (or servers) the device connects to for authentication, configuration, content, and collection purposes.
Examples:
zac config-location
zac cl
Edits an existing location.
<location name>: Specify a name for the location.
Accepts the following options:
IPv4: Specify IPv4 if you want the devices in this location to try communicating with the servers using IPv4 URLs first before attempting IPv6 URLs.
IPv6: Specify IPv6 if you want the devices in this location to try communicating with the servers using IPv6 URLs first before attempting IPv4 URLs.
Changes or displays the logger configuration for the ZENworks Agent.
You can use the following options:
Example to reset the log file:
zac logger resetlog
Example to show the current log level:
zac logger level
Example to set the log level to DEBUG and above:
zac logger level DEBUG
Displays the ostarget record associated with the workstation OS or a specified version string.
Examples:
To display the version string and corresponding ostarget info for the workstation:
zac ostarget
To display the corresponding ostarget info for a specific version string:
zac ostarget "Windows 10 1703 64 Enterprise (Build 15063)"
After running the command OSVersion and OSTargetEntry are displayed.
NOTE:Ensure that both OSVersion and OSTargetEntry are same.
OSVersion: Windows 10 1703 64 Enterprise (Build 15063)
OSTarget Entry: windows10-1703-ent-gen-x64
Product: Windows 10 Enterprise x64 Version 1703
Version: 10.0 1703
Vendor: Microsoft
Primary Role: Workstation
Package Manager: msi
Architecture: x86_64
Scans the device for patches that are not applied, using the device's current patch signature (DAU) file. The results are then uploaded to the server.
An example to run a patch scan:
zac ps
Uploads the last scan results to the server; it does not run a new detection scan.
An example to run a quick patch scan:
zac ps --quick
Scans the device for patches that are not applied, using an updated patch signature (DAU) file. The results are then uploaded to the server.
An example to run a complete patch scan:
zac ps --complete
Updates devices with the latest version of all patch policies.
An example to run a patch apply policy:
zac pap
If you want to update the device with one or more patch policies, specify the patch policy names or IDs. An example: zac pap patch1 patch2
Releases any quarantined patches on the device where the command is run from quarantine so that a one-time installation attempt can occur, either from a patch policy schedule or a remediation schedule.
An example to run a patch quarantine release:
zac pqr
Distribute all patch policies to the device. This will attempt to distribute all patches that do not match the policy.
Distribute all patch policies to the device. An example to run a patch distribution policy: zac pdp
If you want to distribute one or more patch policies to the device, specify the patch policy names or IDs. An example: zac pdp patch1 patch2
Downloads the content associated with the specified patch names.
Syntax: zac patch-download (pd) [options]
The following are the available options:
--patch: Name of the patches that should be installed. If you want to install multiple patches, then specify the name of the patches separated by a comma.
Example: zac pd --patch patch_name1, name2, name3
Downloads the catalog used for scanning the patches.
Syntax: zac patch-download-catalog (pdc)
Exports the patch details in the catalog to the PatchMetadata.csv file.
Syntax: zac patch-export-catalog (pec)
Downloads and Installs the specified patch.
Syntax: zac patch-install (pi) [--patch <patch name>]
The following are the available options:
--patch: Name of the patch that should be downloaded and installed.
Example 1: zac pi --patch notepad
In this example, notepad patch will be downloaded and installed.
NOTE:Only one patch can be specified at a time.
Lists all the required patches.
Syntax: zac patch-list (plp) [options]
The following are the available options:
--all: List all the patches, including the installed patches.
This command returns a list of the policies that are currently enforced on the device. By default, this displays the effective (non-filtered) policies.
zac pl –all
Displays both filtered and non-filtered policies.
Lists the policies that are currently being enforced on the device (effective policies). To list all policies (effective and non-effective), use the --all option.
Examples:
zac pl
zac pl --all
Applies all of the policies assigned to the device and user.
Example:
zac pr
Applies all of the policies assigned to the device and user forcefully and without logging off.
Example:
To apply forcefully all of the policies assigned to the device and user:
zac pr /force
To forcefully apply all of the policies assigned to the device and user without logging off:
zac pr /force /nologoff
Registers the device by using the specified key. Registration with keys are additive. If the device has previously been registered with a key and you register it with a new key, the device receives all group assignments associated with both keys.
Example:
zac ark key12
Option 1: [-a <authorization key>]
Option 2: [-k <RegKey>] <ZENworks Server address:port>
Registers the device in a Management Zone.
To execute this command you must have Create/Delete device rights for the folder that you are attempting to register.
You can use the following options:
Examples:
zac reg -k key1 https://123.456.78.90
zac reg -k key1 -u administrator -p novell https://zenserver.novell.com:8080
To add or modify the authorization key:
zac register -a c24e-b9b42
c24e-b9b42 is the authorization key.
The port number is required only if the ZENworks Server is not using the standard HTTP port. If a username and password are not supplied, you are prompted for them.
NOTE:
The -g and -k options will not be honored if the corresponding device object is already present on the server and reconciliation takes place with that device object.
When you modify or update the GUID using the -g option, then audit and messages generated with the old GUID will be lost.
Registers a device in the current zone and assigns it the GUID of an existing device object. The currently associated device object is deleted.
To execute this command you must have Create/Delete device rights for the folder on which you are attempting to reregister.
For example, if you image a device after replacing the hard drive, the device might get a new GUID. However, by using the reregister command, you can assign the device’s GUID that it had before you replaced the hard drive.
Examples:
To reregister, specify a username and password:
zac reregister -u myuser -p mypassword eaa6a76814d650439c648d597280d5d4
To reregister and be prompted for a username and password:
zac reregister eaa6a76814d650439c648d597280d5d4
NOTE:
The -g and -k options will not be honored if the corresponding device object is already present on the server and reconciliation takes place with that device object.
When you modify or update the GUID using the -g option, then audit and messages generated with the old GUID will be lost.
Removes the device’s registration from the Management Zone.
To execute this command you must have Create/Delete device rights for the folder on which you are attempting to unregister.
Example:
To force a device to unregister locally when a server cannot be contacted:
zac unr -f -u myuser -p mypassword
To unregister locally and suppress prompting for a user name and password:
zac unr -s
Use -a option to unregister asynchronously. With this option server deletes the device asynchronously.
The -a, -f, -u, and -p parameters are optional. If you don’t use the -u and -p parameters, you are prompted to enter a username and password. The -f parameter ignores the ZENworks database and forces the device to be unregistered locally; this option is necessary only if the device object has already been deleted from the ZENworks database or if the device cannot connect to the database. If -a option is specified, ZENworks server returns the unregister call quickly, but deletes the device object asynchronously from the database at a later point of time. If your device deletion is not complete and tries to register the device again, then the ZENworks server displays an error. If there is large amount of data associated with the device in the database, it might take long time to delete the device. Ensure that -a option is used when actual device deletion on server takes long time and causes the agent unregister command to timeout.
NOTE:Running the UNR command might cause high utilization of the database. This might be due to any of the following reasons:
The UNR command is running on the server.
The zone contains a large number of managed devices.
The managed devices have a huge history.
Patch Management is enabled.
Reestablishes trust with the current Management Zone. The username and password used must be of the Zone Administrator.
Example:
zac retr -u myuser -p mypassword
The -u and -p parameters are optional. If you don’t use the -u and -p parameters, you are prompted to enter a username and password.
Requests a remote management session from the managed device even in the absence of the Z-icon. This command is available on managed devices with 11.3.1 and later versions.
Examples:
zac request-remote-session
zac rrs
Clears the ZENworks cache on the device. This removes all entries in the cache database and deletes any cache files associated with those entries.
Example:
zac cc
NOTE:If your ZENworks administrator has enabled the self defense feature for the ZENworks Agent, you must supply an override password before running the zac cc command. Otherwise, you receive the following message:
You do not have permission to clear the cache. Please contact your ZENworks administrator.
You must request the override password from your ZENworks administrator. If he has not set an override password, he must do so before you can use the command. After you receive the password:
Double-click the ZENworks icon (z-icon) in the system tray, click Agent (under Status), then click the Policy Override link in the Agent Security Settings section to display the About box.
Click Override Policy, enter the override password, then click Override.
Go to a command line prompt and run the zac cc command.
After the cache is successfully cleared, return to the About box and click Load Policy to disable the password override.
Outputs the HTML pages displayed in the ZENworks icon’s property pages to files in the specified target directory.
Example:
zac dpp c:\temp
Settings are downloaded by the Settings Module to the local cache on every refresh. This will return the effective settings associated with the given key.
Example:
zac gs key1
All valid ZENworks settings keys are stored in the %ZENSERVER_HOME%\cache\zmd\settings directory.
Example to list the Remote Management settings:
zac gs RemoteManagement
Initiates a general refresh to refresh all bundles, policies, registration, and configuration settings; initiates a partial refresh to refresh all policies, registration, and configuration settings.
Use bypasscache to avoid using data from the server cache during the refresh. This option is useful for testing or troubleshooting.
Examples:
zac ref general bypasscache
zac ref partial bypasscache
Specifies a proxy to contact rather than contacting a ZENworks Server directly.
The options are:
Examples:
IPv4:
zac sp 123.456.78.90:2349 administrator novell
zac sp /default 123.456.78.90:2349
zac sp /clear
IPv6:
zac sp /ipv6 [2001:db8:0:1:1:1:1:1]:2349 administrator novell
zac sp /default /ipv6 [2001:db8:0:1:1:1:1:1]:2349
zac sp /clear /ipv6
If a username and password is not specified, then you will be prompted to enter them.
Queries the Management Zone for proxy work assigned to this device.
Example:
zac wpr
Lists port and status of the web server.
Example:
zac zhs
This command is applicable only if the agent is promoted as a satellite.
Collects ZENworks support information, including cache data, configuration data, debug logs, product installation information, refresh times, status events, and basic system information. The information is packaged into a ZIP file and placed in the location you specify. If you do not specify a location, ${TEMP}\zeninfo-${DateTime}.zip is used for Windows and ${TMPDIR}\zeninfo-${DateTime}.zip is used for Linux. If you are experiencing problems with a managed device, Micro Focus Support might ask you to run this command and send the resulting ZIP file to Micro Focus to help troubleshoot your problem.
You can use the following option:
The zeninfo command can be run by the local administrators. If you are not a local administrator and you run the command, the system prompts you to enter the administrator credentials. You can also set the AllowZenInfoWithoutAdminPwd string value to True, which enables any user to run the zeninfo command. To set the AllowZenInfoWithoutAdminPwd string value, do the following:
Open the Registry Editor.
Go to HKLM\Software\Novell\ZCM\.
Set the AllowZenInfoWithoutAdminPwd string value to True.
WARNING:If the AllowZenInfoWithoutAdminPwd string value is set to True, the sensitive ZENworks Configuration Management settings and configuration information is visible also to the users who are not the local administrators.
Displays information about the ZENworks Server that the device is accessing for configuration information (the Configuration server) or lists the information for the Configuration server.
Examples:
zac zc
zac zc -l
This command rolls up status information to the Primary Server. You can either roll up information that was updated since the last time the status was rolled-up or you can roll up the complete status information.
Examples:
To roll up status information that was updated since the last successful status roll up:
zac sts rollup
To roll up status information on the same thread
zac sts rollup syn
To roll up complete status information:
zac sts rollup full
NOTE:From the ZENworks 2020 release onwards, the zac bsr command has been deprecated. Execute the zac sts command to roll up bundle status information.
Retrieves the system update when it is assigned to a device.
NOTE:This command is not applicable on Satellite Servers.
Enables administrators to resend the system update status to the server immediately.
Resets the ZENworks Endpoint Security Management cache on the managed devices.