Application Resilience policies for Forescout SecureConnector

Application Resilience policies for Forescout SecureConnector are supported on devices running:

• a supported version of the Windows operating system
• PowerShell version 5.1 or higher

Due to PowerShell restrictions imposed by Microsoft, Application Resilience isn't supported for this application on devices running Windows 11 SE.

• one of the following versions of Forescout SecureConnector:

  • 11.x or higher

    Significant software changes in higher versions may cause health checks to become invalid.

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component	Test performed
Services	Installed	Running	Signed by
ForeScout SecureConnector Service (SecureConnector.exe)1	P	P	n/a
Processes	Running
Forescout SecureConnector (SecureConnector.exe)2	P
Application name
The application uses the following name: SecureConnector* (the asterisk [*] indicates the health check accepts any additional characters starting from that position in the application name)

¹ Only checked if Permanent system daemon is not selected in the policy configuration

² Only checked if Permanent system daemon is selected in the policy configuration

You can configure an Application Resilience policy for Forescout SecureConnector to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair Forescout SecureConnector if it's not functioning, or reinstall it if it's missing or can't be repaired.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue	Resolution
Repair
The ForeScout SecureConnector Service (SecureConnector.exe) isn't running1	The RAR component restarts the service.
The ForeScout SecureConnector Service (SecureConnector.exe) isn't installed and the service's executable can be detected on the device1	The RAR component reinstalls the missing service.
The Forescout SecureConnector process isn't running2	The RAR component restarts the process.
Reinstall
Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.
The ForeScout SecureConnector Service (SecureConnector.exe) isn't installed and the service's executable cannot be detected on the device1	If the application is installed, the RAR component uninstalls it. After the application is uninstalled, or if the application wasn't installed, the RAR component downloads and installs the configured version of the application.
Forescout SecureConnector failed to be repaired, or the expected version isn't installed

¹ Only checked if Permanent system daemon is not selected in the policy configuration

² Only checked if Permanent system daemon is selected in the policy configuration

You can add a 32-bit installer, a 64-bit installer, or both. The installers:

• must be MSI files

• can have any file name

Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version and indicate the permanent deployment types in addition to the settings in Configuring Application Resilience policies.

To configure the application version and permanent deployment type:

1. Under Forescout SecureConnector version, enter the version of Forescout SecureConntector you expect to be running on your devices.

   • The target version must be a sequence of digits separated by a period.
   • You can use wildcard "*" characters after the major version, for example, 11.* or 11.2.* or 11.2.00.*.

   Make sure the version you are entering is consistent with version 11.x or higher.

2. Under Select the permanent deployment type that should be used to determine if the application is Compliant, select the option that applies to your Forescout SecureConnector configuration:

   • Permanent application
   • Permanent service (only available for Report and Report and repair)
   • Permanent system daemon

If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the Forescout SecureConnector specific settings:

1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

   • The application version is lower than the expected version.
   • The application can't be repaired.

2. [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration.

   If you use MODE=<mode_value>, the <mode_value> used must match the deployment type selected in Select the permanent deployment type that should be used to determine if the application is Compliant.

   For example, if Permanent application is selected, eXAmPLe_nh2p9iPB3QQocH7XvBONmcA7WEC_YM5OGhSbHGIebIFAAEIRshq must be the <mode_value> string associated with installing Forescout SecureConnector as a permanent application:

   Copy

    MODE=eXAmPLe_nh2p9iPB3QQocH7XvBONmcA7WEC_YM5OGhSbHGIebIFAAEIRshq

3. [Optional] Under Additional uninstallation commands, enter the applicable uninstallation command-line parameters to configure any settings not covered by the policy configuration.

   For more information about the available command-line parameters, see Forescout's documentation.