Configure agent version control | Trend Micro Service Central

Agent version control gives you and your security operations team control over the specific versions of Deep Security Agent deployed when:

Using deployment scripts.
Upgrading through an upgrade alert UI component in the Workload Security console (the exceptions are listed in the FAQ).
Upgrading through the agent upgrade on activation.

This provides security operations teams with the ability to declare exactly which agents will be used at any given time.

As new agents are released by Trend Micro, your security operations team can test them in controlled environments before changing the version control settings to expose the new agents to downstream applications teams in their production environment.

Set up agent version control

Go to the Workload Security console.
Click Administration at the top.
On the left, expand Updates → Software → Agent Version Control. All the agent platforms appear in the main pane.
Optionally, use Show/Hide Platforms on the right to restrict the agent platforms that are visible.
Make your agent version selections and click Save.

Follow this guidance:

Column	Description
PLATFORM	This column lists the platforms for which agent software is available.
VERSIONCONTROL	This column is where you select which version of the agent will be used by deployment scripts and so on. It has the following options: Latest: Indicates to use the latest agent software build, either long-term support (LTS) or feature release (FR). The logic to determine the latest agent is based on the agent version number:the highest version is used. For example, an agent with version 12.0.0.460 is higher than the version 12 General Availability (GA) agent. However, the version 12 feature release agents with version 12.5.0.350 are considered later than an LTS agent with version 12.0.0.460. In summary, choose Latest if you want the latest LTS or FR agent for the platform. For details on LTS and FR releases, see Deep Security release strategy and life cycle policy. Latest LTS (default): Indicates to use the latest long-term support (LTS) software build . Latest LTS can be the original LTS release, or can be an update to the original LTS release. Any FRs are ignored. LTS build versions always have 0 as the minor version number. For details on LTS and FR releases, see Deep Security release strategy and life cycle policy. <agent_version> (for example, `11.0.0.760`): Indicates to use a specific agent version. Other agents are ignored.
RESULTINGAGENT	This column shows the agent that will be deployed based on your selection under VERSIONCONTROL. If the column shows an N/A (Removed from inventory) message, it is because Trend Micro deemed the agent unsuitable for deployment and removed it.

Note that only agent versions 9.0 or later are displayed. For Solaris specifically, only versions 11.0 or later are displayed. If you want to deploy earlier agents, you need to use the `agentVersion= setting` available in the deployment scripts. For details, see [Use deployment scripts to add and protect computers](computers-add-deployment-scripts.xml).

Use agent version control with URL requests

Agent version control allows you to control which agents are returned when any URL request is made to Workload Security to download the agent. For details, see Using agent version control to define which agent version is returned.

Agent version control FAQs

Do I need to update my deployment scripts to use this feature?

Yes. To update your deployment scripts:

In the Workload Security console, go to Support → Deployment Scripts and generate new deployment scripts. For instructions, see Use deployment scripts to add and protect computers.
Re-distribute and re-run the new scripts as necessary.

The latest deployment scripts pass additional information to Workload Security (for example, platform information) that is required for the version control feature to work properly.

What happens if I don't update existing deployment scripts?

If you have existing deployment scripts that you generated prior to the availability of the agent version control feature, and you do not take any action to update them, they will default to Latest LTS. This default will be used for any older deployment scripts regardless of how you have set your agent version control settings. Replace the older deployment scripts with new deployment scripts to leverage the settings you define in the agent version control settings.

Deployment scripts that are generated after the availability of the agent version control feature will use your agent version control settings.

What features are out of scope (exceptions)?

By design, the following features are out of scope for the agent version control feature. These features are typically accessed by the Workload Security administrator directly, in many cases to test a specific agent version in a development or staging environment prior to deploying the agent version into production.

There is full access to all agent versions accessible in the following scenarios:

Computer → Upgrade Agent .
Computers → Actions → Upgrade Agent Software.
Selecting either of the preceding options launches a wizard with a list that always defaults to Use latest version for platform regardless of your version control settings. For details, see Upgrade the agent from the Computers page.
Agent upgrades that are not initiated directly from Workload Security. For example, if you export an agent package, transfer it to the server, and initiate the upgrade from the command line, the agent version control settings will not be involved in this upgrade.