The Autotask Endpoint Management Web Portal

Transcription

The Endpoint Management
Web Portal
Updated Thursday, October 27, 2016
© 2016 Autotask Corporation
Table of Contents
Table of Contents
2
The Endpoint Management Web Portal
6
Sites
7
Add a Site
9
Manage Sites
13
Site Summary
16
Site Settings
20
Proxy Settings in AEM
27
Connection Brokers
29
Node Scores
32
Designate a Local Cache
34
User-Defined Fields
38
Devices
42
Add a Device to AEM
43
Deploy and Install Agents on Servers, Desktops and Notebooks
50
Methods for Deploying Agents
51
Deploy Agents Using Active Directory
53
Download or Email the AEM Agent
57
LAN Deployment Using the Agent Browser (Windows Only)
59
LAN Deployment from the Web Portal
62
Install and Uninstall Agents
66
Install or Uninstall the Agent on Windows
67
Install or Uninstall the OS X Agent
70
Install or Uninstall the AEM Agent on Linux
72
© 2016 Autotask Corporation l Page 2 of 487
Cloning or Ghosting Devices that Have AEM Installed
73
Create an Agent Policy
74
Manage Mobile Devices (MDM)
78
Install or Uninstall an Android Agent
80
Install or Uninstall an iOS Agent
82
Create an iOS Mobile Device Management Policy
86
Manage and Monitor SNMP-Enabled Network Devices and Printers
92
Download or Create Network Monitor Components
96
Manage and Monitor ESXi Devices
100
Create an ESXi Policy
104
Audits
106
111
Manage Devices
115
Device Summary
119
Move Devices to Another Site
123
Messages
124
Suspended Devices
125
Delete Devices
127
Target Devices with Filters and Groups
129
Filters
130
Groups
142
Manage Your Endpoints
145
Patch Management
147
Create a Patch Management Policy
160
Create a Windows Update Policy
174
Network Management
178
Discover Devices on the Network
183
iOS Software Management
189
Backup Management
198
Datto Backup Integration
202
Security Management
205
Kaspersky Endpoint Security Integration
208
Webroot Endpoint Security Integration
218
Create a Security Management Policy
227
Monitors and Policies
232
Manage Monitors
239
Managing Policies
250
Create a Monitoring Maintenance Window Policy
253
Create a Monitoring Policy
256
Create a Power Policy
261
Apply Policies to New Devices
265
Components and ComStore
266
Download Components from the ComStore
268
Create or Edit a Component
301
Scripting
306
Scripting Ninite using Autotask Endpoint Management (AEM)
313
Input Variables
315
Deploy Components Using Jobs
319
Manage Jobs
326
Manage Job Alerts
329
The Job View
331
Manage Components
333
Create a Custom Component Monitor
338
Alerts and Tickets
345
Manage Alerts
346
Manage Tickets
352
Create a Ticket in the Web Portal
358
Create a Ticket in the Agent Browser
361
Activity Logs and Reports
364
Account Dashboard
365
Account Activity
371
Device Activity
372
User Activity
373
Find the Right Report
376
Reports at Device Level
377
Reports at Site Level
382
Reports at Account Level
412
Reports on Activities
423
Reports on Alerts
428
Reports on Endpoints
434
Status and Health Reports
449
User Reports
473
Schedule and Run a Report
476
Manage Reports
479
Index
481
The Endpoint Management Web Portal
The Web Portal is your Endpoint Management control console. Depending on your security level, you have
visibility of every site you manage as well as your entire device estate.
In the Web Portal, you do the following:
l
l
l
l
l
Set up and configure your Autotask Endpoint Management account. This includes setting up security
levels and users, branding your portal, configuring account and site settings, and installing and managing third-party integrations. Refer to Set Up Autotask Endpoint Management.
Manage the sites in which you can group your devices by customer, location, department, etc. Refer
to "Sites" on page 7.
Add (by deploying agents) and manage all your devices, including Windows, Mac and Linux devices,
mobile devices and network devices and printers. Refer to "Devices" on page 42.
Set up monitors that alert you automatically when thresholds are exceeded, and push them out to multiple devices through policies. Refer to "Monitors and Policies" on page 232.
Create and manage components (applications, monitors and scripts) that get deployed to your endpoints. Refer to "Components and ComStore" on page 266.
l
Schedule jobs. Refer to "Deploy Components Using Jobs" on page 319.
l
Create policies. Refer to "Managing Policies" on page 250.
l
Manage patches, network devices, software, backups, and security. Refer to "Manage Your Endpoints" on page 145.
l
Manage alerts and tickets. Refer to "Alerts and Tickets" on page 345.
l
Generate reports. Refer to "Activity Logs and Reports" on page 364.
Sites
About sites
In Autotask Endpoint Management (AEM), a site allows you to organize your endpoints in a way that fits your
business requirements.
A site lets you group devices together. You can define sites in the way that suits you best. If you are a Managed Service Provider, a site might mean a customer. If you are supporting one large IT organization and your
devices are spread out over a number of locations, a site may be an office department or a location. Whatever
your situation, you can set up your sites as per your preference.
Note that a device can only belong to one site, but it can be moved between sites as required.
Site Types: Managed and OnDemand
When you register your Autotask Endpoint Management (AEM) account, two sites are created for you by
default: a Managed and an OnDemand site. The two types of sites differ in functionality:
l
l
Devices added to your Managed site will have a Managed Agent installed and will be able to access
all the AEM features.
Devices added to your OnDemand site will have an OnDemand Agent installed and will have limited
access in AEM.
To learn more about the differences, refer to Key differences between Managed and OnDemand Agents.
Site icons
In the Web Portal, Managed sites do not have any icon next to their names by default. However, depending
on the integrations configured for your account, an icon may be displayed next to your sites. For further information, refer to our integration topics: Configuring Third Party Integrations.
OnDemand sites display this icon by default:
To learn about the Agent status icons in your system tray or menu bar, refer to Agent icons.
More information about sites
l
l
To find out how to add a new site to your account, refer to "Add a Site" on page 9.
To find out how to access details about an individual site or perform actions for multiple sites, refer to
"Manage Sites" on page 13.
l
For an overview of the Site Summary page, refer to "Site Summary" on page 16.
l
For information on how to configure settings for a site, refer to "Site Settings" on page 20.
l
To find out how to create site groups and add sites to them, refer to "Create Site Groups" on page 143.
Add a Site
When you register your AEM account, two sites are created for you by default: a Managed and an OnDemand
site. Managed sites can access all the AEM features, while OnDemand sites have limited access. For further
information, refer to "Sites" on page 7.
A site lets you group devices together. You can define sites in the way that suits you best. If you are a Managed Service Provider, a site might mean a customer. If you are supporting one large IT organization and your
devices are spread out over a number of locations, a site may be an office department or a location. Whatever
your situation, you can set up your sites as per your preference.
Note that a device can only belong to one site, but it can be moved between sites as required.
To add additional sites:
1. Go to the Sites tab and click on the New Site button.
2. Fill in the details in the New Site window.
Field
What to Enter
Name
Give a relevant name to your site to make sure your teams will be able to find
the devices in the place they expect (e.g. "Glasgow Office", "St. John's Comprehensive School", etc.).
Description
Give a relevant description to your site.
Phone Number
This field only becomes visible if your AEM account is integrated with
Autotask PSA. Refer to Autotask PSA and Endpoint Management Integration.
Enter a phone number so that the system can look for duplicate Autotask
PSA companies. The phone number entered here will not be saved for the
new site. Entering a phone number is optional.
Type
Select Managed or OnDemand as required. Refer to "Sites" on page 7.
Proxy type
If the devices that you're going to install the Agent on use a proxy server to
connect to the Internet, enter the proxy details here to ensure that the devices
are already configured when you install the Agent on them. For more information, refer to "Proxy Settings in AEM" on page 27.
Field
What to Enter
Security Levels
Select the security levels for which this site should be accessible. Refer to
Security Levels.
Groups
Select the site group(s) that the new site should be added to. This step is
optional. Refer to "Groups" on page 142.
3. Click Save.
4. If your AEM account is not integrated with Autotask PSA, your new site will be saved and you'll be directed to the "Site Summary" on page 16 page.
5. If you are integrated with Autotask PSA, you will be directed to the Map Site page where you will have
the following options to choose from:
Radio Button
Description
Create a new company for this site
Select this option if you would like to map your new AEM site
to a new PSA company, that is, if you would like to create a
new PSA company for this site. Enter a Phone Number
and assign one of your PSA Account Managers to the
new PSA company by selecting a name from the drop-down
list.
Map the site to an existing company
recommended by the system
to an existing PSA company recommended by the system.
Choose the required company from the list displayed.
Map the site to a different existing company of your choice
to an existing PSA company of your choice. Enter at least
three characters to the Filter field and click Search.
Choose the required company from the list displayed.
The filter searches for the name, phone number
and address of the PSA companies.
Do not map this site to a company
Select this option if you do not wish to map your new
AEM site to a PSA company. If you choose this option, you
will not be able to create any ticket for this AEM site.
You can always edit your mapping rules on
the Autotask Integration page later. For
more information, refer to Re-run mapping
analysis.
6. Click Finish Mapping. The new site will be saved and you'll be directed to the "Site Summary" on
page 16 page.
7. To delete a site, locate it by clicking on the Sites tab, then hover over it and click the Delete site icon
at the end of the row.
If your AEM account is integrated with Autotask PSA, you can easily see which PSA company
your AEM site is mapped to by selecting the Autotask PSA Company column from the column
chooser in the Sites list. If a site is mapped to a PSA company, you can click the hyperlinked
name to open the company detail page in PSA. Note that one PSA company can be mapped to
more than one AEM site, that is, multiple AEM sites may show the same PSA company name in
your Sites list. For more information about mapping rules, refer to Configure company (site)
and resource (user) mapping.
Manage Sites
Permission to view Sites
Sites
When logging into Autotask Endpoint Management (AEM), you land on the Sites page which lists all the sites
that you currently have in your account. You can also access a list of your sites by opening a group they are
associated with. For more information, refer to "Groups" on page 142.
To find out how to add a new site to your account, refer to "Add a Site" on page 9.
For further information about site types, refer to "Site Types: Managed and OnDemand" on page 7.
Sites tab
The Sites page gives you a summary about each of your sites in your account.
By default, the following information is displayed:
Field
Description
Name
The name of your site. You can give any name to your site when creating it and you
can edit it in "Site Settings" on page 20. The name is hyperlinked and once you click on
it, it will direct you to the "Site Summary" on page 16 page.
Description
The description of your site. You can give any description to your site when creating it
and you can edit it in "Site Settings" on page 20.
ID
The unique ID (identifier) of your site. This field cannot be edited as it is hard-coded.
Devices
It shows the total number of devices that have this site's Agent installed. Click on the
hyperlinked number to be directed to the list of devices.
Offline
It shows the number of devices that have this site's Agent installed and are offline. Click
on the hyperlinked number to be directed to the list of devices.
Proxy
It shows the proxy settings of this site that you can configure in "Site Settings" on page
20.
Field
Description
Delete icon
This icon appears when you hover over a row. Click the icon and confirm that you want
to delete the site. If you have a device in the site you would like to delete, the device
will be deleted as well. For further information, refer to "Manage deleted devices" on
page 127.
The page lets you do the following:
Field
Description
Column Chooser
The column chooser lets you select which columns should be visible in the results
view. You can click on All or None to select or deselect all the options, and you can
restore the default view by clicking on Restore Defaults. Drag and drop any of the
columns to re-arrange their order in the results view. Click Save to apply the changes
or Cancel to discard them.
Note: You must select at least one column in the column chooser.
Search
It is a dynamic search field that lets you search for your sites. As you type, the search
results are narrowed to match your search string.
Show entries
It lets you select to show 10 / 25 / 50 / 100 entries per page.
Shortcut for actions
An arrow pointing towards right in each row, just to the left of the first column. Once
you click on it, you will see a few icons displayed. These icons provide a shortcut for
actions that you can do in the sites. For further information about these shortcuts, see
the list of Action bar icons below.
Previous / Next
Click on Previous / Next to see the previous or next page of results.
There are a number of extra buttons available in the Action bar:
Icon
Name
Description
Add site(s) to site group
Add the selected site(s) to a site group. Refer to "Groups" on page 142.
Edit description of selected
sites
Edit the description of the selected site(s). Refer to "Site Settings" on
page 20.
Schedule a job
Schedule a job for the selected site(s). Refer to "Deploy Components
Using Jobs" on page 319.
Run a quick job
Run a component through a quick job for the selected site(s). Refer to
"Deploy Components Using Jobs" on page 319.
Export to CSV
Allows you to export a list of the devices in the selected sites in .CSV
format. Make sure to select the columns you want to include in the
export.
Send a message to the selec- Send a message to all the devices in the selected site(s). The message
ted devices
will pop up on the devices once they are online.
Note: It usually takes a few minutes for the message to appear.
Schedule reports
Schedule one or more reports for the selected site(s). Refer to "Schedule
and Run a Report" on page 476.
Icon
Name
Description
Map site(s) to Autotask
account
Map the selected site(s) to a PSA company. Once you have clicked on
the icon, the Map Sites page will open. For more information about the
options on this page, refer to "Add a Site" on page 9.
This icon is only displayed if your AEM account has been
integrated with Autotask PSA. Refer to Autotask PSA and
Endpoint Management Integration.
Refresh
Refreshes the current view. This will show your sites' most up-to-date
status.
Summary
Shortcut. It directs you to the "Site Summary" on page 16 page.
Device List
Shortcut. It directs you to this site's device list. Refer to "Manage Devices"
on page 115.
Audit
Shortcut. It directs you to the site's Audit tab. Refer to "Audits" on page
106.
Manage*
Shortcut. It directs you to the site's Manage tab.
Monitor*
Shortcut. It directs you to the site's Monitor tab.
Support
Shortcut. It directs you to the site's Support tab.
Report
Shortcut. It directs you to the site's Report tab.
Policies*
Shortcut. It directs you to the site's Policies tab.
Settings
Shortcut. It directs you to the "Site Settings" on page 20 page.
*Not available in OnDemand sites.
Site Summary
Permission to view or manage Sites
Sites > click on a site > Summary
When you log into Autotask Endpoint Management (AEM), you land on the Sites page which lists all the sites
that you currently have in your account.
By clicking on the name of one of your sites, you will be directed to the site's summary page. Here, you will
see statistical information about this site's endpoints, such as their security or energy usage.
In the top right corner, you will find the QR code
of this site. By clicking on it, you can enlarge
and scan or print the QR code.
In the top area of the Site Summary page, you can see the following information:
Field
Description
Devices*
The following numbers are displayed:
• Total number of devices
• Number of devices that are online
• Number of devices that are offline
• Number of devices that have been offline for more than a week
Click on the hyperlinked numbers to be directed to the list of devices of
that category.
Security
It shows the percentage of devices that have the following features enabled:
• Anti-virus
• Firewall
• MS Updates
It also shows:
• The number of missing patches on the devices
Once you click on the hyperlinked % number, it will show you a list of
devices that have that specific feature disabled. Once you click on the
number next to Patch Management (Patch Mgt.), it will show you the
missing patches of all the devices in the site.
Energy Usage*
It shows you the number of hours this site's devices were online in the previous and the
current month and how much they cost you in those months. The calculation is based on
the power rating setting configured in "Site Settings" on page 20.
Further down, there are three sections that you can collapse or expand by clicking on their names:
l
Security Status
l
Favorites
l
Notes
Once each section is expanded, further information is displayed as outlined below.
Security Status
Field
Description
Anti-Spyware Summary
It shows the number of devices that have:
• At least one active and updated anti-spyware product
• At least one active but not up-to-date anti-spyware product
• No active anti-spyware product
Anti-Virus Summary / AEM
Managed Anti-Virus Summary
This section will display a different name and information, depending on
whether you have configured the Kaspersky Endpoint Security (KES) Integration
or the Webroot Endpoint Security Integration. Refer to "Kaspersky Endpoint
Security Integration" on page 208 and "Webroot Endpoint Security Integration"
on page 218.
Without any of the above integrations enabled, the section is called Anti-Virus
Summary and shows the number of devices that have:
• At least one active and updated anti-virus product
• At least one active but not up-to-date anti-virus product
• No active anti-virus product
With any of the above integrations enabled, the section is called
AEM Managed Anti-Virus Summary and shows:
• The total number of devices targeted in security management policies. Note
that this number may not match the sum of devices listed for the various statuses
below as one device may be listed for more than one status. (For example, the
same device may be listed for the status "Installed, not active" and "No valid
license".)
The following device statuses are displayed:
• Installed & Active
• Not Installed
• Installed, not Active
• Reboot Required
• Active Threats
• Needs Update
• No Valid License
Field
Description
Firewall Summary
• At least one active firewall product
• No active firewall product
Security Status information is displayed for Windows devices only. It does not include anti-spyware status for Windows XP devices and the status of servers (as they do not report security center information).
Click the hyperlinked number of devices next to any status to see the list of devices of that
status.
The name of the anti-spyware, anti-virus and firewall products is listed under each section, along with their
status:
Icon
Description
Enabled and up to date
Enabled but not up to date
Disabled
By clicking on the Show/Hide Graph
icon in the Anti-Spyware Summary, Anti-Virus Summary and Firewall
Summary areas, you can see a graphical representation of the data.
Favorites
This section lists all the devices in this site that have been marked as a favorite, which allows for an easier
access to them. For further information on how to mark a device as a favorite, refer to "Manage Devices" on
page 115.
The following information is displayed in the Favorites area by default:
Field
Description
Hostname
The name of your device. This can be edited in the device itself.
Description
The description of your device that can be edited in "Device Summary" on page 119.
IP Address
The IP address of your device.
Ext IP Addr
The external IP address of your device.
Last User
The user that last logged into this device.
Operating System
The operating system of your device.
You can change the default columns by clicking on the Column Chooser icon:
Icon
Name
Description
Column Chooser
view. You can click on All or None to select or deselect all the options, and you
can restore the default view by clicking on Restore Defaults. Drag and drop any
of the columns to re-arrange their order in the results view. Click Save to apply
the changes or Cancel to discard them.
To learn what actions you can perform on your favorite devices, refer to "Action bar icons" on page 116.
You can also see some additional remote connection icons next to your devices. For more information, refer
to "Remote takeover icons" on page 118.
Notes
You can add notes about the site.
1. Enter your note.
2. Click Save to save the note.
3. Or click Reset to delete the current note. All previously entered notes will remain intact.
Site Settings
Permission to manage Site Settings
Sites > click on a site > Settings
If you are the person who is responsible for implementing Autotask Endpoint Management (AEM) in your company, you have probably reviewed your Account Settings as one of the first steps in implementation. While
account settings are fundamental for the optimal running of AEM, they may not apply to all sites in your
account and you may need to modify them for certain sites. Individual site settings may override account settings or complement them with additional information. For information about sites, refer to "Sites" on page 7.
The correct permission to access Site Settings can be set up in Setup > Security Levels. For further information, refer to Security Levels.
As OnDemand sites cannot access all AEM features, some settings may not be available for them.
The settings described below are available for Managed sites.
General
You can modify basic information about your site by clicking on Edit.
Field
What to Enter
Name
Give your site a meaningful name. By default, you have one site called Managed and one called
OnDemand.
ID
This is the unique ID (identifier) of your site. This field cannot be edited as it is hard-coded.
Description
Enter a meaningful description.
Type
Choose one of the two available site types:
• Managed
• OnDemand
To find out how the two site types differ, refer to "Sites" on page 7.
Power Rating
You can specify the cost and power rating of your devices within the site. These numbers will provide the
basis for you managed endpoints' energy usage calculation that you can view on a Managed site's summary
page. For more information, refer to "Site Summary" on page 16.
The default wattage of 350W and the default cost can be changed by clicking on Edit.
The fields accept numeric values only.
Field
Value
Desktop
Define the power rating of desktops. This can be overridden on the "Device Summary" on page
119 page.
Laptop
Define the power rating of laptops. This can be overridden on the "Device Summary" on page 119
page.
Server
Define the power rating of servers. This can be overridden on the "Device Summary" on page 119
page.
Other
Define the power rating of any other devices. This can be overridden on the "Device Summary" on
page 119 page.
Cost per
kWh
Define the cost per kWh.
The formula to calculate the managed endpoints' energy usage calculation is as follows:
(UptimeInMinutes * Wattage) / 60 / 1000 * Price
If you leave these fields blank, the power rating configured in your Account Settings will be
applied. Alternatively, you can override the power rating settings on the "Device Summary" on
page 119 page as well.
Proxy
Configure your site with proxy settings in case you use proxy servers in your environment.
1. Click Edit to configure your proxy settings.
Field
What to Enter
Proxy Type
Select the correct proxy type:
• HTTP
• Socks4
• Socks5
• Select None if you do not wish to use any proxy for this site.
Proxy Host
Enter the proxy host as required by your proxy server.
Proxy Port
Enter the proxy port as required by your proxy server.
Proxy Username
Enter the proxy username as required by your proxy server.
Proxy Password
Enter the proxy password as required by your proxy server.
2. Click Save.
Site proxy settings will not apply to devices that had already been in the site before the proxy settings got configured. Existing devices with an Agent installed will need to be manually configured
for proxy.
For further information, refer to "Proxy Settings in AEM" on page 27.
Custom Agent Settings
You can specify here whether this site should use connection brokers, that is, whether any Agent in this site
can become a connection broker. The default setting is set to ON. Switch off the option Use Connection
Brokers if you would like to prevent any Agent in this site from becoming a connection broker. For more
information refer to "Connection Brokers" on page 29.
The configuration applied in Account Settings will override any selection made at site level, however, once you have configured the connection broker option in Account Settings, you can modify it
manually at site level.
Agent Deployment Credentials
To be able to deploy an Agent across a LAN, you'll need to have a username and password for the device(s)
you're going to install the Agent on. It is possible to cache these credentials so that you don't have to enter
them each time for each device. The credentials entered here will be used in addition to any credential specified in Account Settings. For information on how to add Agent deployment credentials, refer to Account Settings.
Switch off the option Use Account Level Agent Deployment credentials if you wish to use the credentials
added at site level only.
SNMP Credentials
If you would like to manage SNMP-enabled devices in AEM, you can cache their SNMP credentials so that
you don't have to enter these whenever adding new managed network devices. The credentials entered here
will be used in addition to any credential specified in Account Settings.
If you wish to use the SNMP credentials configured at site level only, switch off the option Use Account
level credentials for SNMP-enabled devices.
For information on how to add SNMP credentials, refer to Account Settings.
For further information about how to manage your network devices, refer to "Manage and Monitor SNMPEnabled Network Devices and Printers" on page 92.
ESXi Credentials
If you would like to manage ESXi devices in AEM, you can cache their credentials so that you don't have to
enter these whenever adding new devices. The credentials entered here will be used in addition to any credential specified in Account Settings.
If you wish to use the ESXi credentials configured at site level only, switch off the option Use Account level
credentials for ESXi hosts.
For information on how to add ESXi credentials, refer to Account Settings.
For further information about how to manage your ESXi devices, refer to "Manage and Monitor ESXi Devices"
on page 100.
Splashtop
If you cannot see this section, that is because you haven't downloaded the Splashtop extension for your
account, yet. To learn how to download and enable it for your account, refer to Account Settings.
Once the Splashtop Streamer is enabled for the entire account, the option Install Splashtop Automatically
will be switched on at site level by default and all supported devices will automatically install the Splashtop
Streamer. Turn the option off if you would like to prevent the Splashtop Streamer from being installed automatically.
If the installation of Splashtop Streamer is disabled in Account Settings, you will not be able to turn in on at
site level and the following message will be displayed:
For further information about Splashtop settings, refer to Splashtop Remote Screen Share Integration.
Email Recipients
You can add one or more email recipients and define what type of email notifications they should receive.
Mail recipients set up here will receive notifications from this site only.
The notification type ComStore Components is available for selection in Account Settings only.
It is possible to set up email recipients for the entire account. For more information on that and on how to add
email recipients, refer to Account Settings.
Local Caches
The Local Caches option is not available for OnDemand sites.
A local cache is a designated device that can be used as a component cache to store components and/or as
a patch cache to store patches. For more information, refer to "Designate a Local Cache" on page 111.
Once you have nominated your local caches, they will be listed in Site Settings with the following details:
Name, Priority, Drive, Cache type. You can perform the following actions:
l
l
l
Drag and drop any of the local caches to re-arrange their order. This allows you to prioritize which
local cache your devices should contact first.
Hover over one of the local caches and click on the Delete this cache icon to remove it from the list.
For more information, refer to "Edit or remove a device as a local cache" on page 113.
You can specify a time frame after which the cached patches should be deleted from the local patch
cache. You can choose After 30/60/120/180 days or Never. By default, After 120 days is selected.
Assigned Resource for End-User Tickets
The Assigned Resource for End-User Tickets option is not available for OnDemand sites.
You can select one of the Administrators that end-user tickets of this site should be assigned to by default. If
No default user is selected, the end-user tickets will be assigned to the Administrator selected in Account
Settings. If no Administrator is selected in Account Settings, the end-user tickets will be assigned to the user
who registered the account.
The setting applied at site level will override the setting applied in Account Settings.
Variables
The Variables option is not available for OnDemand sites.
Here, you can specify variables that can be used when writing custom scripts or components. The variables
can be defined with a specific value that the Agent will use when executing the script. How you refer to the
variables in your script will be defined by the scripting language you apply (e.g. in batch scripts, you can refer
to a variable in the format of %VariableName%).
Site variables will override variables of the same name that are configured in Account Settings. For information on how to add variables at Account level and how to update site variables using a template, refer to the
Variables and Update Site Variables sections in Account Settings.
Credentials
You can specify a username and password for this site. This can become useful when running a script as you
can make the component require the site credentials that you set up here. For further information, refer to
"Scripting" on page 306.
1. Click Edit.
2. Select Use the following credentials for this site.
3. Enter a Username and a Password.
4. Click Save.
User-Defined Fields
This area allows you to override the 10 user-defined fields that you can configure in Account Settings. These
fields can be populated with information that is not picked up in the device audit so that it can be filtered and
searched upon to provide additional targeting for jobs and policies. You can enter the user-defined field information manually on the "Device Summary" on page 119 page or it can be populated by the AEM Agent on Windows devices. For further information, refer to "User-Defined Fields" on page 38.
To configure the user-defined fields, do the following:
1. Hover over one of the user-defined fields and click on the pencil icon to edit it.
2. Rename the field under Site Label.
3. Click on the green tick
to save the changes.
Kaspersky Endpoint Security
If you cannot see this section, that is because you haven't downloaded the Kaspersky Endpoint Security
(KES) component for your account, yet. Once KES is downloaded, this section will be displayed.
By default, the option Activate Security Management is turned ON if you have a KES policy configured for
the site.
Turning the setting OFF will deactivate all the currently active KES security management policies of the site.
Turning the setting ON will activate all the KES security management policies that have previously been
deactivated for the site.
The Activate Security Management setting will automatically be turned OFF if you remove all
KES policies configured for the site.
To learn about other settings at account level, refer to Windows Security Center Audit.
For more information about KES, refer to "Kaspersky Endpoint Security Integration" on page 208.
Webroot Security Agent
If you cannot see this section, that is because you haven't downloaded the Webroot Endpoint Security
component for your account, yet. Once Webroot is downloaded, this section will be displayed.
By default, the option Activate Security Management is turned ON if you have a Webroot policy configured
for the site.
Turning the setting OFF will deactivate all the currently active Webroot security management policies of the
site. Turning the setting ON will activate all the Webroot security management policies that have previously
been deactivated for the site.
The Activate Security Management setting will automatically be turned OFF if you remove all
Webroot policies configured for the site.
To learn about other settings at account level, refer to Windows Security Center Audit.
For more information about Webroot, refer to "Webroot Endpoint Security Integration" on page 218.
Proxy Settings in AEM
Permission to manage Site Settings
Sites > click on a site > Settings > Proxy
Agent Browser
A proxy or proxy server is a connection (a program or a computer) between your device and the Internet. It
serves as an intermediary as it processes the requests your device sends out, and returns the information
you need from the Internet. Proxies are often used to hide your location or IP address, to control Internet
usage (by blocking or bypassing certain websites), or to improve security. In order for your device to access
the proxy server, it needs to have the correct proxy settings.
Autotask Endpoint Management (AEM) can be configured with proxy settings so that it can be used in environments that use proxy servers. Proxy settings can be managed in the Web Portal within a site. Once configured, the settings will apply to any new device added to the site. Individual proxy settings can be applied
locally within the Agent settings as well.
How to...
Configure site proxy settings in the Web Portal
1. Click on the Sites tab and click on the name of the site you wish to configure proxy settings for.
2. Click the Settings tab to the right, and scroll down to the Proxy section.
3. Click Edit.
4. Specify if the proxy type is HTTP, Socks4, or Socks5.
5. Fill in the proxy details as required by your proxy server: host, port, username, password.
6. Click Save to update the settings.
Once saved, the proxy settings will apply to any new Agent added to the site. Existing devices with an Agent
installed will need to be manually configured for proxy. Refer to "Configure proxy settings in the AEM Agent"
on page 28.
You can also configure proxy settings when creating a new site by entering the above details
under Proxy type on the New Site page. Refer to "Add a Site" on page 9.
Configure proxy settings in the AEM Agent
Site proxy settings will not apply to devices that had already been in the site before the proxy settings were
configured. Therefore, existing devices with an Agent installed will need to be manually configured for proxy.
1. On the device that you would like to configure proxy settings for, right-click on the AEM icon in the system tray or click on it in the menu bar and select Settings.
2. Under the Network tab, specify if the proxy type is HTTP, Socks4, or Socks5.
3. Fill in the proxy details as required by your proxy server: DNS/IP (host), port, username,
password.
4. Click OK to apply the proxy settings.
Connection Brokers
Any User
Setup > Account Settings > Custom Agent Settings
Sites > click on a site > Settings > Custom Agent Settings
About connection brokers
Autotask Endpoint Management (AEM) uses connection brokers to reduce outbound network traffic within a
subnet. This can be useful especially for low bandwidth environments where you have a number of devices
connected to the AEM platform.
Connection brokers handle pings and keep alive requests to tell the platform if the devices within the subnet
are online or not. By default, the option to use connection brokers is enabled for every account, however, this
can be disabled in Account Settings and "Site Settings" on page 20.
How to...
Enable / disable connection brokers
The option to use connection brokers is enabled for every AEM account by default, however, you can manually disable it for the entire account or at site level.
The ability to disable connection brokers can be useful when diagnosing single device problems or to overcome local network configuration issues where communication between Agents with a connection broker
may be more difficult than allowing them to reach the platform directly.
To disable or enable the use of connection brokers, do the following:
1. Go to Setup > Account Settings > Custom Agent Settings or Sites > select a site > Settings >
Custom Agent Settings.
2. Switch the option Use Connection Brokers on or off accordingly. It will then allow or prevent any
Agent from becoming a connection broker in the entire account or at site level.
When switching the option off at account level, it will override any selection made at site level.
However, once you have configured the connection broker option in Account Settings, you can
modify it manually at site level.
Nominate a device as connection broker
The AEM Agent polls the platform every 90 seconds with keep-alive-messages. If the option to use
connection brokers is enabled at account and/or site level, and there is more than one Agent on a LAN connecting to the AEM platform, one of those Agents will automatically be designated as a connection broker. It
will then deal with all the pings and keep-alive-messages from the other devices in the subnet, which keeps
the outbound traffic to a minimum. To learn how an Agent obtains a node score ranking to become a connection broker automatically, refer to "Node Scores" on page 32.
You also have the ability to manually select a device within your network to act as a connection broker. This
will give the device a node score of 20 by default.
Nominate a device as a connection broker that is likely to have the highest uptime within your
network, such as a server.
In order to force an Agent to become a connection broker, do the following:
1. Locate the AEM Agent on the local device and right-click on it.
2. Click Settings.
3. Click the Preferences tab.
4. Select the option Force this device to become a Connection Broker (CB).
5. Click OK.
This will set the device to have a node score of 20, thus ensuring that the device is a connection broker. For
further information, refer to "Node Scores" on page 32.
If you have more than one device that has been set up as a connection broker inadvertently, the
device that contacts the platform first will become the connection broker.
Find the connection broker
The connection broker for each site is not shown on the "Site Summary" on page 16 screen, however, you
can find it through one of the ways outlined below.
Through the Agent
1. Open the AEM Agent on a local device.
2. Under the Summary tab, locate the AEM Connection section to see the IP address of the connection broker through which this device is connected to the platform.
3. In case this device is the connection broker, the following entry will be displayed:
In the log file
If a connection broker is being used, it will be reported in the AEM log file in the following format:
CB:COMPUTERNAME, Score:3 at 192.168.139.1
For further information about the log file, refer to How do I find the AEM log files?
Node Scores
Each device with an Autotask Endpoint Management (AEM) Agent installed will obtain a node score ranking
to determine whether it can be established as a Connection Broker.
The node score is calculated when a device runs an audit (once a day for Managed Agents and once every 7
days for OnDemand Agents). An Agent will only respond to a connection broker request if its node score is
equal to or greater than the node score of the requesting Agent. This ensures that the most robust device of
the network will become the connection broker for the subnet. For more information, refer to "Connection
Brokers" on page 29.
Agents are graded on a score of between 0 and 19, 0 being the least suitable and 19 the most suitable to be
used as a connection broker.
Devices with disabled node score functionality will show -1 for their node score.
The node score is calculated from the following areas:
l
Network connection type
l
Operating system type
l
Time elapsed since last system boot
The score will be generated through the following score process:
Administrator
Sites > click on a site > Devices
Sites > click on a site > Settings > Local Caches
What is a local cache?
a patch cache to store patches.
A component cache stores a local copy of all downloaded components in your Autotask Endpoint Management (AEM) account and then distributes the components to other devices in the same site without the
need to pull them from the AEM Amazon cloud platform.
A patch cache downloads and stores patches from Windows Update to serve them for devices in the same
site through a patch policy. The patch cache will continuously download new patches as the need for them
arises.
Using a local cache for downloading either components or patches reduces bandwidth usage and drastically
improves efficiency when deploying components and conducting patching operations.
A local cache is not the only way to avoid downloading a component multiple times. If the
same component is scheduled to be installed on another device in the same AEM site, the target device will query other nodes on the network to see if the file exists locally. If the file is available only on a local device that is not a local cache, the Agent will download the component
from that location. This is known as peer sharing. Peer sharing is only used if the component is
not cached locally.
Supported operating system
Local cache type
Component cache
Windows
Patch cache
For more information on supported versions of the above operating system, refer to Supported Operating Systems and Requirements for the Agent.
Requirements
l
Only desktops, servers, and laptops with up-to-date audit information may be nominated as local
caches.
l
l
Local caches need to have adequate hard drive space to store the components and/or patches.
For component caches, port 13229 must be available for inbound communications, and accessible to
all devices on the local network.
A local cache should preferably be a device that is always left on, e.g. a server.
Default location for cached components and patches
Your cached components and patches will be stored in the following locations by default:
Type
Location*
Cached components
Drive:\ProgramData\CentraStage\Packages
Cached patches
Drive:\ProgramData\CentraStage\Patches
* You can specify the drive when nominating the cache. Refer to "Designate a device as a local cache" on page
35.
How to...
Designate a device as a local cache
We recommend restricting individual sites to a single geographical area for the smoothest possible operation with local caches.
1. Navigate to a site and click on the Devices tab.
2. Click the check box next to the device you wish to select as a local cache. You can select more than
one device.
3. Click the Add/Remove as local cache icon
in the Action bar.
4. A pop-up window will appear listing all devices you have selected. You can collapse or expand each
device.
5. Select any or both of these check boxes:
Cache all Components in this account - It will nominate the device as a component cache. The
device will receive all components that have been downloaded to your Component Library. Additionally, it will sync with your Component Library when a component is created, edited or deleted.
Refer to "Download a component" on page 269.
Cache Patches (use with a Patch Management Policy) - It will nominate the device as a patch
cache. Ensure that you have at least one active patch management policy. Refer to "Create a Patch
Management Policy" on page 160.
6. Select a drive on which the cached files should be stored. Refer to "Default location for cached components and patches" on page 35.
A local cache will stop downloading patches if the selected drive's free disk space falls
below 1 GB.
7. Click Save.
8. Your local caches will now be listed in Site Settings where you can re-arrange their order of priority,
and you can also specify patch cache clearing options. Refer to "Site Settings" on page 20.
For custom components only, there is an additional feature available: you can choose which
components should be made available to which sites. Refer to "Map components to specific
sites" on page 336.
Edit or remove a device as a local cache
1. You can remove a local cache in Site Settings. Refer to "Site Settings" on page 20.
2. Alternatively, to either edit or remove a local cache, you can follow steps 1-4 of "Designate a device
as a local cache" on page 35.
3. You can select or deselect any or both of these check boxes:
Cache all Components in this account
Cache Patches (use with a Patch Management Policy)
4. You can select a different drive on which the cached files should be stored.
5. Click Update.
If a local patch cache is removed, the patches cached on that device will be removed almost immediately.
User-Defined Fields
Administrator
Sites > click on a site > Devices > click on a Device > Summary
User-defined fields in Autotask Endpoint Management (AEM) are used for displaying device information that
is not picked up during the device audit. Each device record can have up to 10 user-defined fields. You can
enter the user-defined field information manually on the "Device Summary" on page 119 page or it can be populated by the AEM Agent on Windows devices. Once a user-defined field is populated with information, the
data can be filtered and searched to provide additional targeting criteria for jobs and policies.
Note that user-defined field information can be populated by the AEM Agent on Windows
devices only. It will fail on any other operating system.
For information about how to set up user-defined fields, refer to Account Settings and "Site Settings" on page
20.
How to...
Add user-defined field information manually
In order to manually enter information into the user-defined fields, do the following:
1. Go to Sites and click on one of your sites.
2. Click on the Devices tab and click on one of the device records.
3. On the Device Summary page, click the Edit hyperlink next to the device description.
4. Add the required information into the user-defined fields.
5. Click Save.
For more information, refer to "Device Summary" on page 119.
Populate user-defined field information automatically
Having user-defined field information displayed on the device summary page does not have to be a manual
process exclusively. On Windows devices, user-defined fields can also be populated by the AEM Agent. By
adding entries to the device registry, the Agent will send the data back to the platform and the user-defined
fields will get populated automatically. This makes for an extremely powerful and useful tool, especially when
coupled with the scripting and component mechanisms within AEM. For information on scripting, refer to
"Scripting" on page 306.
You can use either of the two ways described below to add registry entries to your devices.
Use the command line
1. Open the Command Prompt window.
2. To add a registry entry via the command line, use the following syntax:
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage /v CustomField /t REG_SZ /d
"ValueForFieldHere" /f
3. Make the necessary changes in the command line:
Field
What to Enter
CustomField
This will be the string value name once added to the registry. Enter one of Custom1, Custom2, ... Custom10, according to the user-defined field you wish to populate.
Custom1 will populate User-Defined Field 1, Custom2 will populate
User-Defined Field 2, and so on.
ValueForFieldHere
This will be the string value data once added to the registry. Enter the information
you would like to display on the device summary page.
For example, the following command would put the name "Joe Smith" in User-Defined Field
1:
REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage /v Custom1 /t REG_
SZ /d "Joe Smith" /f
4. Click Enter.
Use RegEdit
1. Open the Registry Editor.
2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\CentraStage.
3. Right-click in the right-hand window and select New > String Value.
4. Rename the New Value. Enter one of Custom1, Custom2, ... Custom10, according to the userdefined field you wish to populate.
Custom1 will populate User-Defined Field 1, Custom2 will populate User-Defined Field 2,
and so on.
5. Double-click on the value to edit the string.
6. Enter the Value data. This is the information that will be displayed on the device summary page.
7. Click OK.
Once the Agent connects to the platform, it will send back the data added to the registry and the information
will be displayed on the device summary page in each user-defined field accordingly.
Devices
Devices are the endpoints that are managed in your Autotask Endpoint Management (AEM) account. All
devices are associated with a site.
Devices do not automatically materialize in AEM when you add a site. You must add them to AEM first. The
exact method depends on the type of device (e.g. desktop or mobile), and the operating system of the device.
Refer to "Add a Device to AEM" on page 43.
Once you have gained visibility of all devices you want to manage, you have a number of tools at your disposal to:
l
l
l
l
Take an inventory of the hardware and software installed on a device. Refer to "Audits" on page 106.
Find out how to access details about an individual device or perform actions on multiple devices, refer
to "Manage Devices" on page 115.
Organize your device estate by creating filters and groups that allow you to target policies and jobs at
just the right subset of devices. Refer to "Target Devices with Filters and Groups" on page 129.
For an overview of the Device Summary page, refer to "Device Summary" on page 119.
Add a Device to AEM
Devices do not automatically materialize in AEM when you add a site. You must add them to AEM by using
one of these methods:
l
l
Install an Agent. This method works for desktop and mobile devices that have an operating system.
Manage your device through a network node device. If you cannot install an Agent on your device (e.g.
on your switch, router, printer, ESXi device, or any device that does not have an operating system), a
network node device can manage it for you.
Devices with an Agent installed
Devices that have an operating system become visible to the Web Portal when an Agent is installed that
allows you to audit and manage the device.
About Agents
Agents are lightweight applications that allow you to establish a remote connection between devices. Agents
allow you to collect information about the customer's network, hardware and software, remotely support customers, proactively monitor every endpoint, deploy patches, create alerts, schedule maintenance jobs, and
more. Agents need to be installed on both the device you’re connecting to, and the device you’re doing the
connection from. For more information, refer to The AEM Agent and Agent Browser.
Agents and Operating Systems
Agents are specific to the operating system of the device they are installed on. Autotask Endpoint Management provides Agents for Windows, Mac and Linux operating systems, as well as for iOS and Android
mobile devices. For a feature comparison of the different types of Agents, refer to "Types of Devices" on
page 44.
Types of Agents
There are two types of Agents that differ in functionality: Managed, and OnDemand. Managed gives the service provider a lot more functionality. OnDemand requires that the customer allows the remote takeover.
Which one is deployed depends on the type of site the device is associated with. Refer to Managed and
OnDemand Agents.
For more information about Agents, refer to AEM Agent.
Types of Devices
There are three types of devices that differ significantly with regard to the Agent that is installed on them and
the features that are available.
Server, Desktop and Notebook Devices
AEM supports Windows, Mac and Linux operating systems, but Agent features differ between the different
O/S.
Features of server, desktop and notebook Agents
Features
Windows
Mac
Linux
Monitors
Online status
CPU
Memory
Component
Running processes
Services
Event log
Software log
Security Center
Disk usage
File / folder
Security Management
Datto
Device audit
Software
Hardware
Change log
Disk usage
Features
Windows
Mac
Linux
Remote takeover
To Mac
To Windows
From Mac
From Windows
Proxy settings
Ticket creation
Remote Agent features
File transfer
Remote shell
Privacy mode
Screenshot
Service manager
Shut down / restart
LAN deploy
Task manager
Remote registry
Quick jobs
Event log
Wake on LAN
For information on deploying and installing agents on servers, desktops and notebooks, refer to "Deploy and
Install Agents on Servers, Desktops and Notebooks" on page 50.
Mobile Devices
AEM supports iOS and Android operating systems, but again, Agent features differ between the different
O/S.
Features of Agents for mobile devices
Features
iOS
Android
Device Audit
List device information
List network information
List installed applications
Show device location
Manage device
Erase device and settings
Lock device
Unlock device
Change passcode
Passcode policy
WI-FI credentials
VPN credentials
Password protect against policy removal
*
Restrictions
Allow use of camera
Allow installing apps
Allow screen capture
Allow voice dialing
Allow FaceTime
Allow automatic sync when roaming
Allow Siri
Features
iOS
Android
Allow Siri while locked
Allow Passbook notifications while locked
Allow in-app purchases
Force users to enter iTunes Store password for all purchases
Allow multiplayer gaming
Allow adding Game Center friends
Show Control Center in lock screen (iOS 7)
Show Notification Center in lock screen (iOS 7)
Show Today view in lock screen (iOS 7)
Allow documents from managed apps in unmanaged apps (iOS 7)
Allow documents from unmanaged apps in managed apps (iOS 7)
Allow use of iTunes Store
Disable Safari popup-blocking functionality
Allow use of Safari
Enable Safari autofill
Force Safari fraud warning
Enable Safari javascript
Allow iCloud backup
Allow iCloud document sync
Allow iCloud Keychain sync (iOS 7)
Allow photo stream
Allow shared stream
Features
iOS
Android
Allow diagnostic data to be sent to Apple
Allow user to accept untrusted TLS certificates
Force encrypted backup
Allow automatic updates to certificate trust settings (iOS 7)
Force limited ad tracking (iOS 7)
Allow finger print for unlock (iOS 7)
Allow explicit music and podcasts
Rating Apps
Rating Movies
Rating TV Shows
Show iMessage
Allow app removal
Allow Game Center
Allow Bookstore
Allow Bookstore erotica
Allow UI configuration profile installation
Allow modifying account settings (iOS 7)
Allow AirDrop (iOS 7)
Allow changes to cellular data usage for apps (iOS 7)
Allow user-generated content in Siri (iOS 7)
Allow modifying Find My Friends settings (iOS 7)
Allow host pairing (iOS 7)
*You can apply password protection, but be aware that Apple devices are ultimately in the user's control, who can remove the policy.
For information on deploying and installing agents on mobile devices, refer to "Manage Mobile Devices
(MDM)" on page 78.
Devices without an Agent installed
Network devices and printers
Network devices and printers lack an operating system and therefore do not support the installation of an
agent, but can still become managed devices using SNMP. For further information, refer to "Manage and Monitor SNMP-Enabled Network Devices and Printers" on page 92.
ESXi devices
The AEM Agent cannot run on ESXi devices. To learn how you can manage and monitor them, refer to "Manage and Monitor ESXi Devices" on page 100.
Deploy and Install Agents on Servers, Desktops and Notebooks
About Agents
Agents are lightweight applications that allow you to establish a remote connection between devices. Agents
allow you to collect information about the customer's network, hardware and software, remotely support customers, proactively monitor every endpoint, deploy patches, create alerts, schedule maintenance jobs, and
more. Agents need to be installed on both the device you’re connecting to, and the device you’re doing the
connection from. For more information, refer to The AEM Agent and Agent Browser.
Agents and Operating Systems
Agents are specific to the operating system of the device they are installed on. Autotask Endpoint Management provides Agents for Windows, Mac and Linux operating systems, as well as for iOS and Android
mobile devices. For a feature comparison of the different types of Agents, refer to "Types of Devices" on
page 44.
Types of Agents
There are two types of Agents that differ in functionality: Managed, and OnDemand. Managed gives the service provider a lot more functionality. OnDemand requires that the customer allows the remote takeover.
Which one is deployed depends on the type of site the device is associated with. Refer to Managed and
OnDemand Agents.
Deploying Agents
Since each device must have an Agent installed, one thing you need to think about is how you will get the
Agent onto each device. Refer to "Methods for Deploying Agents" on page 51.
Installing and Uninstalling Agents
Manually installing and uninstalling agents can be necessary with some deployment methods, or as a part of
troubleshooting a problem. Refer to "Install and Uninstall Agents" on page 66.
Use an Agent Policy to Update Agent Settings
To edit the Agent settings, using an Agent Policy is the most elegant way to do it. Refer to "Create an Agent
Policy" on page 74.
Methods for Deploying Agents
When you become an Autotask Endpoint Management (AEM) customer, and every time you on-board a new
customer, the first task is to deploy Agents to all the devices.
This can be a bit of a chicken and egg problem: the very tool you use to deploy software isn't on the device
yet. There are, however, a number of different deployment methods, including using an existing software
deployment mechanism, manual installation either by technicians or end-users, using the startup script functionality built into Windows Group Policy, or using the LAN Deploy tool built into the Agent itself.
To help you figure out the best way to go about it, refer to the following table.
Agent Deployment SituBest Option
ation
You are
replacing
another
RMM software with
Autotask Endpoint Management
In this circumstance, the best option is to use the
old RMM to deploy and install AEM Agents to all
devices. When that is done, use AEM to remove
the old RMM's Agent.
The site you
are deploying the
Agents to
has a
domain controller
If you are planning on deploying Agents across a
Windows Active Directory domain, you can use
the startup script functionality built into Windows
Group Policy to do the deployment for you. This
will ensure that the deployment is touching every
device that applies the GPO, with minimal levels of
manual intervention. Refer to "Deploy Agents
Using Active Directory" on page 53.
No Agent on
the network
If this is a new customer and there is no Agent
installed anywhere on the network, you must
email or manually install the Agent on at least one
device. Refer to "Download or Email the
AEM Agent" on page 57.
Another
device on
the network
already has
the Agent
installed
If one device on a LAN already has an Agent
installed and you have the right permissions, you
can deploy this Agent to devices that don't have it
across the LAN. This works for both Windows and
OS X. Refer to "LAN Deployment Using the Agent
Browser (Windows Only)" on page 59 and "LAN
Deployment from the Web Portal" on page 62.
If you are cloning or ghosting a device that has an Agent installed, you must first remove it.
Refer to "Cloning or Ghosting Devices that Have AEM Installed" on page 73.
You cannot install Agents on switches, routers, UPSs, printers, etc., because these devices don't
have an operating system. However, devices that can be managed using Simple Network Management Protocol (SNMP) can still be monitored. Refer to "Manage and Monitor SNMP-Enabled
Network Devices and Printers" on page 92.
The AEM Agent cannot run on ESXi devices, however, a network node device can manage and
monitor them. For further information, refer to "Manage and Monitor ESXi Devices" on page 100.
Deploy Agents Using Active Directory
On Microsoft Servers, a domain controller (DC) is a server that responds to security authentication requests
(logging in, checking permissions, etc.) within the Windows Server domain (source: Wikipedia).
In the Windows 2000 operating system, a Group Policy Object (GPO) is a collection of settings that define
what a system will look like and how it will behave for a defined group of users. Microsoft provides a program
snap-in that allows you to use the Group Policy Management Console (GPMC). The selections result in a
GPO that defines registry-based polices, security options, software installation and maintenance options,
scripts options, and folder redirection options. The GPO is associated with selected Active Directory containers, such as sites, domains, or organizational units (OUs).
How to...
Create the deployment component
1. Download the AEM Agent from a Managed site and rename the installer to CagSetup.exe. Refer to
"Download or Email the AEM Agent" on page 57.
2. Download the component Deploy CAG installation files to server for AD deployment.
3. Click the Components tab.
4. Click Import Component and upload the file into your components library.
5. Scroll down to the Files section and click Add File. Select the CagSetup.exe file.
6. At the top of the page above the General section header, click the star icon so you can use this component in a Quick Job.
7. Click Save. Once that's done, the component will look like this:
The deployment component only needs to be created once. It can be used to target Domain
Controllers in different sites with the same Agent installer as it will dynamically modify its
behavior at run time. The site and site proxy settings of the targeted Domain Controller will
be inherited by any endpoints that receive the deployment GPO.
Run the deployment component on your domain controller
1. Navigate to the Site > Devices page and select the Domain Controller on which you would like to run
the deployment component.
2. Click Run a Quick Job.
3. Select Deploy CAG installation files to server for AD deployment.
4. Leave all the other options at their default settings and click OK to run the job.
5. Confirm that the quick job has completed successfully. You should see that the stdout looks something like this:
Add the startup script to the Group Policy Object (GPO)
To create the required startup script, you must be logged onto the server itself. You can do that either through
an AEM remote session, or directly at the console.
1. Open the GPO you want to add the script to in the Group Policy Management Console (gpmc.msc).
Which GPO you choose will depend on the planned scope of the Agent deployment you
want to carry out. If this Agent will be rolled out across the entire domain, you may want to
use the Default Domain Policy. If you want to target a specific set of devices, you should
use either a policy which only applies to that organizational unit, or which has been filtered
using security filtering to only apply to your subset of devices.
Note that because this is a startup script, it should target machines, not users, and should
be set on a policy which does not have the machine part of policy disabled.
2. In the console tree, click Scripts (Startup/Shutdown).
3. At the details pane, double-click Startup to open the startup script properties. If any startup scripts are
already defined within this policy, they will be shown here.
4. In the Startup Properties dialogue box, click Add.
5. Add the CS_Agent_Deploy.bat file contained in "\\NETLOGON\CentraStage" as your startup script.
The group policy is now set and Agents will be rolled out to the targeted devices at their next startup.
It is advisable to periodically update the component “Deploy CAG installation files to server for AD
deployment" with the latest version of the AEM Agent.
Download or Email the AEM Agent
If you want to deploy an Agent to a device on a network that does not yet have an Agent installed anywhere,
you must download the Agent from the Autotask Endpoint Management (AEM) Web Portal, or email the download link to the user.
This method assumes that you have a login to the Web Portal. This will be the case if you are a staff member
of an MSP company. You will need to install the Agent to be able to use the Agent Browser to support customers remotely.
Customers will not have access to your Web Portal, but you can email them the Agent executable file.
To download or email the Agent:
1. Log into the AEM Web Portal with your username and password.
2. Click the Sites tab and select the site this device will be associated with.
3. In the top left corner, click New Device. A window with links to the Agents for the various supported
platforms will open.
Depending on the type of site you selected and whether you have added the Mobile Device
Management extension to your account, you may see different logos in this window. For further information, refer to "Methods for Deploying Agents" on page 51.
4. Select the operating system for the target device.
The New device window opens.
5. To download the Agent to your own computer, click on the logo in this window.
6. To email the download link to someone else, either enter the email addresses into the box, separated
by a semicolon, or click the send the link from your email client instead link. When you select the
first option, a template email is sent, when you select the second option, you can customize the email
the link is embedded in.
The email field in the AEM Web Portal only accepts the following characters:
a-z, A-Z, 0-9, @, and !#$%&'`*+-|/=?^_{}~.
The user will receive an email with a link that when clicked will download an executable file to their
computer. The name of the executable is AgentSetup_<sitename>.exe.
7. To install the Agent, the user must double-click on the executable file to begin the installation.
When the Agent is installed, it will connect to the platform, and a full hardware and software audit of the
device will be sent back to the Web Portal. You can view this information by clicking on the device. Refer to
"Audits" on page 106.
LAN Deployment Using the Agent Browser (Windows Only)
If one of the devices on the LAN has the Agent installed, the deployment to the remaining devices can be initiated from the Agent Browser and the Web Portal.
For information on deploying from the Web Portal, refer to "LAN Deployment from the Web Portal" on page
62.
Warnings
This method of deployment has prerequisites that weaken the overall security of the environment. It should
only be used if Active Directory deployment is not an option.
In the past, PsExec has been utilized by some viruses to remotely run malicious code. PsExec
itself is not a virus, nor does it run malicious code on its own. Adding a registry key to enable
access to the ADMIN$ share, making exceptions to any A/V product and opening ports is by
definition going to weaken the overall security of the environment. By using LAN Deploy you
acknowledge that you are aware of this.
After you have deployed the Agent, reverse all changes you made to allow LAN deployment.
Prerequisites
Enable remote
access to the
Admin$ share
Starting with Windows Vista, UAC has by default required elevated privileges to
access the administrative shares. Details on this can be found here: Microsoft Support
Article (951016).
You can enable this share either by accessing the Microsoft support article above and
downloading the Fix It to make a Registry entry, or you can copy the following into the
start menu search box:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System/v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
File and printer
sharing
File and printer sharing must be enabled on the devices you wish to deploy to. Ports
445 and 139 Inbound must be open.
Password
You cannot authenticate as a user with a blank password. The user account with the
correct permissions to enable an install must have a password to work using PsExec.
Anti-virus
This process assumes that all anti-virus programs are configured to allow the use of
PsExec, which can stop the use of this program.
How to...
Initiate LAN deploy
1. Connect to a device which is on the local network of the devices you wish to deploy your Agent to.
The Agent Browser window will open.
2. Click on the Agent Deployment icon (the one with the 3 computer screens). The new tab you see will
be split into a top and a bottom pane.
3. Click Device Discovery above the top pane. The scan process will start and list all devices within the
same domain or workgroup.
4. Check all the devices you wish to deploy to.
5. Click Deploy.
If you haven't already done so via the Settings button, you will be prompted to enter the credentials for
the deployment.
All devices on the local LAN must have the same username and password, and the user
account must have appropriate permissions to install the Agent.
6. Enter the domain\user and the password and click OK.
This will initiate the deployment to the devices.
Each device the Agent has been deployed to will be listed in the bottom pane. The deployment status
will be updated every 2 seconds.
The results of each device's deployment will be recorded in the Installed, Date and Output columns.
Extended deployment information will appear when you mouse over the Output column.
There is also an option to add device names manually in the lower window. Once the hostname(s) are
entered, click OK and the Agent installation will begin.
LAN Deployment from the Web Portal
If one of the devices on the LAN has the Agent installed, the deployment to the remaining devices can be initiated from the Agent Browser and the Web Portal.
For information on deploying from the Agent Browser, refer to "LAN Deployment Using the Agent Browser
(Windows Only)" on page 59.
The LAN deployment from the Web Portal works for both Windows and OS X. Deployment of a Windows
Agent must be initiated from a device with an existing Windows Agent, and deployment of an OS X Agent
must be initiated from an OS X device with an existing OS X Agent installed.
The device you want to use for deployment must meet the following criteria:
l
l
It must be online, and selected as a network node with network scanning. Refer to "Discover Devices
on the Network" on page 183.
It must have completed a full audit in order to populate the discovered devices list. Refer to "Audits"
on page 106.
To deploy an Agent across a LAN, you need to have a username and password for the device or
devices you're going to deploy to. We recommend that you cache these credentials in the Web
Portal so that you do not have to enter them each time for each device. Refer to "Cache logon
credentials" on page 62.
How to...
Cache logon credentials
You can cache logon credentials (agent deployment credentials) at account or site level. When deploying
from a site, any details entered at site level will be used in addition to those specified at account level, unless
you turn this option off. For further information on how to cache logon credentials, refer to the Agent Deployment Credentials section in Account Settings and "Site Settings" on page 20.
Deploy an Agent to devices
A Windows Agent can only be deployed from a Windows device with a Windows Agent, and the
OS X Agent can only be deployed from an existing OS X device with an OS X Agent installed.
1. Log into the Web Portal.
2. Navigate to the site of the Windows or OS X device you wish to deploy from, and click the Devices
tab.
3. Select the device that has the Windows or OS X Agent already installed.
4. Click the Add/Remove as Network Node icon
Network scanning).
in the action bar and select Network Node (with
5. In the dialog box, click OK.
The page will refresh, and the icon if front of the hostname column will show a green symbol indicating
that the device has been nominated as a network node.
6. Select your device again and click Request device audit(s) to force an immediate scan of the network the device is a part of, and confirm the action in the dialog box.
Allow 10-15 minutes for the audit results to come through.
7. Click the Manage tab and make sure the Network Management radio button is selected.
8. Expand the Discovered Devices section and click the Windows radio button to filter devices with a
Windows operating system. If you are deploying OS X Agents, click All to make sure OS X devices
are displayed.
9. Select all devices you want to install the Agent on. You can click the check box in the header row to
select all devices on this page.
10. Click the Manage Device icon in the Action bar.
A modal window will open.
11. Click the Windows or OS X symbol. Another window will open.
12. If you selected more than one device to be managed, and the devices got discovered by different network node devices, you will be able to select which network node device the Agent should be
deployed from. Choose the correct network node device from the drop-down list on the top of this window.
13. Next, you must enter credentials for the target devices. You have two options.
The first is Admin Logon Credentials. When you select this option, you must enter the relevant
Username and Password for the devices you wish to deploy to.
The second is to Use Account/Site Agent Deployment Credentials. These can be cached, so you
don’t have to enter them manually every time. Refer to "Cache logon credentials" on page 62.
14. Click Deploy.
The deployment request will be submitted.
15. To view the progress of the deployment, click on the hostname hyperlink. This will open the Activity
Log for the device.
16. To view the details of the deployment, click the icon in the Results column.
Install and Uninstall Agents
With most deployment methods, the Agent is installed automatically on the targeted devices. Manual installation is only necessary if the automated installation fails, or the Agent was emailed to a device. In that case,
the installer must be launched manually.
Uninstalling and reinstalling the Agent can become necessary as part of troubleshooting a device. The process is different depending on the operating system of the endpoint. Refer to:
l
"Install or Uninstall the Agent on Windows" on page 67
l
"Install or Uninstall the OS X Agent" on page 70
l
"Install or Uninstall the AEM Agent on Linux" on page 72
l
"Manage Mobile Devices (MDM)" on page 78
l
"Install or Uninstall an Android Agent" on page 80
l
"Install or Uninstall an iOS Agent" on page 82
If you intend to permanently remove a device from a site and your account, uninstalling the Agent
from the devices is not enough. You must first delete the device from the site, and then from the
Deleted Devices site. Refer to "Delete Devices" on page 127.
Install or Uninstall the Agent on Windows
Administrator
How to...
Install the Agent on Windows
1. Go to the Sites tab and click on the name of the site you want to add your device to.
2. Click on the New Device button in the top left corner of the page. A window with links to the Agents
for the various supported platforms will open.
3. Click on the Windows logo. Another popup will appear.
4. Click the Windows logo to download the agent onto your computer, or enter an email address to email
the agent to another device.
5. Open the downloaded or emailed file and install the Agent. The installer is silent so you will not see
any progress bar or indicator.
Once the agent has been installed, the AEM icon will be displayed in the system tray of your computer.
Uninstall the Agent on Windows
Occasionally, the fastest way to resolve certain problems with the agent is to fully remove the agent from a
device and then reinstall it.
1. On your computer, navigate to Start > Control Panel > Programs and Features.
2. Select the CentraStage application and click Uninstall.
The Agent will disappear from the list of programs.
3. Delete the following directories on the Windows device:
l
C:\Program Files (x86)\CentraStage
l
C:\Programdata\centrastage
l
C:\Users\[USERNAME]\Appdata\Local\Centrastage
l
C:\Windows\System32\config\systemprofile\AppData\Local\CentraStage
The Agent has now been fully removed from the Windows device.
Microsoft .NET Framework Repair Tool
The AEM Agent runs on top of Microsoft .NET Framework, so any issues with this will affect the smooth running of the Agent. For more information, refer to Detailed Windows requirements.
If the .NET Framework is not installed or is malfunctioning on your device, you are likely to get a JIT (just-intime) error message, even after a complete uninstall and reinstall of the Agent:
Microsoft has released the .NET Framework Repair Tool that in most cases fixes the issue described above.
For further information, refer to Microsoft .NET Framework Repair Tool.
Once you have run the repair tool, it is advisable that you uninstall and reinstall your Agent.
Install or Uninstall the OS X Agent
Administrator permissions on the device
How to...
Install the Agent on a Mac
1. Go to the Sites tab and click on the name of the site you want to add your device to. The site must be
a Managed site.
2. Click on the New Device button in the top left corner of the page. A window with links to the Agents
for the various supported platforms will open.
3. Click on the OS X icon. Another pop-up will appear.
4. Click on the OS X icon to download the Agent onto your computer, or enter an email address to email
the Agent to another device.
5. Open the downloaded or emailed file and unpack the .zip file.
6. Open the AgentSetup folder and double click the file called CAG.pkg.
7. Complete the wizard to install the Agent.
Once the Agent has been installed, the AEM icon will be displayed in the menu bar of your computer.
Uninstall the Agent from a Mac
1. Open Terminal.
2. Run the following command:
sudo bash /Applications/AEM\ Agent.app/Contents/Resources/uninstall.sh
3. The Agent will now be uninstalled from the device.
Completely remove the Agent from the device
If you have problems reinstalling the Agent on a Mac, it may be necessary to completely remove the Agent
from the device. After uninstalling the Agent using a local script, use one of the following methods:
Terminal
1. Open Terminal.
2. Enter the following commands, entering your password where prompted:
sudo rm -rf /usr/local/share/Centrastage
and
sudo rm -fr /var/root/mono/registry/CurrentUser/software/centrastage
Finder
1. If your preference is to use Finder, ensure you have enabled root. You can do so by following the
instructions in this article.
Using the instructions for Lion will also work for later versions.
2. Once the root user is enabled, type the following into Terminal to show all files in Finder:
defaults write com.apple.finder AppleShowAllFiles
and then
killall Finder
3. If you are using Mavericks 10.9 or later, add -boolean true to the end of the first command so it looks
like this:
defaults write com.apple.finder AppleShowAllFiles -boolean true
4. Delete the following directory:
l
/usr/local/share/Centrastage
l
/var/root/mono/registry/CurrentUser/software/centrastage
Install or Uninstall the AEM Agent on Linux
Linux Agents run on the MONO framework, the open source version of .NET for UNIX O/S. When you install
the Agent, a full version of MONO will be installed.
If a previous version of MONO is already installed on the device, it may have to be removed
prior to re-installation by the Agent. Refer to I have troubleshooting issues with Mono in Linux.
How to...
Install the Agent on Linux
For information about supported Linux versions, refer to Supported Operating Systems and Requirements for
the Agent.
To install the Linux Agent:
1. Download the Linux Agent from the Web Portal. Refer to "Download or Email the AEM Agent" on page
57.
The Linux Agent setup file will have a .sh extension (AgentSetup_Managed.sh).
2. Open your Terminal app.
3. Change the directory to the folder that contains the .sh file: cd[folder containing the AEM .sh file]
4. Type sudo sh AgentSetup_[filename].sh and enter your password when prompted.
The Agent will be installed.
5. Close the terminal window when you are able to type text into the window again.
Your device should now appear in the AEM Web Portal.
Uninstall the Agent on Linux
If you are uninstalling the Linux agent from Redhat, make sure your username is included on
the sudoers list. If it is not, please see this guide which will explain how to do so.
1. Open a Terminal session.
2. Type:
sudo /opt/CentraStage/uninstall.sh
3. A script will run that will uninstall the Agent.
Cloning or Ghosting Devices that Have AEM Installed
Each endpoint in AEM uses a unique device ID to identify itself correctly to the AEM Web Portal. This ID is
stored locally in the registry on each device.
If you need to clone or ghost a device with an AEM Agent installed, you must remove the ID before you clone
or ghost to avoid duplicate devices (multiple devices with the same ID) appearing in your AEM Web Portal.
Incorrectly editing the registry can cause issues on your devices. We recommend that you back up
the registry before editing.
1. Disconnect the device from the Internet.
2. Open the Registry Editor (regedit.exe) from the Start menu search.
3. Navigate to HKEY_LOCAL_MACHINE/Software/CentraStage.
4. Delete the DeviceID and everything else in the CentraStage folder.
5. Clone your device.
Create an Agent Policy
Permission to manage Policies at Account and/or Site level
Account > Policies
Sites > select a site > Policies
What is an Agent policy?
Agent policies deploy settings to affect the operation and configuration of the Autotask Endpoint Management (AEM) Agent. They may affect Privacy Mode, the Agent installation and service, security, or the
Agent Browser mode. For information about the Agent, refer to AEM Agent.
How to...
Specify the Policy Details for an Agent policy
1. Agent policies can be set up in the Web Portal at both account and site level. Refer to "Add a policy"
on page 251.
2. On the Policy page, click New account policy... or New site policy....
3. Give the policy a Name.
4. Select the type Agent.
5. To copy an already existing policy to use it as a template, choose it from the Based on drop-down list.
To create a new policy, select New Policy.
6. Click Next.
7. Click on Add a target... to target your devices through a specific filter or group. If you want to target
more than one filter or group, add another target to the policy. For more information, refer to "Filters" on
page 130 and "Groups" on page 142.
Devices of "unknown" device type will not be targeted by the policy.
8. Click Add.
9. Choose one or more of the following options:
Field
Description
Privacy Mode Options
Activate Privacy Mode
Automatically turns on Privacy Mode for all devices targeted by the policy and will require end user permission
when connecting to a targeted device. Once Privacy
Mode is enabled on a device, the AEM Administrator
cannot disable this setting. Privacy Mode can only be disabled by the end user on the device itself. For further
information, refer to Privacy Mode.
Allow connections when no user is logged in
Allows you to connect to a device when no user is
logged in but Privacy Mode is active on the device.
Only require endpoint permission for restricted tools
Allows you to configure Privacy Mode in a way that end
user permission is only required when the following
tools are used: VNC, RDP, Splashtop, Screenshot.
Service Options
Install Service only
No system tray icon or Start menu shortcuts will be
installed. It is only available for Windows devices. Refer
to "Hide the AEM Agent Icon" on page 76.
Field
Description
Disable incoming jobs
Prevents the Agent from running jobs. For information on
what kind of components can be installed if this feature
is enabled, refer to How to run a user task from the
Agent.
Disable incoming support
Prevents remote access to a device from another device.
Disable audits
Prevents the Agent from submitting audits to the platform.
Agent Policy Options
Disable Privacy options
Removes access to the Privacy Mode Options in the
Agent.
You cannot disable Privacy Mode in the
Agent using this setting if Privacy Mode had
already been activated. Once Privacy Mode
is enabled on a device, it can only be disabled by the end user.
Disable Settings menu
Removes access to the Settings menu in the Agent.
Disable Quit options
Removes the option for the user to exit the Agent.
Disable Tickets tab
Removes the option for the user to log a ticket through
the Agent.
Agent Browser Mode
Disabled
Prevents any access to the Agent Browser window.
User - No access to Support tab
Allows the user to open the Agent Browser window but
prevents them from logging in. For more information,
refer to Log into the Agent Browser.
Admin - can log into Support tab
Allows full access to the Agent Browser window. Refer to
Agent Browser.
This is the default option.
10. Click Save. The window will close, and you will be returned to the policy list page.
11. Click Push changes to activate the policy.
Hide the AEM Agent Icon
This functionality is only available for Windows devices.
Sometimes you may want to hide the Autotask Endpoint Management (AEM) icon in the system tray or menu
bar because you do not want your end users to access all the options it offers (for example, the option to create a ticket), or because you want to prevent the users from stopping the Agent or turning on Privacy Mode.
To hide the Agent icon from the end user, check Install Service Only.
The changes will be pushed instantly if the Agent is online or as soon as it checks in to the platform. Once the
change has been applied on the Agent, the AEM Agent icon will be hidden on the local device.
Manage Mobile Devices (MDM)
The Mobile Device Management component must be downloaded from the ComStore so that you
can manage mobile devices in the Web Portal.
The Autotask Endpoint Management (AEM) Mobile Device Management (MDM) service gives AEM administrators the ability to enroll and manage mobile devices from within the AEM Web Portal.
For supported Android and iOS versions, refer to Supported Operating Systems and Requirements for the
Agent.
For a feature comparison of iOS and Android Agents, refer to "Mobile Devices" on page 45.
MDM features in the Web Portal
Once the MDM Agent has been installed on the device, it will appear in the Web Portal under the associated
site and display audit information including:
l
Hardware - Manufacture, Model, IMEI, Serial number
l
Software - OS and version plus installed apps with version
l
Performance - Storage
l
Usage - User, Operator, Number, Location
Mobile devices will automatically update their audit information once every 24 hours or on demand.
Mobile devices have a number of extra buttons available in the standard Action bar:
Icon
Name
Description
Remote
Wipe
Perform a remote factory reset of the device. Warning: this will remove all user data.
Remote
Lock
Lock a device.
Remote
Unlock
Unlock a locked device and strip the passcode. This will force the user to add a new
passcode within 60 minutes.
Passcode
Policy
Will force the user to create a simple 4 digit passcode.
How to...
Enable the Mobile Device Management extension
1. In the Web Portal, click the ComStore tab and select Extensions.
2. Click on Mobile Device Management.
3. On the window that opens, click Add to my Component Library.
Once downloaded, the extension will add the Apple Push Certificate section to Setup > Account
Settings. For further information, refer to Account Settings.
Install the MDM Agent on a mobile device
To install an MDM profile on a mobile device use the following guides:
"Install or Uninstall an iOS Agent" on page 82
"Install or Uninstall an Android Agent" on page 80
Manage Passcode rules, VPN setup, WiFi credentials and restrictions on iOS devices
Refer to "Create an iOS Mobile Device Management Policy" on page 86.
Control the applications that can be downloaded to an iOS device
Refer to "iOS Software Management" on page 189.
Install or Uninstall an Android Agent
Before you can roll out Agents to mobile devices, you must go to the ComStore and download the
Mobile Device Management Extension. Refer to "Manage Mobile Devices (MDM)" on page 78.
Administrator
ComStore > Mobile Device Management Extension
The Autotask Endpoint Management (AEM) Mobile Device Management (MDM) service gives AEM administrators the ability to roll out (enroll) and manage mobile devices from within the AEM Web Portal.
Enrolling an Android device requires either the execution of the device enrollment file (enclosed with the enrollment email), or scanning of the necessary site’s QR code.
Before starting, make sure to download the Mobile Device Management component from the ComStore.
Refer to "Manage Mobile Devices (MDM)" on page 78.
In case you choose to enroll your Android device through the enrollment email, ensure that you
have a native Android mail client installed on the device.
Supported versions
For information on supported Android versions, refer to Supported Operating Systems and Requirements for
the Agent.
How to...
Install the Agent using the QR code (preferred method)
1. Download and install the CentraStage app from Google Play.
2. Launch the AEM Web Portal.
3. Open the site the device will be associated with.
4. Click on the site QR Code icon
will display.
found to the right of the site name (top right corner). The QR code
5. Open the CentraStage app on the mobile device.
6. Select Activate.
7. Click the cog icon.
8. Click Open Scanner.
9. Hover the camera over the QR code until the code is read successfully.
The device will be added to the site and audited automatically.
Install the Agent using the enrollment file
1. In the Web Portal, navigate to the Sites tab and click on a site.
2. Click New Device and choose the Android icon.
The Android icon is only visible if you have downloaded the Mobile Device Management
Extension. Refer to "Manage Mobile Devices (MDM)" on page 78.
1. Add an email address to send the site's Agent to. For multiple addresses, separate the addresses with
a semicolon.
2. On the Android device, using the Android mail client, open the Centrastage Agent Download
Instructions email.
3. Click the Google Play link in the email.
4. Click Install.
5. On the app permissions page, click Accept. Wait for the install to complete. Don't open the app
from Google Play.
6. Go back to the e-mail and tap on the cs-config.mdm attachment (this may appear at the top or bottom
of the email depending on your mail client).
7. Complete the action using Device Enrollment.
8. Confirm that you want to activate the Device Administrator, which will allow remote management of
your device, up to and including erasing all data.
9. Click Activate to launch the CentraStage MDM app.
An automatic audit will start and the device will appear in the Devices tab in the site.
Uninstall the Android Agent
1. Remove the device from the site in the Web Portal. It will be placed into the Deleted Devices site until
the remote Agent disconnects and uninstalls. To force immediate deletion, click Manage Deletions,
select the device and click Delete device(s).
2. On the device, tap Menu/All Apps > Settings and scroll down to Security.
3. Tap Device administrators and uncheck CentraStage MDM.
4. Tap Deactivate and then back to Menu/All Apps to locate the app.
5. Tap Remove App/Uninstall and then tap OK to confirm that you want to uninstall the app.
Install or Uninstall an iOS Agent
Before you can roll out Agents to mobile devices, you must go to the ComStore and download the
Mobile Device Management component. Refer to "Manage Mobile Devices (MDM)" on page 78.
Administrator
ComStore > Mobile Device Management Extension
Setup > Account Settings > Apple Push Certificate
The Autotask Endpoint Management (AEM) Mobile Device Management (MDM) service gives AEM administrators the ability to roll out (enroll) and manage mobile devices from within the AEM Web Portal.
Enrolling an iOS device requires either the execution of the device enrollment file (enclosed with the enrollment email), or scanning of the necessary profile’s QR code.
Before starting, make sure to download the Mobile Device Management component from the ComStore.
In case you choose to enroll your iOS device through the enrollment email, ensure that you have a
native iOS mail client installed on the device.
Enrolling an iOS device is a two-stage-process:
1. In the first stage, you need to enable the Apple Push Certificate in your account. Refer to "Set up the
Apple Push Certificate" on page 82.
2. In the second stage, you need to install the enrollment profile on your device. Refer to "Install the
Agent using the QR code (preferred method)" on page 84 and "Install the iOS Agent via email" on page
84.
Supported versions
For information on supported iOS versions, refer to Supported Operating Systems and Requirements for the
Agent.
How to...
Set up the Apple Push Certificate
1. Once the MDM extension has been downloaded, navigate to Setup > Account Settings in the AEM
Web Portal.
2. Scroll down to the Apple Push Certificate section and download your Certificate Signing Request
by clicking on *_Apple_CSR.csr.
3. Click on the Apple Push Certificate Portal link.
4. Sign in with an Apple ID.
Remember to make a note of the Apple ID used in the Apple Push Certificates Portal as you
will need this ID when renewing your certificate.
5. Click on the Create a Certificate button.
6. If you have read and agreed to the terms and conditions, select the check box and click Accept.
7. Click on Choose file to browse the Certificate Signing Request that you downloaded in step 2.
8. Click Upload to create your new Apple Push Certificate.
9. You will now see a confirmation message. Click on the blue Download button to save the Apple Push
Certificate to your computer.
10. Go back to the AEM Web Portal and in the Apple Push Certificate area, click on Choose file and
browse to the Apple Push Certificate (.pem file) that you downloaded in step 9.
11. Click Upload.
12. Once you have successfully uploaded the Apple Push Certificate, a confirmation message will be displayed on the top of the page in the Web Portal confirming that you can now start enrolling your device.
Renew an expired Apple Push Certificate
Always renew your Apple Push Certificate in the Apple Push Certificates Portal. Do not replace
it in the AEM Web Portal as it will cause device re-enrollment.
1. In the AEM Web Portal, navigate to Setup > Account Settings.
2. Scroll down to the Apple Push Certificate section.
3. Select the check box to renew your certificate and download your Certificate Signing Request by
clicking on *_Apple_CSR.csr.
4. Click on the Apple Push Certificate Portal link.
5. Sign in with the Apple ID used at the time of creating your original Apple Push certificate.
6. Click on the blue Renew button.
7. Click on Choose file to browse the Certificate Signing Request that you downloaded in step 3.
8. Click Upload to renew your Apple Push Certificate.
9. You will now see a confirmation message. Click on the blue Download button to save the Apple Push
Certificate to your computer.
10. Go back to the AEM Web Portal and in the Apple Push Certificate area, click on Choose file and
browse the Apple Push Certificate (.pem file) that you downloaded in step 9.
11. Click Upload.
12. Once you have successfully uploaded the Apple Push Certificate, its expiration date will be updated in
the Apple Push Certificate section.
13. A confirmation message will be displayed on the top of the page confirming that you can now start
enrolling your device.
Install the Agent using the QR code (preferred method)
1. Download and install the CentraStage MDM app from the App Store.
2. Launch the AEM Web Portal.
3. Open the site the device will be associated with.
4. Click on the site QR Code icon
will display.
found to the right of the site name (top right corner). The QR code
5. Open the CentraStage app on the mobile device.
6. Click the cog icon.
7. Click Open Scanner.
8. Hover the camera over the QR code until the code is read successfully.
The device will be added to the site and audited automatically.
Install the iOS Agent via email
1. In the AEM Web Portal, go to Sites and select one of your sites.
2. Click New Device in the top left and choose the iOS icon.
The iOS icon is only visible if you have downloaded the Mobile Device Management Extension. Refer to "Manage Mobile Devices (MDM)" on page 78.
3. In the next window, you can send out an enrollment email. If you would like to send the email to more
than one person, separate the email addresses by a semicolon. Alternatively, you can download the
mdm.mobileconfig file for use when mass-enrolling iOS devices with Apple Configurator.
4. Once you have received the email on the iOS device, click the App Store link to install the CentraStage MDM app.
5. Once it has been installed, go back to the email, tap and hold the cs-config.mdm attachment from the
email, tap Open in CentraStage and install the profile.
6. To confirm the profile installation, tap the CentraStage MDM app (not the CentraStage app!) icon from
the home screen and tap the cog to show the account and profile information.
7. The iOS device will now appear in the AEM Web Portal under the respective site.
Uninstall the iOS Agent
1. Go to the home screen of your iOS device.
2. Tap Settings > General > Device Management.
3. Locate the AEM site and tap Remove.
Apple give any user the ability to remove MDM profiles from any iOS device.
1. Log into the AEM Web Portal.
2. Go to Sites and select the site in question.
3. Go to the Devices tab and locate the iOS device.
4. Select the device and click the Delete device(s) icon from the Action bar.
5. Go to Sites and click Manage Deletions.
6. Select the iOS device and click the Delete device(s) icon from the Action bar to completely remove it
from your account.
Create an iOS Mobile Device Management Policy
Before you can configure iOS devices to use a policy, you must download the Mobile Device Management Extension from the ComStore, and deploy agents to your mobile devices. Refer to "Manage Mobile Devices (MDM)" on page 78.
Permission to manage Policies at account and/or site level
Account > Policies
What is an iOS Mobile Device Management Policy?
iOS Mobile Device Management policies allow you to configure a number of iOS device settings and push
them over the air to the targeted devices.
Only one MDM policy can be active at any one time.
The following settings can be configured:
l
Passcode rules
l
Restrictions
l
VPN setup
l
WiFi credentials
This feature is currently not available for Android devices.
Mobile device management policies can be created at account or site level. However, since VPN
and WiFi credentials are customer-specific, you would typically set up an MDM policy at site level.
Refer to "Add a policy" on page 251.
How to...
Specify the Policy Details for an iOS MDM policy
1. On the Site > Policies page, click New site policy...
3. Select the type Mobile Device Management.
5. Click Next.
6. Complete the following fields:
Field
Description
Removal
policy
By default, Allow users to remove this policy is selected. Click the drop-down and
select Require password to remove this policy if you want to make sure that the settings are applied to all targeted devices.
Password
Only displayed if Require password to remove this policy is enabled. Enter the password.
Targets
For MDM policies, you cannot enter multiple targets or use groups and filters, because there
can only be one iOS policy per device. If there are multiple policies (for example, at account
and site level), only one of them can be switched on at any one time.
7. Click Add a setting...
The Add a Mobile Setting window will open.
8. Select a mobile setting type.
9. Click Next.
10. Depending on the setting type, complete the following fields:
Field
Description
Passcode
Passcode strength
If Allow Simple Value is checked, the use of repeating,
ascending, and descending character sequences is permitted.
If Require Alphanumeric Value is check, passcodes
must contain at least one letter.
Minimum Passcode Length
Smallest number of passcode characters allowed.
Minimum Number Of Complex Character
Smallest number of non-alphanumeric characters
allowed.
Maximum Passcode Age
Days after which passcode must be changed (1-730
days, or none).
Auto Lock
Maximum allowed auto-lock value. Supported values:
2/5/10/15 minutes or never for iPads, 1-5 minutes or
never for iPhones. If you seek to target both iPhones and
iPads, select a value of 2 or 5 minutes.
Passcode History
Number of unique passcodes before they can be reused
(1-50, or none).
Maximum Number Of Failed Attempts
Number of passcode entry attempts allowed before all
data on device will be erased.
Restrictions
iOS restrictions, Application access, iCloud
Services, Security and Privacy, Content ratings, iOS supervised restrictions
To remove a restriction, uncheck the box.
Field
Description
VPN
Connection Name
Display name of the connection (displayed on the
device).
Connection Type
Click the drop-down and select L2TP (Layer 2 Tunneling
Protocol), PPTP (Point-to-Point Tunneling Protocol) or
IPSec (Internet Protocol Security).
Server
Hostname or IP address for server.
Shared Secret
Some companies require the use of an additional security field. Enter the Shared Secret for the connection.
User Authentication
Select whether the user can authenticate using a password or must use RSA Two-factor Authentication.
Account
Enter the username required to authenticate to the VPN.
Send all traffic
When this check box is selected, all network traffic is
routed through the VPN connection.
Proxy Type
If your organization uses a proxy server, select the appropriate type.
Field
Description
Wifi
SSID
Enter the name of the wireless network you want to join.
Auto join
Check to have the device automatically join the target network.
Hidden network
Enable if the target network is not open or broadcasting.
The network will then be listed under Hidden Networks.
Security
Select the type of encryption that is being used on the network: Any (Personal), WEP (Personal), WPA/WPA2 (Personal) or None.
Password
Select None, Manual or Auto.
Proxy Type
If your organization uses a proxy server, select the appropriate type.
Proxy URL (Auto)
If you select Auto, the proxy settings will be stored in a
Proxy URL. Just enter the URL.
Server and Port (Manual)
If the Proxy Type is manual, enter the hostname or IP
address and the Port number.
Authentication (Manual)
Enter the username required to authenticate against the
proxy server
Password (Manual)
Enter the password.
11. Click Submit. The setting type is added to the list of mobile settings. To add another setting, repeat
the process.
12. After all required settings have been added, click Save. The window will close, and you will be
returned to the policy list page.
The MDM policy will initially be disabled. Turning on an MDM policy automatically turns off
any others that are enabled, to make sure that only ever happens as part of a conscious
decision on your part, rather than (for example) creating a new policy just to view some of
the settings. To avoid confusion over which policy takes precedence for a site, MDM
policies must be explicitly turned on once created.
Disable a MDM policy
1. Navigate to the Policies tab.
2. Toggle the Enabled for this site setting to OFF.
Manage and Monitor SNMP-Enabled Network Devices and
Printers
Permission to manage Sites and manage Devices
Sites > open a site > New Device
Sites > open a site > Manage > Network Management > Discovered Devices
There are times when you would like to manage and monitor certain devices or services but you cannot install
an Agent on them to make them a fully Managed device. For example, you may want to know when the
memory usage of a switch port goes over a certain threshold or if the battery in your UPS starts discharging
or whether you need to change your printer's toner but you cannot install an Agent on either your switch or
UPS or printer.
In these instances, a fully Managed network node device can connect to and manage your network active
devices like switches, routers, UPSs, printers, etc., using Simple Network Management Protocol (SNMP).
This document will walk you through the process of adding an SNMP-enabled network device as a Managed
network device to your account either manually or with the help of a network node device. We will also discuss how to monitor your SNMP devices.
Requirements
If you are not familiar and comfortable with the concepts, terminology and technology around SNMP, we
strongly recommend some background reading before you start with SNMP monitoring. There are a number
of useful guides on the subject but here are a few examples that we've looked at and liked:
l
Introduction to SNMP
l
SNMP Tutorial
l
Wikipedia Page for SNMP
How to...
Add a network device as a Managed network device
To be able to monitor your SNMP-enabled network devices, you need to add them as Managed network
devices to one of your Managed sites. If the network scanning of SNMP devices is disabled for your account
or if you find it easier and quicker to add a device manually, follow these steps:
1. Click the Sites tab and open one of your Managed sites that you want to add the device to.
2. Click New Device.
3. In the next window, you are asked what sort of device you are trying to add. Click the Network or the
Printer icon as required.
4. You will now be prompted with the Add a Network Device or Add a Network Printer window as per
your selection in step 3.
5. Fill in the following details:
Field
What to Enter
IP Address
Enter the IP address of your device.
Name
Give your device a meaningful name.
Description
Manufacturer
Enter the name of the manufacturer of your device.
Model
Enter the model of your device.
New SNMP Credentials
Enter the SNMP credentials of your device. For information on what to
enter, refer to the SNMP Credentials section in Account Settings and "Site
Settings" on page 20.
Use Account/Site SNMP
Credentials
Choose this option if you have SNMP credentials stored at account or site
level. The site SNMP credentials will be used in addition to the SNMP credentials specified in Account Settings unless this option is disabled in Site
Settings. For information on how to store the SNMP credentials for the
entire account or at site level, refer to the SNMP Credentials section in
Account Settings and "Site Settings" on page 20.
6. Click Save. Your network device is now added as a Managed network device.
To save time and make things easier, you can also have a fully Managed network node device discover other
devices on the local subnet for you. For further information, refer to "Discover Devices on the Network" on
page 183.
Monitor a Managed network device
Once a device becomes a Managed network device, you can apply monitoring to it.
SNMP monitoring (that is, the monitoring available for Managed network devices) falls into 2 categories:
l
l
Offline monitoring - Sends an alert if the network device goes offline.
Network monitoring - Sends an alert if specific threshold values are breached. The threshold is set
up in a network monitor component, therefore, you need to download or create your network monitor
component first in order to be able to set up a network monitor. For details on configuring a network
monitor component, refer to "Download or Create Network Monitor Components" on page 96.
Both of these monitor types can be added to a single device only. They cannot be applied in a
Monitoring Policy at either site or account level.
For information on how to configure an SNMP monitor, refer to "Manage Monitors" on page 239.
Before applying an SNMP monitor to your Managed network devices, you may want to test the
functionality using the Agent Browser. For more information, refer to Test SNMP Monitoring in
the Agent Browser.
Download or Create Network Monitor Components
Permission to manage Components
Components > New Component
About Network Monitors
Autotask Endpoint Management (AEM) allows you to add devices to your account that a network node
device discovers using Simple Network Management Protocol (SNMP). Once they become Managed network devices, you can start monitoring them. Monitoring could mean being alerted when the memory usage
of a switch port goes over a certain threshold or if the battery in your UPS starts discharging or if you need to
change your printer's toner.
In order to apply consistent monitoring across all of your Managed network devices, you can create a network
monitor component or download one from the ComStore and you can then apply it to as many devices as you
want. Your network monitor component will have a certain threshold and if a device breaches it, the monitor
will alert you.
Requirements
You should be familiar with the process of how to nominate a device as a network node device and how your
network devices can be discovered and managed by a network node. For further information on this, refer to
"Discover Devices on the Network" on page 183.
If you are not familiar and comfortable with the concepts, terminology and technology around SNMP, please
refer to the guides we collected in the topic referenced above. This document assumes that you know the
SNMP OIDs (Object Identifiers) that you want to monitor, and the thresholds / values that you want to monitor for. You may find out more about the SNMP OIDs from the device vendor or from the device documentation.
How to...
Use network monitor components from the ComStore
There are a number of network monitor components in the ComStore that you can download and apply in your
network monitors. In order to download them:
1. Click the ComStore tab and select Network Monitors.
2. Click any of the network monitor components and click Add to my Component Library to download
it.
3. To locate the downloaded component, navigate to your Component Library by clicking on Components > Network Monitors.
4. Hover over the component entry and click on the Copy icon
on the right of your browser window.
5. Click OK in the pop-up window to be able to edit and/or save the copy of your component.
6. You will now see a component edit dialogue with the contents of the component you chose to copy,
allowing you to make any necessary modifications or changes.
7. Once you have finished editing the component, click Save.
Note that the OIDs used on specific devices may vary across hardware builds or firmware
versions, and as a result, we cannot guarantee that the values we have populated in the component will match exactly what is expected by your network devices. Therefore, we would
always recommend testing these components on a selection of devices and confirming the
results look as you expect before pushing them out across your entire estate.
8. Once you have your component downloaded and the changes applied, you can apply the component
through a network monitor. For further information, refer to "Apply the network monitor component" on
page 99.
Create a network monitor component
In order to create your own network monitor component:
1. Click the Components tab and click New Component in the top left.
2. From the Category drop-down, select Network Monitors.
3. Give it a Name and Description.
4. Click Save.
5. You will now see the component details.
Field
Description
General
• Category: defaults to Network Monitors and cannot be edited.
• Type: defaults to SNMP and cannot be edited.
• Name: the name of your network monitor.
• Description: the description of your network monitor.
• ID: unique identifier of your network monitor. It cannot be edited.
• Component Level: determines which users can access this component. Refer to
Users.
• Created: the date and time of the creation of your component. It also shows the name
of the user who created it in brackets.
• Modified: the date and time the component was last modified. It also shows the name
of the user who last modified it in brackets.
• Change image: click on the hyperlink to change the image of your component. You
can select an image from your image library or from your device. The image must be a
48x48 PNG, JPG or GIF file.
Sites
Select:
• All sites - This will make the component available in all of the sites.
• Selected sites - Once you have selected this option, you will be able to include or
exclude sites to access this component.
Field
Description
SNMP Settings
Click the green plus icon
to add a new SNMP monitoring entry. In the Add
SNMP Settings window, fill in the following details:
• Name: give a name to your SNMP monitoring entry (e.g. FE0/0 port utilisation on
Cisco 2950).
• OID: enter the OID for the setting or value that you want to monitor (e.g.
1.3.6.1.2.1.2.2.1.10).
• Operator: select one of the operators from the drop-down list (Equal, Not Equal, Less,
Less or Equal, Greater than, Greater or Equal, Contains, Starts with, Ends with). This
will be used together with Default value.
• Default value: specify the threshold for raising an alert. This will be used together with
the Operator selected. (E.g. Greater Than – 94371840 or Less than – 95)
• Description: give a meaningful description to your SNMP monitoring entry.
6. Click Add to add this SNMP setting to your network monitor.
Add a new SNMP monitoring entry for each OID that you want to monitor on your devices.
This allows you to build a single monitor per device type that is querying multiple SNMP values. For example:
• A switch monitor that checks bandwidth usage, ports that are unexpectedly “down”, CPU
temperature, and changes to the firmware version.
• A virtualization host monitor that checks for CPU and memory usage.
• A network attached storage monitor, checking the disk space, temperature and uptime.
7. Finally, click Save. This will add this network monitor component to your component list.
Apply the network monitor component
For details on how to apply your network monitor components, refer to "Monitor a Managed network device"
on page 95.
Manage and Monitor ESXi Devices
Sites > open a site > New Device
About VMware ESXi
VMware ESXi (also known as VMware vSphere Hypervisor) is a purpose-built hypervisor operating system
that runs on bare metal and incorporates VMware’s virtualization technologies. ESXi can be configured to
manage virtual machines that run within the ESXi core and that are monitored by it. Virtual machines running
on an ESXi server will be allocated a share of the resources of the host system.
The ESXi hypervisor operating system does not permit application installation per se, making installation of
the Autotask Endpoint Management (AEM) Agent impossible. Servers running ESXi must therefore be managed as network devices, facilitating the use of network nodes for device discovery, monitoring and management.
Supported versions
The following ESXi builds are supported: 4.1, 5.0, 5.5 and 6.0.
Requirements
We highly recommend some background reading on VMware vSphere Hypervisor if you are not familiar with
the concepts, terminology and technology around ESXi and virtualization. For information, refer to
https://www.vmware.com/uk/products/vsphere-hypervisor.
For a robust network, we recommend the use of at least two network nodes in any site monitoring ESXi servers.
To learn about Agent requirements for ESXi monitoring, refer to Network node requirements for
ESXi monitoring.
How to...
Add an ESXi device as a Managed device
To be able to monitor your ESXi devices, you need to add your ESXi devices as a Managed devices to your
account. You can do it manually, or you can have a fully Managed network node device discover the ESXi
devices for you.
If you add your ESXi device manually, make sure that you have a network node device in the same
site to perform ESXi monitoring.
To add an ESXi device manually, follow these steps:
1. Click the Sites tab and open one of your Managed sites that you want to add the device to.
2. Click New Device.
3. In the next window, you are asked what sort of device you are trying to add. Click the ESXi Host icon.
4. You will now be prompted with the Add an ESXi Hostwindow.
5. Fill in the following details:
Field
What to Enter
IP Address
Enter the IP address of your device.
Name
Give your device a meaningful name.
Description
Manufacturer
Enter the name of the manufacturer of your device.
Model
Enter the model of your device.
New ESXi Credentials
Enter the ESXi credentials of your device. For more information, refer to
the ESXi Credentials section in Account Settings and "Site Settings" on
page 20.
Use Account/Site ESXi Credentials
Choose this option if you have ESXi credentials stored at account or site
level. The site ESXi credentials will be used in addition to the ESXi credentials specified in Account Settings unless this option is disabled in
Site Settings. For information on how to store the ESXi credentials for the
entire account or at site level, refer to the ESXi Credentials section in
Account Settings and "Site Settings" on page 20.
6. Click Save. Your ESXi device is now added as a Managed device to your account.
You can also have one of your fully Managed network node devices scan the network for you to discover your
ESXi devices. It will check for devices listening on port 902 and if a device responds, it will be listed as an
ESXi device in the discovered devices list. For further information, refer to "Discover Devices on the Network" on page 183.
Monitor an ESXi device
Once an ESXi device has been added to your account as a Managed device, you can apply monitoring to it.
ESXi monitoring is performed through a network node in the site that the device is added to. ESXi monitoring
can only be applied as part of a policy at account and site level. ESXi monitors are not available at device
level.
The following ESXi monitor types are available:
l
ESXi CPU Monitor
l
ESXi Memory Monitor
l
ESXi Data Store Monitor
l
ESXi Temperature Sensor Monitor
l
ESXi Fan Monitor
l
ESXi Disk Health Monitor
l
ESXi PSU Monitor
You can also apply the following non-ESXi-specific monitor:
l
Online Status Monitor
For information about the monitor types, refer to "Types of monitors" on page 232.
For information on how to apply ESXi monitoring, refer to "Create an ESXi Policy" on page 104.
Create an ESXi Policy
Account > Policies
What is an ESXi policy?
An ESXi policy allows you to apply one or more ESXi monitors to one or more devices in a site or the entire
account using filters or groups. An ESXi policy lets you monitor the performance, datastore, temperature and
hardware status of your ESXi devices.
ESXi policies can be set up in the Autotask Endpoint Management (AEM) Web Portal at both account and
site level. Refer to "Add a policy" on page 251.
How to...
Specify the ESXi policy details
1. On the Policy page, click New account policy... or New site policy....
3. Select the type ESXi.
5. Click Next. You are now presented with the policy details.
Add a target
You can target your devices with the policy using filters and groups. To find out more, refer to "Add a target"
on page 257.
Add a monitor
When creating an ESXi policy, you can apply ESXi monitors to your devices. For information on the ESXi
monitor types and how to add a monitor, refer to "Add a monitor" on page 257.
Save the policy and push the changes
Once you have added your ESXi monitor, you are re-directed to the policy details page. Here, you need to
save and push the changes so that they can be applied. For further information, refer to "Save the policy and
push the changes" on page 258.
Edit the policy
For information on how to edit your policy, refer to "Edit the policy" on page 258.
Audits
Permission to access the Audit tab at Account and/or Site level and permission to access Devices
Account > Audit
Sites > click on a site > Audit
Sites > click on a site > Devices > click on a device > Audit
About Audits
An audit is an inventory of the hardware and software installed on a device as taken by the AEM Agent. As
consecutive audits are performed, changes to the hardware and software are tracked in a change log. The
data is stored on the device and added to the device record in the Web Portal.
Audit data is available at account, site and device level.
More...
l
l
l
l
When viewed at device level, the Audit tab answers the question: "What hardware and software are
currently installed on this particular device, what's the status of the installed services and what
changes have been made to the device over time."
When viewed at site level, the Audit tab answers the question: "What hardware and software is
installed on the devices associated with this site, including quantity and version information."
When viewed at account level, the Audit tab answers the question: "What hardware and software is
installed on the devices associated with all sites in my account." It provides a list of all hardware and
software you are managing, including quantity and version information.
Additionally, at both account and site level, you are able to monitor the number of devices a software
package is installed on. This allows you to manage site or team licenses. You will receive an alert
when you exceed the maximum number of devices.
Full and Delta Audits
l
A full audit is a complete inventory audit of the device taken at the time the Agent is installed. This is
the only time a full audit is performed automatically.
However, a full audit of a device can be initiated manually at any time if you need up-to-date information on a particular device. Refer to "Perform a manual audit" on page 107.
l
A delta audit is a list of the changes to the audit information on the device since the last audit. Delta
audits are performed automatically on a regular schedule.
Auditing frequency
Type of
Agent
Frequency of full audits
Frequency of delta audits
Managed
Right after Agent installation, and anytime manually
Every 24 hours, and upon the
successful completion of a job or
patch update
OnDemand
Right after Agent installation, and then once every seven
days or where the OnDemand Agent has been activated
by the end user.
N/A
How to...
Perform a manual audit
1. Navigate to the list of your devices and select one or multiple devices.
2. Click the Request device audit(s) icon
and confirm that you want to perform the audit.
If you selected a single device, a full audit will be performed.
If you selected multiple devices, a delta audit will be performed.
View audit data at device level
1. Navigate to Sites > click on a site > Devices > click on a device. The Device Summary page will
open.
2. Click the Audit tab.
Depending on your device type, the Audit tab or some sections under the Audit tab may not
be available.
At the top of the page, on the right-hand side, you will see the following radio buttons:
Radio button
Description
Hardware
This is the default view. It shows the complete hardware audit information for this
device.
Software
Shows all software installed on the device and indicates the version. A search field, a
toggle for number of entries on one page and a .CSV export option are also available.
Radio button
Description
Services
Shows the following information about the services installed on your Windows device:
• Display Name
• Service Name
• Status at the last audit
• Startup Type
Sort by any of the columns by clicking on the column header.
A search field, a toggle for number of entries on one page and a .CSV export option are
also available.
Change Log
Shows 3 drop-downs:
• System Changes - This shows changes made at system level on the device, such as
the last boot time, changes to usernames etc., along with the time it occurred.
• Software Changes - This shows any software that has been added or deleted, along
with the version and the date this occurred.
• Hardware Changes - This shows any hardware changes that have been made, such
as screen resolution or hard drives added or removed, as well as the date it occurred
View audit data at account or site level
1. Navigate to Account > Audit OR Sites > click on a site > Audit.
At account level, click the Click here to load the hardware list for this account or the Click here
to load the software list for this account link.
At site level, expand the Managed Devices or Unmanaged Devices section.
2. At the top of the page, on the right-hand side, you will see the following radio buttons:
Radio button
Description
Hardware
This is the default view. It shows the complete list of hardware models, and the number of
devices of this model. A search field, a toggle for number of entries on one page and a .CSV
export option are also available.
To see a list of devices that belong to a model, click the hyperlink.
Software
Shows all software applications associated with the account or site, their versions, and the
number of devices each application is installed on. A search field, a toggle for number of
entries on one page and a .CSV export option are also available.
To see a list of devices that have this software and version installed, click the hyperlink.
Licensing
Allows for monitoring of software licenses to alert when the number of devices the software
package is installed on exceeds a set threshold. Refer to "Enable monitoring of software
licenses " on page 108.
Enable monitoring of software licenses
1. Navigate to Account > Audit OR Sites > click on a site > Audit and click the Licensing radio button.
2. On the Actions row, click the Manage account package (account level) or the Manage package (site
level) icon .
3. If you are at account level, proceed to the next step.
At site level, a pop-up window will open. If you have already created a software package before, it will
be listed in the window. If this is the first time that you create a software package for licensing, the window will be empty. Click New Package....
4. The New Package page will open.
5. Enter the following information:
Field
Description
Name
The name you will save this search under.
Search
Enter a keyword or search string, then click Search.
All
If you check this radio button, the check boxes will be disabled and all results will be added to
the software package.
Specific
If you check this radio button, the check boxes will be enabled, and you can select specific versions or products to add to the package.
6. Click Save. The window will close, and you will be returned to the licensing page.
7. At account level, you will be presented with the name of the software package, the number of items
in the package and the quantity across devices.
If you are at site level, click the Manage package icon again.
8. Check the check box next to your software package and click Select.
The new software package will now appear on the list.
9. In the Alert column, click on Click to set and enter the maximum number of licenses so that you can
be notified when the threshold is reached.
Troubleshoot
If you think you are having issues with the audit information coming through on a device, please refer to I
think that the audit information is corrupted / missing. What can I do?
Administrator
Sites > click on a site > Settings > Local Caches
What is a local cache?
a patch cache to store patches.
A component cache stores a local copy of all downloaded components in your Autotask Endpoint Management (AEM) account and then distributes the components to other devices in the same site without the
need to pull them from the AEM Amazon cloud platform.
A patch cache downloads and stores patches from Windows Update to serve them for devices in the same
site through a patch policy. The patch cache will continuously download new patches as the need for them
arises.
Using a local cache for downloading either components or patches reduces bandwidth usage and drastically
improves efficiency when deploying components and conducting patching operations.
A local cache is not the only way to avoid downloading a component multiple times. If the
same component is scheduled to be installed on another device in the same AEM site, the target device will query other nodes on the network to see if the file exists locally. If the file is available only on a local device that is not a local cache, the Agent will download the component
from that location. This is known as peer sharing. Peer sharing is only used if the component is
not cached locally.
Local cache type
Component cache
Windows
Patch cache
For more information on supported versions of the above operating system, refer to Supported Operating Systems and Requirements for the Agent.
Requirements
l
Only desktops, servers, and laptops with up-to-date audit information may be nominated as local
caches.
l
l
Local caches need to have adequate hard drive space to store the components and/or patches.
For component caches, port 13229 must be available for inbound communications, and accessible to
all devices on the local network.
A local cache should preferably be a device that is always left on, e.g. a server.
Default location for cached components and patches
Your cached components and patches will be stored in the following locations by default:
Type
Location*
Cached components
Drive:\ProgramData\CentraStage\Packages
Cached patches
Drive:\ProgramData\CentraStage\Patches
* You can specify the drive when nominating the cache. Refer to "Designate a device as a local cache" on page
112.
How to...
Designate a device as a local cache
We recommend restricting individual sites to a single geographical area for the smoothest possible operation with local caches.
1. Navigate to a site and click on the Devices tab.
2. Click the check box next to the device you wish to select as a local cache. You can select more than
one device.
3. Click the Add/Remove as local cache icon
in the Action bar.
4. A pop-up window will appear listing all devices you have selected. You can collapse or expand each
device.
5. Select any or both of these check boxes:
Cache all Components in this account - It will nominate the device as a component cache. The
device will receive all components that have been downloaded to your Component Library. Additionally, it will sync with your Component Library when a component is created, edited or deleted.
Refer to "Download a component" on page 269.
Cache Patches (use with a Patch Management Policy) - It will nominate the device as a patch
cache. Ensure that you have at least one active patch management policy. Refer to "Create a Patch
6. Select a drive on which the cached files should be stored. Refer to "Default location for cached components and patches" on page 112.
A local cache will stop downloading patches if the selected drive's free disk space falls
below 1 GB.
7. Click Save.
8. Your local caches will now be listed in Site Settings where you can re-arrange their order of priority,
and you can also specify patch cache clearing options. Refer to "Site Settings" on page 20.
For custom components only, there is an additional feature available: you can choose which
components should be made available to which sites. Refer to "Map components to specific
sites" on page 336.
Edit or remove a device as a local cache
1. You can remove a local cache in Site Settings. Refer to "Site Settings" on page 20.
2. Alternatively, to either edit or remove a local cache, you can follow steps 1-4 of "Designate a device
as a local cache" on page 112.
3. You can select or deselect any or both of these check boxes:
Cache all Components in this account
Cache Patches (use with a Patch Management Policy)
4. You can select a different drive on which the cached files should be stored.
5. Click Update.
If a local patch cache is removed, the patches cached on that device will be removed almost immediately.
Manage Devices
Permission to manage Sites > Devices
Sites > click on any filter or group
A list of the devices you manage in Autotask Endpoint Management (AEM) can be accessed from the site, filter or group they are associated with. For information about sites, refer to "Sites" on page 7. For information
about filters and groups, refer to "Filters" on page 130 and "Groups" on page 142.
To view all devices you are managing, navigate to Sites and click the device filter called All
Devices. Many other device filters are also available.
Devices lists provide basic information about each endpoint you have in the same site, filter or group.
Depending on whether the site is Managed or OnDemand, some features may not be available.
For further information about site types and to find out how to move devices from one site to another, refer to
"Manage Sites" on page 13.
By default, the following information is displayed:
Field
Description
Hostname
The name of your device. This can be edited in the device itself, or if it's a network device, it can be
edited on the "Device Summary" on page 119 page.
Description
The description of your device that can be edited on the "Device Summary" on page 119 page.
IP Address
The IP address of your device.
Ext IP Addr
The external IP address of your device.
Last User
The user that last logged into this device.
Field
Description
Operating
System
The operating system of your device.
Views
Field
Description
Column Chooser
columns to re-arrange their order in the results view. Click Save to apply the
changes or Cancel to discard them.
Show entries
It lets you select to show 25 / 50 / 100 entries per page.
Filter (on Site > Devices
only)
Choose one or more of the following device types to filter the results:
• All
• Desktops
• Laptops
• Servers
• Network
• ESXi Host
• Unknown
Shortcut for actions
An arrow pointing towards right in each row, just to the left of the first column. Once
you click on it, you will see a few icons displayed. These icons provide a shortcut for
actions that you can do in the devices. For further information about these shortcuts,
see the list of Action bar icons below.
Select pages / Next
Click a page number or click Next to jump to the next page of results.
Action bar icons
Icon
Name
Description
Move device(s) to different site
Move the selected device(s) to a different site. Refer to "Move
Devices to Another Site" on page 123.
Add device(s) to group
Add the selected device(s) to a group. Refer to "Groups" on
page 142.
Edit description of selected devices
Edit the description of the selected device(s). Refer to "Device
Summary" on page 119.
Toggle device(s) as favorite
Mark or unmark the selected device(s) as favorite.
Delete device(s)
Delete the selected device(s). For further information, refer to
"Delete Devices" on page 127.
Icon
Name
Description
Request device audit(s)*
Request an audit for the selected device(s). For further information, refer to "Audits" on page 106.
Schedule a job*
Schedule a job for the selected device(s). Refer to "Deploy Components Using Jobs" on page 319.
Run a quick job*
Run a component through a quick job for the selected device
(s). Refer to "Deploy Components Using Jobs" on page 319.
Export to CSV
Allows you to export a list of the selected devices in .CSV
format. Make sure to select the columns you want to include in
the export.
Add/Remove as local cache*
Add or remove the selected device(s) as local cache. For further
information, refer to "Designate a Local Cache" on page 111.
Add/Remove as Network Node*
Add or remove the selected device(s) as network node. For further information, refer to "Discover Devices on the Network" on
page 183.
Turn privacy on*
Turn on privacy mode for the selected devices. For further
information, refer to Privacy Mode.
Send a message to the selected
devices*
Send a message to the selected device(s). The message will
pop up on the devices once they are online.
Note: It usually takes a few minutes for the message to appear.
Refer to "Messages" on page 124.
Schedule selected reports
Schedule one or more reports for the selected device(s). Refer
to "Schedule and Run a Report" on page 476.
Run Security Management
Command*
This button becomes available once Kaspersky Endpoint Security has been downloaded from the ComStore. Click the button to
perform a number of actions on the selected device(s). Refer to
"Kaspersky Endpoint Security Integration" on page 208.
Run Security Management
Command*
This button becomes available once Webroot Endpoint Security
has been downloaded from the ComStore. Click the button to
perform a number of actions on the selected device(s). Refer to
"Webroot Endpoint Security Integration" on page 218.
Refresh
Refreshes the current view. This will show your devices' most
up-to-date status.
Summary
Shortcut. It directs you to the "Device Summary" on page 119
page.
Audit
Shortcut. It directs you to the device's Audit tab. Refer to "Audits"
on page 106.
Manage
Shortcut. It directs you to the device's Manage tab.
Monitor*
Shortcut. It directs you to the device's Monitor tab.
Support*
Shortcut. It directs you to the device's Support tab.
Report
Shortcut. It directs you to the device's Report tab.
Icon
Name
Description
Policies*
Shortcut. It directs you to the device's Policies tab.
Remote takeover icons
Icon
Name
Description
Connect to Device*
Initiate a connection to the device. This will log you in to the Agent
Browser. Once you are connected to the device, you will be presented
with a list of actions you can perform on it, including remote takeover
connections. For further information, refer to Agent Browser Tools.
Remote Takeover (RDP)*
Initiate a Remote Desktop Protocol (RDP) connection to the device.
For further information, refer to Remote takeover tools.
Remote Takeover (VNC)*
Initiate a Virtual Network Computing (VNC) connection to the device.
For further information, refer to Remote takeover tools.
Splashtop*
Initiate a remote takeover session via Splashtop. For further information, refer to Splashtop Remote Screen Share Integration.
*Will not display for offline machines, printers, mobile devices, network devices or devices with an inappropriate operating system. In
some cases they do not display at all, e.g. due to incomplete audit.
If you experience issues launching the Agent Browser when clicking on the above icons in the
Web Portal in Google Chrome, refer to I can't launch the Agent Browser from the Web Portal in
Chrome. Why is that?
Device Summary
Permission to view Sites > Devices
Sites > click on a site > Devices > click on a Device > Summary
The devices that you manage through Autotask Endpoint Management (AEM) are grouped together in your
Managed and OnDemand sites. In order to see detailed information about a device:
1. Go to Sites.
2. Click on the name of one of your sites.
3. Click the Devices tab.
4. Click on the name of one of your devices.
This will bring you to the Device Summary page where you'll see a summary of the device, including operating system, service pack, serial number, IP addresses, and lots more.
Depending on the device type, some information or sections on this page may not be available
for your device.
Device summary
In the top area of the page, you can see the following information:
Field
Description
Description
The description of your device. To change it, click on Edit.
Power Rating
The power rating of your device. This number provides the basis for your device's energy
usage calculation. The field becomes editable once you click on Edit next to the Description field. For further information, refer to the Power Rating section in Account Settings
and "Site Settings" on page 20.
User-defined fields
1-10
These fields only become visible if you entered some information here. The fields become
editable once you click on Edit next to the Description field. To find out more about
user-defined fields, refer to "User-Defined Fields" on page 38, Account Settings and "Site
Settings" on page 20.
Groups
It lists any groups that the device is part of. By clicking on the hyperlink, you will be directed to the group itself. For further information, refer to "Groups" on page 142.
Version
The version of the Agent installed on this device.
You can update your device information by following these steps:
1. Click Edit next to the device description field.
2. Update the information in any of these fields: Description, Power Rating, User-Defined Fields 110.
3. Click Clear or Clear User-Defined Fields to remove the information.
4. Click Save to save your changes or Cancel to discard them.
Actions
You can perform various actions on your device. For further information, refer to "Action bar icons" on page
116.
System
This area provides basic audit information about the device including hostname, ID, device type, domain, last
user, Hyper-V version (for Hyper-V-enabled devices), status, last seen, last reboot, last audit date, create
date, IP addresses, credentials (for ESXi and network devices), manufacturer, model, operating system, service pack, architecture, serial number, security, Guest machine information (for ESXi and Hyper-V devices),
and more.
You can connect to the device or take a screenshot of its current status by clicking on one of these icons on
the right of the screen:
Icon
Name
Description
Refresh*
Refreshes the current view of your device. This will show a thumbnail view of a screenshot taken of your device at the moment.
New Screenshot*
Allows you to take a screenshot of your device. It will be opened in a
new window.
Connect to Device*
Refer to "Remote takeover icons" on page 118.
Splashtop*
If you experience issues launching the Agent Browser when clicking on the connect icon or any
of the remote takeover tools in the Web Portal in Google Chrome, refer to I can't launch the
Agent Browser from the Web Portal in Chrome. Why is that?
Notes
This section lists all the notes that have been added to this device. To add a note:
1. Click Add Note.
2. Enter your note.
3. Click Add to save it.
4. Once it has been saved, you can edit or remove it by clicking on the pencil or delete icons.
You can also add a note to the device through the Agent Browser. For further information,
refer to Connect to a device.
Activity log
This area lists activities that have been carried out on the device. To see all of the activities, click on More.
Refer to "Device Activity" on page 372.
Performance
Under Performance, you will see the following information:
l
CPU usage (%)
l
Memory usage (%)
l
Disk capacity (used %)
l
Device uptime
The scale can be changed from 24 hours to one week or one month.
Move Devices to Another Site
There are times when you want to free up your Managed licenses as you no longer need to have unattended
access to those devices. On occasion, however, you need to be getting more regular audit information of certain devices and the ability to run jobs on them, therefore, you would need to move them to a Managed site.
Switching devices between Managed and OnDemand sites is possible in both directions as long as you have
enough free licenses available of whichever site type you are trying to convert to, otherwise the device will
stay in its original site.
You cannot have a site that mixes OnDemand and Managed devices. Everything in the site is
defined by the site type. To find out how to create a new site, refer to "Add a Site" on page 9.
To move a device from one site to another, follow these steps:
1. In the AEM Web Portal, click on the Sites tab, and select the site from which you would like to move
your device(s).
2. Click on the Devices tab and select the device(s) you want to move by clicking the check box next to
their name.
3. Click the Move device(s) to different site icon
from the action bar.
4. Click on the site that you want to move the device to. You will receive a warning message to inform
you about how this will affect billing.
5. Click on OK and Move.
Once the device has been moved, the Agent will switch over the next time it connects to the platform.
l
l
When Managed devices are converted to OnDemand, it should happen within a matter of minutes.
When OnDemand devices are moved to a Managed site, it could take up to a week (since OnDemand
Agents only connect every 7 days to update their audit data). You can speed this up if you open the
Agent Browser on the device you want to convert and click the Connect button.
For billing purposes, devices will retain their site type until they connect to the server. In other
words, if you are at your purchased Managed device limit and move some Agents to an OnDemand
site to free up Managed device licenses, those licenses won't be available for use by new devices
until the Agents you moved have finished checking in to the platform.
Messages
Permission to manage Setup > Messages
Setup > Messages
On the Devices lists, you can select one or multiple devices and click the Send a message to the selected
devices icon.
A popup will open.
Populate the Message field, and optionally the Subject, and check the Expire this message after ...
minutes check box if needed.
The message will appear on the selected devices, if they are online, as well as on your Setup > Messages
tab.
When the issue is taken care of, you can click the Delete icon in the Actions menu.
Suspended Devices
Administrator
Account > Suspended Devices
You may occasionally suspend monitoring while you perform maintenance on a device or devices, to stop
false alerts from being generated. You can suspend your devices individually or through a Monitoring Maintenance Window Policy. For further information, refer to "Suspend or unsuspend monitoring" on page 247.
How to...
Suspend or unsuspend devices
To learn how to suspend/unsuspend your devices, refer to "Suspend or unsuspend monitoring" on page 247.
View suspended devices
To view all the devices that have been suspended manually, navigate to Account > Suspended Devices. A
suspended device displays the following device icon:
Devices targeted by a Monitoring Maintenance Window policy will not be listed under Account >
Suspended Devices.
A way to use the Suspended Devices list is to suspend all devices you want to do maintenance
on, and then work directly from the Suspended Devices list. As you complete the work on each
device, click the Unsuspend this device icon. Refer to "Suspend or unsuspend monitoring" on
page 247.
Automatic suspension of a device can occur if the platform receives multiple monitor alerts from
the same device within one minute. The purpose of the automatic suspension is to prevent a device
from "spamming" the platform with multiple alerts. The current threshold is set to 100 alerts per
minute.
Note that muting the alerts will not stop automatic suspension. It only means that you don't see the
alerts in the Web Portal, however, they are still raised and sent to the platform. If the Agent sees
that the threshold has been breached, automatic suspension of the device will occur.
Delete Devices
Permission to manage Sites
Sites > Deleted Devices
Sometimes you need to remove a device or multiple devices from your sites in Autotask Endpoint Management (AEM) because you no longer support these devices or perhaps they no longer exist. Any user with
the permission to manage a site may delete a device from it.
Only Administrators can access and manage the Deleted Devices page.
How to...
Delete a device
In order to delete a device, follow these steps:
1. In the Web Portal, click Sites.
2. Click on the name of the site that contains the device you want to delete.
3. Click on the Devices tab.
4. Select the device(s) you would like to delete.
5. Click on the Delete device(s) icon
from the Action bar.
Manage deleted devices
Only Administrators can access and manage the Deleted Devices page.
When a device is deleted, it will be removed from its current site and placed into the Deleted Devices site
with a flag set on the database to uninstall the Agent from the device.
You can find the Deleted Devices page by following these steps:
1. Click Sites.
2. Click Manage Deletions in the top left.
If the device is online at the time of deletion, it will recognize that it has been placed into the Deleted Devices
site and uninstall the Agent from the device automatically.
If the device is offline at the time of deletion, it will remain in the Deleted Devices site. The Agent will be uninstalled when it next connects to the database.
You do not get charged for devices in the Deleted Devices site. They are also ignored from reporting or filtering.
Restore accidentally deleted devices
If you delete a device from the Deleted Devices site, it will automatically be re-added to its original site when
the Agent connects to the platform again.
The device's original site may not be the site it was deleted from if the device had been moved to a
different site after the Agent installation.
When the device is re-added, its original record will be purged and it will be treated as a completely new
install.
Target Devices with Filters and Groups
Filters and groups are fundamental for getting visibility and control of your devices, allowing you to apply jobs
or monitors to a targeted subset of your device estate.
Filters
Filters are dynamic and work independently of sites so you can have a filter that looks for devices with specific criteria across all sites. As device attributes change, the filters will automatically be updated, and only
the devices that match the current filter criteria will be displayed in the filter results. Refer to "Filters" on page
130.
Groups
Similarly to filters, groups work independently of sites. This means that you can group devices from many
sites together. However, unlike filters groups are static, which means that adding or removing devices or
sites to or from groups is a manual activity that is carried out in the Web Portal. Also, groups cannot be
shared with other security levels within the account. Refer to "Groups" on page 142.
And then there are sites...
Both filters and groups target specific attributes of a device. The association of a device with a site, however,
is permanent (at least until a device is moved to a different site). Typically, the site represents the business
unit the device belongs to, such as a company, location or department. Refer to "Sites" on page 7.
Filters
All users
Sites > Device Filters or Custom Device Filters
Sites > click on a site > Device Filters or Site Device Filters
Getting Started with Autotask Endpoint Management, Part 2
About filters
A filter in Autotask Endpoint Management (AEM) is a tool that is used to sort through a large number of
devices. Filters rely on the device audit data and are available at both account and site level. A filter can
be configured with certain criteria to target specific attributes of a device. It can even be set up to locate
devices with specific software.
Filters are dynamic and work independently of sites so you can have a filter that looks for devices with specific criteria across all sites. As device attributes change, the filters will automatically be updated and all the
devices that match the filter criteria will be displayed in the filter results.
Filters are a fundamentally critical part of AEM as they can effectively target the right devices with reports,
monitors, jobs, patch management, etc. If your servers go offline, for example, you can target an online
status monitor at your servers with the help of a filter.
To see how filters work in a policy, refer to "Managing Policies" on page 250.
Device Filters
There are a set of Device Filters available in every account in AEM by default. You can use them to filter
through all of the devices in your account or just in one particular site.
1. To filter through all of the devices in your account, click Sites and locate the Device Filters area in the
left navigation pane.
2. To filter through one site only, go to Sites > click on one of your sites and locate the Device Filters
area in the left navigation pane.
3. The following filter categories will be displayed:
Category
Description
Application
Contains filters for applications, such as Adobe Flash, Java, Microsoft Office.
Category
Description
Backup solution
Contains filters for backup solutions, such as Autotask Endpoint Backup,
Backup Exec, Veeam.
Compliance
Contains filters for devices that need your attention as they run out of memory,
their anti-virus is disabled, they need a reboot, etc.
Operating system
Contains filters for operating systems, such as Linux, Windows, Mac.
Role
Contains filters for servers, such as DNS servers, domain controllers,
SQL servers.
Security software
Contains filters for security software, such as ESET, Kaspersky, Webroot.
Status
Contains filters for device status, such as network node, offline, online.
Type
Contains filters for device types, such as all devices, ESXi devices, local
caches.
4. Expand a category to be able to see the various filters within it.
The Device Filters provided by AEM cannot be edited or deleted. To understand how these
default filters are configured, refer to "Device Filter definitions" on page 131.
5. Click on any of the filters to be directed to the list of devices that meet the filter requirements.
6. You can also use the dynamic search above the filter categories. Start typing in the Search field and
you'll be presented with the filters that match your query.
Without having to use your mouse, the Search field can be brought into focus by hitting Ctrl
+ / on your keyboard.
Device Filter definitions
The default Device Filters provided by AEM have been configured the following way:
Application
Filter Name
Field
Qualifier
Adobe Flash
Criteria
Operator
Notes
Adobe Flash Player
Box.Net
Begins
with
Dropbox
Box Sync
Dropbox
Google Chrome
Google
Chrome
Java
Does not
contain
Java
Software
package
Microsoft
Office
AND
Frame, Helper
Begins
with
Mozilla Firefox
Microsoft Office 365, Microsoft Office
Professional, Microsoft Office Home,
Microsoft Office Standard, Microsoft
Office Basic, Microsoft Office Small,
Microsoft Office Ultimate, Microsoft
Office Enterprise
Mozilla Firefox
SQL Server
SQL Express
AND
Contains
Express
Backup solution
Filter Name
Field
Qualifier
Acronis
TrueImage
Operator
Acronis True, Acronis Backup,
Acronis\\u00C2 True\\u00C2
Begins
with
Ahsay
Autotask Endpoint Backup
Criteria
Software
package
Notes
Last query:
to support
mishandled
UTF-8 encoding
Ahsay A-Click Backup, AhsayOBM,
AhsayACB
Autotask Endpoint Backup
Backup Exec
Symantec Backup Exec
StorageCraft
Contains
StorageCraft ShadowProtect, ShadowSnap
Veeam
Begins
with
Veeam Backup, Veeam Endpoint,
Veeam Hyper-V
Compliance
Filter Name
Field
Qualifier
Criteria
< 2GB Free
Space
Disk capacity
Less
than
2G
Operator
Notes
Application
Filter Name
Field
Qualifier
Criteria
< 2GB Memory
Memory
Less
than
2G
Anti-Virus
Boolean
Equals
False
Device type
Contains
Desktop, Laptop
Software
package
Does not
contain
Microsoft Office
Device type
Contains
Desktop, Laptop
Software
package
Does not
contain
Splashtop Streamer
Device Type
Contains
Desktop, Laptop
Reboot
Required
Reboot
required
Boolean
Equals
True
Suspended
Devices
Status - Suspended
Boolean
Equals
True
Filter Name
Field
Qualifier
Criteria
All Desktop
O/S
Device type
Does not
contain
Smartphone, ESXi host, Printer
Antivirus Disabled
No MS Office
No Splashtop
Streamer
Operator
Notes
AND
AND
AND
Operating system
Operator
Notes
OR
Application
Filter Name
Field
Qualifier
Criteria
Operator
Notes
Server, iOS, Android, ESXi
AND Is
not
empty
All Server O/S
Contains
Server
Apple iOS
iOS
Google
Android
Android
Linux
Equals
Linux
MS Win XP
XP
MS Win Vista
Vista
Windows 7
MS Win 7
Operating
system
AND
Does not
contain
Server
OR
Mac
MS Win 8
Windows 8
MS Win 10
Microsoft Windows 10
MS Win Server
2003
2003
MS Win Server
2008
2008
Equals
MS Win Server
2012
Windows Server 2012
MS Win Server
2016
Server 2016
Mac OS X
OS X
Role
Filter Name
Field
Qualifier
Criteria
Operator
Notes
Application
Filter Name
Field
Qualifier
Criteria
DHCP Servers
Begins
with
DHCPServer
DNS Servers
Equals
DNS
Domain Controllers
NTDS
Exchange
Servers
MSExchange
Hyper-V Servers
IIS Webservers
Service
name
(not "Service
display
name")
Begins
with
Operator
Notes
Typically,
you cannot
select
"Equals"; this
is bespoke.
wmms
w3svc
SQLServer
SQL Servers
SQLExpress
SPAdminV
SharePoint
Servers
Begins
with
SPTimerV
OR
SPTraceV
Osearch
WSUS Servers
Contains
WSUSService
Qualifier
Criteria
Security software
Filter Name
Field
Operator
Notes
Application
Filter Name
Field
Qualifier
AVG
Criteria
Operator
Notes
AVG 20, AVG Anti, AVG Free
Avira
Begins
with
Avira AntiVir, Avira Antivirus, Avira Endpoint, Avira Free, Avira Internet, Avira
Professional, Avira Server
ESET
AND
ESET
Contains
Cyber, Antivirus, Security
Kaspersky
Kaspersky Anti-Virus, Kaspersky Endpoint, Kaspersky Internet, Kaspersky
PURE, Kaspersky Total Security
McAfee
McAfee All, McAfee Anti, McAfee Endpoint Protection, McAfee Internet,
McAfee LiveSafe, McAfee Multi,
McAfee Security, McAfee Total,
McAfee Virus
Panda
Software
package
Begins
with
Sophos
Panda Cloud Antivirus, Panda Cloud
Office, Panda Cloud Cleaner, Panda
A, Panda Endpoint Protection, Panda
Free, Panda Global, Panda Gold,
Panda Internet
Sophos Anti, SophosAnti
Symantec
AND
Symantec
Endpoint, Antivirus
Contains
Trend Micro
Begins
with
Worry-Free, Antivirus, Client, Server,
Inter, Max, OfficeScan, Security,
Titanium
OR
Trend Micro
Webroot
AND
Webroot
Contains
SecureAnywhere, AntiVirus
Criteria
Status
Filter Name
Field
Qualifier
Last Seen > 30
Days
Last seen
date
Older
than 30
days
Operator
Notes
Application
Filter Name
Field
Network Node
Network
node
Boolean
Offline Devices
Online
Devices
Status Online/Offline
Boolean
Offline > 1
Week
Last seen
date
Self-explanatory
Boolean
Equals
Offline
Desktop O/S
Qualifier
False
False
Does not
contain
Smartphone, Printer, ESXi Host
Contains
Server
Boolean
Equals
False
Does not
contain
Server, iOS, Android, ESXi
Online
Desktop O/S
Device type
AND
iOS, Android, Server, ESXi
Operating
system
Operating
system
AND
Is not
empty
AND
Does not
contain
Smartphone, Printer, ESXi Host
Equals
True
Operating
system
Contains
Server
Last reboot
Older
than 30
days
Filter Name
Field
Qualifier
All Devices
No filter
Online Server
O/S
Reboot > 30
Days
Boolean
Notes
True
Device type
Offline Server
O/S
Operator
True
Equals
Operating
system
Criteria
AND
Type
Criteria
Operator
Notes
Application
Filter Name
Field
Qualifier
Criteria
All Laptops
Device type
Laptop
Operating
system
iOS
All Mobiles
Operator
OR
Android
All Network
Devices
NetworkDevice
Device type
All Network
Printers
Contains
Printer
ESXi
Operating
system
Local Cache
Local Cache
Equals
True
Manufacturer
Does not
contain
VMWare, Citrix, Microsoft, Parallels,
InnoTek
Operating
system
Contains
Server
Manufacturer
Contains
Microsoft, Citrix, Xen, VMWare, Parallels, InnoTek
Physical Servers
Virtual
Machines
Notes
ESXi
ESX devices
are unsupported. This
filter will not
display them.
OR
Custom Device Filters and Site Device Filters
AEM's Device Filters are useful in many cases but you probably want to create your own filters to make the
most of this functionality. Custom filters allow you to apply jobs, monitors or patches to a carefully selected
subset of your estate. Any user can create filters that can be applied at both account level (Custom Device
Filter) and site level (Site Device Filter). You can filter on any bit of information that is pulled back and visible
in the device audit which is updated at least once a day for Managed devices and at least once every 7 days
for OnDemand devices.
How to...
Create a Custom Device Filter
1. Go to Sites and locate the Custom Device Filters area in the left navigation pane.
2. Click the green plus icon
to add a new filter.
3. Specify the filter criteria in the New custom device filter window.
Field
What to Enter
Name
Give your filter a descriptive name, such as "PDF reader and 20 GB disk
space" (see "Example: create a Custom Device Filter" on page 140
below).
Criteria
Use the drop-down menu to select the criteria you want to filter on. The
drop-down menu will list a set of criteria collected through the device
audits. You can specify more than one criterion in the filter by clicking on
the green plus icon either at the end of the row or underneath a row. You
can also define whether these criteria should be treated as "AND"
(where the devices must match every criterion) or as "OR" (where
devices will be included if they match any of the criteria).
Select devices in all of my
sites.
Select this option if you want the filter to contain devices from every site.
Only select devices in the following sites.
Select this option if you want the filter to contain devices from selected
sites only. Hold the Ctrl / Cmd key for multiple selections and click on
Include or Exclude accordingly.
Share this filter with users in
the following security level(s).
By default, only the filter creator can see a custom filter, however, you
can specify here if you want to share it with other security levels within
the account. Hold the Ctrl / Cmd key for multiple selections and click on
Include or Exclude accordingly.
Note: The users with whom you shared the filter will only be able to view
the results of the filter but won't be able to edit or see the criteria it uses.
4. Once the above fields are filled in, click on Save.
5. Under Custom Device Filters, click on the newly created filter to see which devices match the criteria.
Create a Site Device Filter
1. Go to Sites and click on a site.
2. Locate the Site Device Filters area in the left navigation pane.
4. Specify the filter criteria in the New filter for site window.
Field
What to Enter
Name
Give your filter a descriptive name.
Criteria
Use the drop-down menu to select the criteria you want to filter on. The dropdown menu will list a set of criteria collected through the device audits. You can
specify more than one criterion in the filter by clicking on the green plus icon
either at the end of the row or underneath a row. You can also define whether
these criteria should be treated as "AND" (where the devices must match every
criterion) or as "OR" (where devices will be included if they match any of the criteria).
Add this filter to my
other sites
Select this option if you want this filter to be available in all of your sites.
Field
What to Enter
Share this filter with
users in the following security level
(s).
By default, only the filter creator can see a custom filter, however, you can specify
here if you want to share it with other security levels within the account. Hold the
Ctrl / Cmd key for multiple selections and click on Include or Exclude accordingly.
Note: The users with whom you shared the filter will only be able to view the results of the filter but won't be able to edit or see the criteria it uses.
5. Once the above fields are filled in, click on Save.
6. Under Site Device Filters, click on the newly created filter to see which devices match the criteria.
Edit or delete a filter
The Device Filters provided by AEM cannot be edited or deleted, however, custom filters can be edited or
deleted by their creator. Users with whom a filter has been shared will only be able to view the results of the filter but won't be able to edit or see the criteria it uses or delete the filter.
To edit or delete a custom filter:
1. Go to Sites > Custom Device Filters OR Sites > click on one of the sites > Site Device Filters.
2. Hover over the filter you want to edit or delete.
3. Click on the pencil icon to edit the filter or the red X to remove it.
Example: create a Custom Device Filter
In our example, we will filter for devices that have a software installed that can open PDF files, such as
Adobe Reader or Foxit Reader and have 20 GB of free disk space available. This filter will be applied for the
entire account.
1. Go to Sites > Custom Device Filters and click the green plus icon
2. Give your filter a Name, such as "PDF reader and 20 GB disk space".
3. In the criteria section, specify "Software package contains Adobe Reader".
this section.
at the end of the row (not the one underneath) to add an additional value in
5. Enter Foxit Reader as a new value.
6. Make sure to set the blue and/or button to OR to see any devices that have either Adobe Reader or
Foxit Reader.
underneath to add a new section.
8. Make sure to set the blue and/or button to AND to see devices that match the criteria of the first and
second set.
9. In the new section, specify "Disk free space is greater than 20G".
10. Leave the rest of the options at their default selection.
11. Click Save.
12. Under Custom Device Filters, click on the name of the newly created filter to see a list of all the
devices that fit these two sets of requirements.
Groups
All users
Sites > Device Groups or Site Groups
Sites > click on a site > Site Device Groups
Getting Started with Autotask Endpoint Management, Part 2
About groups
In Autotask Endpoint Management (AEM), groups are used to group specific devices or sites in situations
where you cannot or choose not to use filters. Sites can be grouped at account level, while devices can be
grouped at both account and site level. All groups can be used as the target for monitors, reports and jobs.
Similarly to filters, groups work independently of sites. This means that you can group devices from many
sites together. However, as opposed to filters, groups are static, which means that adding or removing
devices or sites to or from groups is a manual activity that is carried out in the AEM Web Portal. Also, groups
cannot be shared with other security levels within the account.
There are three types of groups within AEM:
Name
Definition
Access Path
Device Groups
Devices grouped at account
level
Sites > Device Groups
Site Groups
Sites grouped at account level
Sites > Site Groups
Site Device Groups
Devices grouped at site level
Sites > select a site > Site Device Groups
How to...
Create Device Groups
1. Under the Sites tab, locate the Device Groups area in the left navigation pane.
to add a new group.
3. Give it a name and click Save.
4. To be able to add one or more devices to this group, locate your devices by clicking on the name of the
site they are added to and clicking on the Devices tab.
5. Select the device(s) and click on the Add device(s) to group icon
in the Action bar.
6. Select the Device Group that you want to add your device(s) to and click Add.
7. Repeat steps 4-6 in each site that has any device that you wish to add to your group.
Alternatively, you can use the filter All Devices and select the devices you want to add to
your group. Refer to "Filters" on page 130.
8. Go back to Sites > Device Groups.
9. Click on the name of the group you have created to see the device(s) that you have added to it.
Create Site Groups
1. Under the Sites tab, locate the Site Groups area in the left navigation pane.
to add a new group.
4. To be able to add one or more sites to this group, locate your sites under the Sites tab.
5. Select the site(s) and click on the Add site(s) to site group icon
in the Action bar.
6. Select the Site Group that you want to add your site(s) to and click Add.
7. Click on the name of the group you have created to see the site(s) that you have added to it.
Create Site Device Groups
1. Under the Sites tab, click on the name of one of your sites.
2. Locate the Site Device Groups area in the left navigation pane.
to add a new group.
5. To be able to add one or more devices to this group, locate your devices by clicking on the Devices
tab.
6. Select the device(s) and click on the Add device(s) to group icon
in the Action bar.
7. Select the Site Device Group that you want to add your devices(s) to and click Add.
8. Click on the name of the group you have created to see the devices(s) that you have added to it.
A Site Device Group is only visible under the site you created it for.
Edit or delete a group
1. Locate the group you would like to edit or delete.
2. Hover over the group and click on the pencil icon to edit it or the red X to remove it.
Example: edit a Site Group
In our example, we are going to remove a site from one of our Site Groups.
1. Go to Sites and in the left navigation pane, locate the Site Group that you would like to edit.
2. Hover over the group and click on the pencil icon.
3. Select one of the sites under the Include column and click Exclude.
4. Click Save.
5. Go to Sites > Site Groups and click on the name of your group to see that the site we have just
removed is no longer listed in the group.
Manage Your Endpoints
Account > Manage
Sites > select a site > Manage
Sites > select a site > Devices > select a device > Manage
At device level, the Manage tab is only available for desktops and laptops.
About your management options
Autotask Endpoint Management (AEM) helps you maintain peak performance at critical technology endpoints, such as servers, desktops, laptops, smartphones and other devices. It can automate deployment of
applications, software, patches and configuration regardless of device location, domain or network, which
provides you with powerful device management capability through a single platform.
The Manage tab is available at the Account, Site, and Device level. Once you have located the tab, you
have the following options to choose from:
Account
level
Name
Description
Patch Management
Patch Management lets you manually select and approve the patches
you wish to install on a single device, a set of devices in a site or all
your devices in your account. Refer to "Patch Management" on page
147.
Site
level
Device
level
Network Man- When you cannot install an Agent to your network devices such as
agement
switches, routers, etc., Network Management allows you to manage
these devices. Refer to "Network Management" on page 178.
Software
Management
Available for iOS devices only. Software Management allows you to
create a policy to target your iOS devices with a list of applications
that you previously added to your Component Library from the
iOS App Store. Refer to "iOS Software Management" on page 189.
Backup Management
It becomes available once the Datto Integration has been downloaded and configured for your site and a Datto device has been associated with a site in AEM. You will then be able to see information and
statistics about your Datto protected devices. Refer to "Backup Management" on page 198.
Name
Account
level
Description
Site
level
Device
level
Security Man- It becomes available once the Kaspersky Endpoint Security Integagement
ration or the Webroot Endpoint Security Integration has been downloaded and configured for your account. You will then be able to
report on the current status of your device estate protected by Kaspersky Endpoint Security or Webroot. Refer to "Security Management" on
page 205.
Patch Management
Refer to "Permissions" on page 148.
Account > Manage > Patch Management
Sites > select a site > Manage > Patch Management
Sites > select a site > Devices > select a device > Manage > Patch Management
The AEM 2016-3 Release Overview video will walk you through patch management policies, LAN
caching, patch dashboards, and patch reporting.
What is patch management and patch policies?
AEM patch management allows you to both control and automate the deployment of software patches to your
devices. The main objective of patch management is to create a consistently configured environment that is
secure against known vulnerabilities in operating system and application software.
Patch management is controlled through policies at the Account and Site level, while individual patch installations can be configured at the Device level, permitting exclusions or tolerances for individual patches
without needing to alter entire policies.
Only Windows Managed Agents support patch management. Refer to Managed and OnDemand
Agents.
Patch management workflow
1. Disable Automatic Windows Update
If you would like to use a patch management policy to install only the patches you have approved, and to
make sure that the patch management process is not interfered with, you need to disable Automatic Windows Update on your devices. We recommend that you create a Windows Update Policy in AEM to achieve
this. For more information, refer to the "Disable Automatic Windows Updates" on page 176 section of "Create
a Windows Update Policy" on page 174.
2. Set up a patch management policy
You can then set up a patch management policy to ensure that you install the necessary patches on your
devices. Refer to "Create a Patch Management Policy" on page 160.
With an active patch management policy, the AEM patch management process works in the following manner:
1. Devices submit their audit data to the platform. The information includes patches that Windows
Update requires.
2. The platform runs the devices' required patches as defined by Windows Update through the patch
management policies that target the devices. These policies can be Account- or Site-level policies
(including Site-level overriding of Account-level policies). The policy filters will define which patches
get approved or disapproved. Refer to "Create a Patch Management Policy" on page 160.
3. Individual patch installations (approvals or disapprovals) at the Device level are also taken into consideration. Refer to "Patch management at the Device level" on page 156.
4. The final approval list is sent back to the devices, which then either download the patches directly or
contact the Local Cache(s) for the patches during the defined patch policy window.
Permissions
Depending on the patching operation you would like to initiate at either the Account, Site, or Device level, various permissions are required. For further information, refer to the tables below.
To learn how to configure the permissions, refer to Security Levels.
Account-level permissions
Policies tab
Activity
Permissions
Notes
Create or Edit an Accountlevel patch policy
Account >
Policies:
Users without Manage permission who are viewing Account-level
patch policies will see everything, but all configurable options will
be disabled. It is for reference only.
The Save button at the bottom of the policy is not displayed.
Manage
View an Account-level
patch policy
Account >
Policies:
View
Policies tab
Activity
Permissions
Notes
Push the changes of an
Account-level patch policy
from the Policies tab
Account >
Policies:
Without permission to manage Policies: Push changes... button
is not displayed.
Manage
Manage tab
Activity
Permissions
Notes
Push the changes of an
Account-level patch policy
from the Manage tab
• Account >
Policies:
• Without permission to manage Policies: Push changes... button is not displayed.
• Without permission to manage Manage: Push changes... button is not displayed.
• Without permission to view Manage: Manage tab is not displayed.
Manage
• Account >
Manage:
Manage
View Account-level
policies, regardless of
whether Site-level overrides are active
• Account >
Policies:
View
• Account >
Manage:
• Without permission to view Policies: Patch Management section is not displayed on the Manage tab.
View
Toggle what policies the
pie chart shows (Pie Chart
toggle icon )
• Account >
Policies:
View
• Account >
Manage:
View
View historical patching
data (Hourglass icon )
• Account >
Policies:
View
• Account >
Manage:
View
View approved pending
patches (Calendar icon
• Account >
Policies:
)
View
• Account >
Manage:
View
Enable or disable a policy
• Account >
Policies:
Manage
• Account >
Manage:
Manage
• This also applies to the per-site options when clicking on the Target icon.
• Without permission to manage Policies: Enabled toggle is
grayed out.
Policies tab
Activity
Permissions
Notes
Run a policy now (Run
now icon )
• Account >
Policies:
• Without permission to manage Policies: Run now icon is
grayed out.
Manage
• Account >
Manage:
Manage
From either the Policies or the Manage tab
Activity
Permissions
Notes
View applicable sites or
devices (Target icon
)
• Account >
Policies:
Permissions to view and manage Manage are only required when
performing actions from the Manage tab. The user can conduct
the same actions via the Policies tab without those permissions.
View
• Account >
Manage:
View
Configure applicable sites
or devices (Target icon
)
• Account >
Policies:
Manage
• Account >
Manage:
Manage
Account-level policies shown at the Site level will require Manage permissions on the Account level
to edit, and View permissions to view, regardless of where they are being seen from. This applies to
both the Manage and Policies tab.
Site-level permissions
Policies tab
Activity
Permissions
Notes
View an
Account-level
policy that is
being overridden
at the Site level
Sites >
Policies:
The Override/Edit Override button here reverts to View Override if the
user only has view permission. Policy options in this case will be visible but
disabled. Users here are not editing the Account-level policy so do not
require permission to manage Account > Policies.
Edit an Accountlevel policy that
is being overridden at the
Site-level
Sites >
Policies:
View
Manage
View an independent patch
policy (that is not
overriding an
Account-level
policy)
Sites >
Policies:
Edit an independent patch
policy (that is not
overriding an
Account-level
policy)
Sites >
Policies:
Push the
changes of an
Account- or Sitelevel patch policy
• Sites >
Policies:
All configuration options are set but disabled, and the Save button is not displayed.
View
Manage
Manage
• Sites > Manage: Man-
• Without permission to manage Manage: Push changes... button is not
displayed. (Pushing the changes from the Policies tab may be possible.)
• Without permission to manage Policies: Push changes... button is not displayed. (Pushing the changes from the Manage tab may be possible.)
age
Manage tab
Activity
Permissions
Notes
All restrictions specified at the Account level apply here as well.
View the status
of Patch Management
• Sites >
Policies:
View
• Sites > Manage: View
Push the
changes of an
Account- or Sitelevel patch policy
Sites >
Policies:
• If the user has no permission to view Policies or Manage, the Patch Management section is not displayed. When clicking on the Manage tab, the
user will be redirected to Network Management.
• If the user has permission to view Account > Policies but does not have permission to view Sites > Policies, the Site Policies section is not displayed
at the bottom of the page. The section called 10 Most vulnerable devices
in terms of Approved Pending Changes is always displayed on the
top right of the page and will show policy names.
• If the user has permission to view Sites > Policies but does not have permission to view Account > Policies, only independent Site Policies are
shown at the bottom of the page. The section called 10 Most vulnerable
devices in terms of Approved Pending Changes is always displayed
on the top right of the page and will show policy names.
Without permission to manage Policies: Push changes... button is not displayed.
Manage
From either the Policies or the Manage tab
Activity
Permissions
Notes
View policy
status for individual devices
(Target icon
)
• Sites >
Policies:
Amend policy
status for individual devices
(Target icon
)
• Sites >
Policies:
View
Permissions to view and manage Manage are only required when performing actions from the Manage tab. The user can conduct the same
actions via the Policies tab without those permissions.
• Sites > Manage: View
Manage
• Sites > Manage: Man-
age
Sites tab
Activity
Permissions
Notes
Nominate a
Refer to "Designate a Local Cache" on page 111.
device as a
Local Patch
Cache, or re-configure nomination settings
Settings tab
Activity
Permissions
Configure Local
Cache priority
and deletion settings
Sites > Settings: Man-
Notes
age
Device-level permissions
Manage tab
Activity
Permissions
Notes
View a device's approved or
unapproved patches
Sites > Manage >
Approve or unapprove a patch
at the Device level
Sites > Manage:
View device activity
Refer to "Device Activity" on page 372.
View policies pertaining to this
device
• Sites > Policies:
View
Manage
Without permission to manage Manage: the user cannot
perform actions on the page.
View
• Sites > Manage:
View
Run a policy pertaining to this
device
• Sites > Policies:
Manage
• Sites > Manage:
Manage
Patch management dashboard
The Patch Management page can be accessed through the Manage tab at the Account, Site, or Device level.
While the dashboard looks similar at the Account and Site level, the interface at the Device level is slightly different.
Patch management at the Account and Site level
The Manage tab at the Account and Site level will allow you to see:
l
Configured patch management policies
l
A list of devices most demanding of attention
l
A pie chart detailing how many devices are fully compliant with the patch policies
Field
Description
Pie chart
(All devices
/ Workstations /
Servers)
By default, the chart shows All Policies for All devices. To see data for individual patch
policies, click the small Pie Chart toggle icon next to any of the policies at the bottom of the
page. The chart will then show device compliance with the approved patch list. Patches not
approved are not reported as missing. Compliant devices neither missing patches, nor reporting
failures are displayed as green. Devices with approved, pending patches are displayed as red.
Consult the table for each policy at the bottom of the page for a list of all missing and unapproved
patches.
Select any of the radio buttons to see the required device type (All devices / Workstations /
Servers) and hover over the chart to see the number of devices of that device type and their
status. Percentage numbers are also displayed in brackets.
Field
Description
10 Most vulnerable
devices in
terms of
Approved
Pending
Patches
A list of your ten most vulnerable devices in terms of approved pending patches. The device with
the highest number of approved pending patches will be listed first. The data displayed here is
based on the last audit information. You will see the following details:
• Hostname (Description) - The name of your device. This can be edited in the device itself.
You will also see the description of your device in brackets. The latter can be edited in "Device
Summary" on page 119. Clicking on the Hostname (Description) hyperlink will direct you to the
Manage tab at the Device level. Refer to "Patch management at the Device level" on page 156.
• Site - The site that the device is added to. This field is only visible at the Account level. Refer to
"Sites" on page 7.
• Policy - The name of the policy that targets the device.
• Last Run - The last run time of the policy.
• Next Run - The next run time of the policy. Policies with an overriden schedule show the overridden data, not the original data.
• Last Audit Date - The last time the device was audited.
• Approved Pending Patches - The total number of approved pending patches for each device.
The data is gathered from patch policy filters and approval lists.
Field
Description
Account
Policies /
Site
Policies
This section displays the list of patch management policies created at the Account or Site level.
The list of Account-level policies appears both at the Account and Site level, while the list of Sitelevel policies only appears at the Site level. You can collapse or expand each list, and you will
see the following details:
•
- This icon only appears if the Account-level policy in question is
Override active icon
overridden at the Site level. To edit the override, locate the policy at the Site level. Refer to "Override Account-level patch policy options at the Site level" on page 167.
• Name - The name of the policy. Clicking on the hyperlink will direct you to the policy details.
Refer to "Create a Patch Management Policy" on page 160.
• Targets - The targets of the policy.
•
Pie Chart toggle icon - Clicking on this icon will toggle what is shown in the (big) pie chart
above the list of policies and in the section of "10 Most vulnerable devices...". The icon toggles
between an All Policies overview and the data for the policy in question, showing the policy
name over the pie chart. Clicking the Pie Chart toggle icon will make it glow to indicate that it has
been toggled on.
• Push changes... - Click Push changes... to immediately push any policy changes to all
devices targeted by the policy. The target icon
changes color
when changes are being
pushed.
•
Hourglass icon - Allows you to view results from the last time the policy ran. If the policy has
not been run, the icon will be disabled and not clickable. Clicking on the icon will open a pop-up
window showing the last run time and the following patch information: Patch Description,
Size, Targeted Devices, Successes, Failures. You can click on the hyperlinked number under
Successes and Failures.
If you are viewing an Account-level policy, then the Successes/Failures hyperlink will direct you to
the list of affected sites. You can expand each site to see the results for the targeted devices. If you
are viewing a Site-level policy, then the hyperlink will direct you to the list of targeted devices. On
the Successes and Failures page, you can control the items per page view and you can
search for your devices. You can also filter by Desktops, Laptops, Servers, or All devices.
Field
Description
•
Calendar icon - Allows you to see what patches would be installed if the policy was run
now. Clicking on the icon will open a pop-up window showing the Approved Pending Patches as
per the last audit data. You can expand or collapse each patch to see further information. You can
control the items per page view and you can search for your devices.
•
Target icon - Clicking on this icon will open a pop-up window to show included and
excluded sites and/or devices targeted by the policy. The
Override active
icon
will be dis-
played in front of sites that override the Account-level policy options. You can filter by All Sites,
Included Sites, and Excluded Sites in the case of Account-level policies, and you can also filter by All Devices, Included Devices, and Excluded Devices in the case of both Accountand Site-level policies. You can turn the policy on or off for your sites and devices by toggling the
Enabled button to ON or OFF, and you can push the changes by clicking on the Push
changes color
when changes are being pushed.
changes... button. The target icon
•
Run now icon - Clicking on this icon will display a dialog box where you can confirm
whether you want to run the policy now, outside of its schedule. If the policy has been deactivated,
the icon will be disabled and not clickable.
If you have just made changes to your policy, we recommend that you wait five
minutes before you click on the Run now icon to ensure that the changes are
applied.
• Enabled/Enabled for this site - A toggle to turn the policy ON or OFF.
Patch management at the Device level
You can configure individual patch installations at the Device level, permitting exclusions or tolerances for
individual patches without needing to alter entire policies.
Compared to the Manage tab at the Account and Site level, the layout of the Manage tab at the Device level
is different:
Field
Description
Operating
System
The operating system of the device.
Service
Pack
The Service Pack Installed on the device.
Policies
The policies that target the device.
• Name - The name of the policy.
•
Run Now - Click on the icon to run the policy on this device now, outside of its schedule. If the
policy has been deactivated, the icon will be disabled and not clickable.
If you have just made changes to your policy, we recommend that you wait five
minutes before you click on the Run now icon to ensure that the changes are
applied.
It is not recommended to have more than one patch policy targeting a device.
Field
Description
Operating
System
Patches
This section has three drop-down lists: Approve, Installed, and Do Not Approve. The following
options are available in each list:
• Filter - You can filter by Priority, May Require Reboot, and May Require User Input. For
more information on Priority, refer to "Filter patches" on page 168.
• Search - As you type into the dynamic search field, the search results are narrowed to match your
search string.
• Sort - You can sort the patches by clicking on any of the following columns: Title, Priority, Size,
Reboot.
• Hyperlinked patch title - Clicking on the patch title will lead you to a page showing all devices
for which this patch has been approved / that have this patch installed / for which this patch has
been denied (when clicking from the Approve / Installed / Do Not Approve list, respectively).
• Click for more information - Clicking on the information icon
will display further information about the patch.
Further details of each list are discussed below.
Approve
This drop-down denotes patches which have been marked for approval on this device by the Siteand/or Account-level policies targeting it. The number of patches is displayed in brackets next to the
list name. The list is only updated following a device audit.
Patches that are approved are pushed to the device during the policy schedule window, and following their installation, are moved to the next list called Installed. This schedule and other settings can be changed in the patch management policy. Refer to "Create a Patch Management
Policy" on page 160.
You can perform the following action in this list:
•
Remove from list - Hover over the patch and click on this icon to move the patch to the Do
Not Approve list.
Installed
This drop-down denotes patches historically approved for this device, either by policy or as a result
of user intervention. The number of patches is displayed in brackets next to the list name. The list is
only updated following a device audit.
Do Not Approve
Field
Description
This drop-down denotes patches that have been approved by the policy targeting the device, but
that have historically been excluded from being installed on this particular device. The number of
patches is displayed in brackets next to the list name.
You can add patches to this table by clicking on the Remove from list icon next to a patch in the
Approve list. To remove the patch from a device and stop it from re-installing, it must be excluded
here and then removed manually using the Uninstall Windows Update by KB Number component from the ComStore. Refer to "List of components" on page 270.
You can perform the following action in this list:
•
Remove from list - Hover over the patch and click on this icon to move the patch to the
Approve list.
If you have a device with no patch policies targeting it, all patches that Windows
Update required in the last patch scan will be listed in the Do Not Approve dropdown. This is the expected behavior as no policy was able to approve these patches.
If you then target this device in a patch policy, the device will need to be re-audited
before the patches can move to the Approve list. To learn about the frequency of
audits and how you can perform a manual audit, refer to "Audits" on page 106.
Patch reporting
To see detailed information on patch installations, check the device activity log and the Site-level patch management reports. Refer to "Device Activity" on page 372 and "Reports at Site Level" on page 382
Create a Patch Management Policy
Refer to "Permissions" on page 148.
Account > Policies
What is a patch management policy?
With a patch management policy, you are pre-approving patches to be installed on your Windows devices on
an ongoing basis, based on conditions you define. A patch management policy can not only manage the
patches made available in Windows Update, but it also gives you much more control, lowers your work load
and increases the security of your device estate. You can set up an Account-level or Site-level policy that can
target multiple devices, define the patch window, patch location, automatic approval rules and special
options such as reboot behavior. You can even apply Site-level overriding of Account-level patch policy
options.
We recommend that you create at least two patch policies: one for workstations and one for
servers.
Only Windows Managed Agents support patch management. Refer to Managed and OnDemand
Agents.
For detailed information on patch management, refer to "Patch Management" on page 147.
How to...
Create a patch management policy
1. If you would like to use a patch management policy to install only the patches you have approved, you
need to disable Automatic Windows Update on your devices. We recommend that you create a Windows Update Policy in AEM to achieve this. For more information, refer to the "Disable Automatic Windows Updates" on page 176 section in "Create a Windows Update Policy" on page 174.
2. You can then create a patch management policy at the Account or Site level. For information on how
to create a policy, refer to "Add a policy" on page 251.
Account-level policies can be overridden at the Site level to alter only the most necessary elements for
a smaller subset of devices. For more information, refer to "Override Account-level patch policy
options at the Site level" on page 167.
Specify the Policy Details for a patch management policy
1. On the Policy page, click New account policy... or New site policy...
3. Select the type Patch Management.
You can only use an Account- or Site-level policy as a template, that is, you cannot base
your policy on a Site-level override of an Account-level policy. For information of Site-level
overrides, refer to "Override Account-level patch policy options at the Site level" on page
167.
5. Click Next.
7. Choose one or more of the following options:
Field
Description
TIMING OPTIONS
Schedule
Ensure that all of your devices are on the latest Agent version.
Click the Click to change... button to set the schedule when you want the policy to run.
Select one of the following:
• At selected date and time - Defaults to the current date and time, but can be changed in
the Start field. The policy will run once at the selected date and time.
• Daily - The policy will run every day at the time indicated in the Start field.
• Weekly - The policy will run every week on all selected days at the time indicated in the
Start field.
• Monthly - The policy will run in the selected months on the selected days.
• Monthly day of week - The policy will run in the selected months on the specified occurrence of the selected days of the week.
• Yearly - The job will run on the selected day (1 - 366) each year.
Once you click OK , the selected schedule is displayed next to the Click to change... button.
Time zones will be taken into account at run times. For example, if the policy is
set to run at midnight and is applied to two devices in different time zones, one
UTC and one PST, then the policy will run at midnight UTC on the UTC device
and at midnight PST on the PST device.
Duration
Allows you to put a time limit (1-24 hours) on running the policy.
PATCH LOCATION
Field
Description
TIMING OPTIONS
Local
Cache
The following options are available:
• Download patches from Windows Update - The targeted devices will contact Windows
Update directly to download patches.
• Use a Local Cache to download and distribute updates to targeted devices - The
targeted devices will contact the Local Cache(s) of their site for updates.
• Permit devices to contact Windows Update for patches the Cache is unable to
provide - This option becomes available and is selected by default if the "Use a Local
Cache..." option has been selected. It allows the targeted devices to contact Windows Update
for patches in case the Local Cache(s) are unable to provide them.
Make sure that the sites your targeted devices reside in do have a nominated
patch cache if you want to use the Local Cache option in your policy. To learn
how to use a Local Cache for patching, refer to "Designate a Local Cache" on
page 111. To learn about patch cache clearing options, refer to "Site Settings"
on page 20.
If the Local Cache option is enabled in a policy that targets a site without a
Local Cache nominated, a line of text (a warning or an error) will appear in
the Agent log file. To locate the Agent log file, refer to How do I find the AEM
log files?.
PATCH APPROVAL
Approve
these
patches
Allows you to configure approval filters. Refer to "Filter patches" on page 168.
Field
Description
TIMING OPTIONS
Do not
approve
these
patches
Allows you to configure disapproval filters, that is, you can set conditions that override your
approval above. These filters take precedence over approval filters. Refer to "Filter patches"
on page 168.
Configurations such as “Approve critical security patches, but do not approve
critical security patches with ‘Defender’ in the title” are entirely possible.
Field
Description
TIMING OPTIONS
Configure
individual
patches
This section has three drop-down lists: Available, Approve, and Do Not Approve. The following options are available in each list:
• Filter - You can filter by Priority, May Require Reboot, and May Require User Input.
For more information on Priority, refer to "Filter patches" on page 168.
• Search - As you type into the dynamic search field, the search results are narrowed to
match your search string.
• Sort - You can sort the patches by clicking on any of the following columns: Title, Release
date, Priority, Size, Reboot, User input.
• Hyperlinked patch title - Clicking on the patch title will lead you to a page showing all
devices that are missing this patch / for which this patch has been approved / for which this
patch has been denied (when clicking from the Available / Approve / Do Not Approve list,
respectively).
• Click for more information - Clicking on the information icon
will display further
information about the patch.
• Select - You can select your patches individually by checking the selection box in front
of them. You can also select all of the patches listed by checking the Select All check box
just in front of the Available / Approve / Do Not Approve drop-down.
•
Export all patches to CSV - Allows you to export all patches of the respective list in
.CSV format. It is not possible to select only certain patches for the export. Once you click on
the Export all patches to CSV button, make sure to select the columns you want to include
in the export.
If you have just moved patches from the Available list to the Approve or Do
Not Approve list and want to export the updated list to a .CSV file, make
sure to save the changes first and then click on the Export all patches to
CSV button. This will allow you to see the updated number of patches in
each list's export.
Other configuration options specific to each list are discussed below.
Available
This drop-down lists all patches that have been submitted to the platform but have not yet
been processed. The number of patches is displayed in brackets next to the list name. The
patches are collected from the audit data of all of the devices in the entire account/site, that is,
they are not filtered by the criteria defined in the approval and disapproval sections above.
This section allows you to configure individual patches regardless of any previous filters.
You can, for example, approve a patch here that would have been excluded
through a disapproval filter above.
Once you have selected the required patches, you can perform the following actions that will
override the approval and disapproval filters defined above:
•
Approve - Approving a patch will remove it from the Available list and place it in the
Approve list.
•
Do Not Approve - It will remove the patch from the Available list and place it in the Do
Not Approve list.
Approve
Field
Description
TIMING OPTIONS
This drop-down lists all patches that have been approved through the Available list. The number of patches is displayed in brackets next to the list name.
Once you have selected the required patches, you can perform the following actions:
•
Remove from list - It will remove the patch from this list and push it into the Available
list again, where it can be approved or disapproved by the filters above it.
Do Not Approve
This drop-down lists all patches that have been denied through the Available list. The number
of patches is displayed in brackets next to the list name.
Once you have selected the required patches, you can perform the following actions:
•
Remove from list - It will remove the patch from this list and push it into the Available
list again, where it can be approved or disapproved by the filters above it.
POWER
Boot
The following option is available:
• Wake all targeted devices 10 minutes before policy is due to start - You must have
a network node device in the same site as your targeted devices to use this feature. (Local
Caches can also be nominated as network nodes.) If multiple network nodes are nominated,
all will send requests. Be aware that Wake-on-LAN must be enabled in BIOS/EFI and typically
only works for laptops when they have an active mains connection. For more information,
refer to Wake-On-LAN and "Assign a device to be a network node" on page 183.
Reboot
• Power down devices after patch window has concluded - it will shut down the targeted devices after the patch schedule window.
• Reboot devices, if required, once policy concludes - If necessary, it will reboot the targeted devices after the policy has run.
• Permit rebooting if a USB Mass-Storage Device is connected at scheduled
reboot time - This option becomes available if the "Reboot devices..." option has been selected. Do not select this option if you want to cancel reboots when USB sticks are inserted. This
will stop servers from rebooting into a LiveUSB.
You can always search for devices requiring a reboot using a default Device
Filter. Refer to "Device Filter definitions" on page 131.
• Do not reboot devices after patch window has concluded - This option is selected by
default. It will stop the targeted devices from rebooting after the patch schedule window.
• But show Endpoint a branded reboot reminder every X hour/day - This option
becomes available if the "Do not reboot devices..." option has been selected. It allows you to
show a branded reboot reminder to the end user every 1-12 hours/1 day/2 days. The
reminder will be displayed on the screen until the end user dismisses it. The reminder can be
dismissed indefinitely.
• Permit a maximum of X dismissals, after which time reminders will persist on
screen - This option becomes available if the "But show Endpoint..." option has been selected. It lets you configure how many times (maximum two-digit integer) the end user is allowed
to dismiss the reboot reminder, after which they will no longer be able to dismiss it. If this
option is enabled but no value is set, then the default value of 1 will be used, that is, the end
user will be able to dismiss the reminder only once and the second reminder will persist on
the screen. The branding for the reminder is taken from the Patch Reboot Window image on
the Branding page. Refer to Branding.
9. To activate the policy, click Push changes.
Override Account-level patch policy options at the Site level
Account-level patch policies can be overridden at the Site level. This allows you to change settings at the
Site level without modifying the master (Account-level) policy.
1. Navigate to any of your sites and click on the Policies tab. You will be presented with both Account
and Site Policies.
2. Locate your Account-level patch management policy and click on the Override button, or on the Edit
Override button if the patch policy in question already has an active override. An active override is
also indicated by the Override active
button in front of the policy.
A patch management policy that is only active at the Site level will not have an Override button (and any Override sections within the policy).
3. This will open the patch management policy as configured at the Account level, and you will have the
following options:
Field
Description
Name
These fields cannot be edited.
Policy type
The targets of the policy are inherited from the Account-level policy.
Created
Modified
Targets
TIMING OPTIONS
Override
Turn it ON to be able to edit the settings below. If you turn it OFF again, the settings
will revert.
Schedule
These sections become available as soon as the Override button is turned ON.
For information on the configuration options, refer to "TIMING OPTIONS" on page
162.
Duration
Field
Description
Name
These fields cannot be edited.
Policy type
The targets of the policy are inherited from the Account-level policy.
Created
Modified
Targets
TIMING OPTIONS
PATCH LOCATION
Override
will revert.
Local Cache
This section becomes available as soon as the Override button is turned ON.
For information on the configuration options, refer to "PATCH LOCATION" on page
162.
PATCH APPROVAL
Add Rule
will revert.
Approve these
patches
These sections become available as soon as the Add Rule button is turned ON.
For information on the configuration options, refer to "PATCH APPROVAL" on page
163.
Do not approve
these patches
Configure individual patches
POWER
Override
will revert.
Boot
These sections become available as soon as the Override button is turned ON.
For information on the configuration options, refer to "POWER" on page 166.
Reboot
You can also configure individual patch installations at the Device level, permitting exclusions or tolerances for individual patches. Refer to "Patch management at the Device level" on page 156.
Filter patches
Your patch management policy can use filtering criteria to determine the patches that should be installed on
the targeted devices.
You can filter by the following criteria:
Field
Description
All
This selection will include all patches.
Category
Select a category, such as Critical Updates or Drivers.
Use any of the following qualifiers: Contains, Does not contain, Is empty, Is not empty,
Begins with, Does not begin with, Ends with, Does not end with.
Description
Allows you to filter by the description of the patch.
Download size
You can limit the download size of the patch to a certain number of gigabytes, megabytes, kilobytes, or exact number of bytes.
Use any of the following qualifiers: Less than, Less than or equal to, Equal to, Greater
than or equal to, Greater than, Between.
KB number
Allows you to search for a specific Microsoft Knowledge Base article number the patch
is associated with.
Priority
Allows you to filter by priority, that is, "severity" as specified in Microsoft Security Bulletins. Select any one of Critical, Important, Moderate, Low, Unspecified.
AEM patch management policies reference the severity of the Security
Bulletin classification, not the one in Windows Update. Refer to "A
Note about Microsoft Update Classifications" on page 170.
Reboot behavior
Select from Never reboots (0), Always requires reboot (1), and Can request
reboot (2). It allows you to avoid pushing changes that require a reboot during business hours.
Release Date
Allows you to filter for patches released before or after a certain date, or older than 30,
60 or 90 days.
Request user input
Select either May require, or Does not require.
If you filter for patches that may require user input, schedule them to
install during business hours.
Title
Allows you to filter by the name of the patch.
Type
Allows you to filter by patch type. Select either Software or Driver.
You can filter by multiple criteria. Just click the plus sign
to add another one. Clicking the minus sign
will remove the criterion.
When you add a second criterion, you must select the correct Boolean operator. If both conditions
must be true for the patch to be included in the search results, select AND. If either one must be
true, select OR. Note that when you add additional criteria, you cannot combine AND and OR; the
selection you made below the first criterion is repeated for the subsequent ones.
A Note about Microsoft Update Classifications
Microsoft uses two different security classification systems for their knowledge base articles.
Windows Update references a KB number:
When you click the link from within Windows Update, an article opens up that references a Microsoft Security Bulletin number:
When you click on that link, a page in the Security TechCenter opens:
The importance in Windows Update is shown as Important, but on the Security Bulletin, it is
shown as Critical. AEM uses the Security Bulletin classifications from the Security TechCenter
library, not the ones from Windows Update.
Error 0x8024a204
We have identified a peculiarity involving Microsoft’s handling of patching which results in endpoints displaying the following error when they have installed patches via a local cache (and not sourced them directly
from Microsoft):
This error only appears when endpoints access the Windows Update section of the Settings menu, which
should no longer be a necessary step as updates are delivered automatically without needing the involvement
of Microsoft’s own patch management routines.
We have sourced the issue to the particular method we use to place patches in the update cache directory of
Windows. While thoroughly tested and 100% functional in all cases, it triggers this issue. The error is mean-
ingless, and can be dismissed without concern. Re-checking for updates will clear it from this interface.
Patches that trigger this error will have been installed without issue.
Until Microsoft fix this issue, the error will be shown when endpoints look for it. We apologize for any inconvenience this may cause.
Create a Windows Update Policy
Account > Policies
What is a Windows Update Policy?
The AEM Windows Update Policy is designed to allow AEM to control the Windows Update settings found in
the Control Panel of Windows devices. Setting up a Windows Update Policy allows you to control these settings on multiple devices in multiple sites, instead of just one.
Windows Update policies can be created at account or site level. Refer to "Add a policy" on page 251.
Windows Update Policies and Patch Management Policies
With Windows Update enabled, you allow Microsoft to control the installation of patches.
However, if you are using a patch management policy to install only the patches you have selected, you do
not want the automatic settings of Windows Update installing patches you have not approved. Therefore, you
must first disable Automatic Windows Updates. Refer to "Disable Automatic Windows Updates" on page
176.
How to...
Create a Windows Update policy
Windows Update policies can be created at account or site level. Refer to "Add a policy" on page 251.
Specify the Policy Details for a Windows Update policy
3. Select the type Windows Update.
5. Click Next.
7. Choose one or more of the options under Windows Update Policy Options.
Field
Description
Patch Management Policy
Select one of the following options:
• Automatically detect recommended updates for my computer and install
them.
• Download updates for me, but let me choose when to install them.
• Notify me of updates, but do not automatically install them.
• Turn off Automatic Updates. - When this option is selected, the rest of the configuration options, except for WSUS, will be disabled and unchecked. For more information, refer to "Disable Automatic Windows Updates" on page 176.
Install new
updates
Allows you to select on which day and at what time you want to install the updates.
Recommended
updates
You can select this option:
• Give me recommended updates the same way I receive important updates.
Who can install
updates
• Allow non-Administrative Endpoint Accounts to receive update noti-
fications.
Microsoft
Update
• Give me updates for Microsoft products and check for new optional
Microsoft software when updating Windows.
Field
Description
Restart behavior
You can select any of the following options:
• No auto-restart with logged on users for scheduled Automatic Updates
installations. - If this setting is unchecked, Automatic Updates will notify the user that
the computer will automatically restart in 5 minutes to complete the installations. If
checked, Automatic Updates will wait for the computer to be restarted by any user who
is logged on, instead of causing the computer to restart automatically.
• Re-prompt for restart with scheduled installations. # minutes (max 30) - If
this setting is unchecked, the default delay of 10 minutes will be used. If the setting is
enabled, the restart will occur the specified number of minutes after the previous
prompt for restart was postponed.
• Delay restart for scheduled installations. # minutes (max 1440) - If this setting is unchecked, the default delay of 15 minutes will be used. If the setting is enabled,
the restart will occur the specified number of minutes after the installation is complete.
WSUS
If you have set up a Windows Server Update Services (WSUS) server, it will act as a
location for other Windows devices to pull updates from, rather than each device having to download Windows updates separately. It acts like a local cache, but only for
Windows patches.
• Use custom WSUS Server - Once this option is selected, the rest of the options
will become available. Enter the WUServer address, e.g. http://www.yourwsus.com or
http://192.168.1.1
• Do not allow any connections to Microsoft for Patching or Searching
when using a WSUS Server. - This option becomes available if the "Use custom
WSUS Server" option has been selected.
• Enable Client-side targeting - It specifies the target group name(s) that should be
used to receive updates from an intranet Microsoft update service. If this setting is
enabled, you can enter a target group name or names separated by semicolons (if
the intranet Microsoft update service supports multiple target groups). The specified target group information is then sent to the intranet Microsoft update service which uses it
to determine which updates should be deployed to the device.
Disable Automatic Windows Updates
If you are using an AEM patch management policy to install only the patches you have selected, you do not
want the automatic settings of Windows Update installing patches you have not approved.
The most elegant way to do that is to create a Windows Update Policy to disable Automatic Windows
Update on the devices you want to patch.
1. Create a new Windows Update Policy. Refer to the steps specified above.
2. Under Windows Update Policy Options > Patch Management Policy, select Turn off Automatic
Updates.
3. Leave the rest of the options unchecked.
You can then set up a patch management policy to ensure that you install the necessary patches
on your devices. Refer to "Create a Patch Management Policy" on page 160.
Network Management
At account level, permission to view or manage Account > Manage. At site level, permission to
view or manage Sites > Sites and to manage Sites > Audit.
Account > Manage > click the radio button for Network Management
Sites > select a site > Manage > click the radio button for Network Management
The Network Management page displays the results of a network node scanning the network for active IP
addresses. At the top of the list, you can see network devices that are already managed.
You can then review newly discovered devices, and select the ones you want to add as Managed devices,
and hide devices you don't want to manage.
Network Management is available at account and site level.
Page description
You will see the following areas on the page:
Field
Description
Network
devices
status
A pie chart showing the number of:
• Discovered Network Devices
• Managed Network Devices
• Managed Network Devices with unresolved alerts
Percentage numbers are also displayed in brackets if you hover over the chart.
Field
Description
Top 10
devices
with the
most monitor alerts
unresolved
A list of devices with unresolved monitor alerts. The device with the highest number of unresolved
monitor alerts will be listed first. You will see the following details:
• Site - The site that the device is added to. Refer to "Sites" on page 7.
• Hostname - The name of the device. This can be edited in the device itself.
• Description - The description of the device that can be edited in "Device Summary" on page 119.
• Type - The type of the device.
• Total - The total number of unresolved monitor alerts for each device.
Managed
Network
Devices
The list of your network devices that are managed by a network node device or have been added
manually. Expand the list and you will see the following information displayed by default:
• IP Address - The IP address of the device.
• Ext IP Addr - The external IP address of the device.
• MAC Address(es) - The MAC address(es) of the device.
• SNMP Credentials - The SNMP credentials of the device. Refer to SNMP Credentials.
You can use the Search field and adjust the Show number of entries option towards the top of
the Managed Network Devices section to help you with your selection to perform an action. For
further information, refer to "Action bar icons" on page 181.
Field
Description
Discovered
Devices
(site level
only)
The list of your network devices discovered by one or more network node devices. For further
information, refer to "Discover Devices on the Network" on page 183. Expand the list and you will
see the following information displayed by default:
• NIC Vendor - The name of the vendor of the device.
• Model - The model of the device.
• SNMP v1/v2 Public - A green check mark
indicates if the device's SNMP credentials are v1/v2c
and if the community string is set to public.
To filter your results, use one of the following radio buttons:
• All - Shows all the devices.
• Windows - Shows Windows devices only, flagged with a Windows icon
in the logo column.
• Other - Shows all the devices that have not been identified as Windows devices.
If the devices have been discovered in various subnets, you can group them by turning on the
option Group by Subnet. This will group the devices and an additional blue row will display further information about the subnet (External IP Address, Network, Subnet Mask). You can collapse
or expand the subnet groups as required.
You can use the Search functionality and the Show number of entries at the top of this window
to help you with your selection to perform an action. For further information, refer to "Action bar
icons" on page 181.
Choose the Last Seen By option in the column chooser to see which network
node device last discovered the device.
Field
Description
Hidden
Discovered
Devices
(site level
only)
A list of your hidden discovered network devices. Expand the list and you will see the following
information displayed by default:
• NIC Vendor - The name of the vendor of the device.
• Model - The model of the device.
• SNMP v1/v2 Public - A green check mark
indicates if the device's SNMP credentials are v1/v2c
and if the community string is set to public.
To filter your results, use one of the following radio buttons:
• All - Shows all the devices.
• Windows - Shows Windows devices only, flagged with a Windows icon
in the logo column.
• Other - Shows all the devices that have not been identified as Windows devices.
If the devices have been discovered in various subnets, you can group them by turning on the
option Group by Subnet. This will group the devices and an additional blue row will display further information about the subnet (External IP Address, Network, Subnet Mask). You can collapse
or expand the subnet groups as required.
You can use the Search functionality and the Show number of entries at the top of this window
to help you with your selection to perform an action. For further information, refer to "Action bar
icons" on page 181.
The devices will be flagged with either the Windows logo
, the ESXi logo
, or the Printer logo
once identified. If it has not been possible to identify the device type, the logo column will remain
blank.
Action bar icons
Icon
Name
Description
Export to CSV
Allows you to export a list of the selected devices in .CSV format. Make sure to
select the columns you want to include in the export.
Delete device(s)
Delete the selected device(s).
Refresh
Refreshes the current view. This will show your devices' most up-to-date status.
Manage device
Manage your discovered device. Refer to "Discover Devices on the Network" on
page 183.
Hide discovered
devices
Hide your discovered device if you don't want it to appear in the Discovered
Devices section.
Unhide discovered devices
Unhide your device if you want it to appear in the Discovered Devices section
again.
Icon
Name
Description
Column Chooser
view. You can click on All or None to select or deselect all the options, and you
can restore the default view by clicking on Restore Defaults. Drag and drop any of
the columns to re-arrange their order in the results view. Click Save to apply the
changes or Cancel to discard them.
For information about how to get started with managing network devices in AEM, refer to "Discover Devices
on the Network" on page 183.
To learn about other endpoint management options, refer to "Manage Your Endpoints" on page
145.
Discover Devices on the Network
Adding devices to your AEM account manually can be time-consuming, however, if one of your fully Managed devices is designated as a network node device, it can discover devices on the network for you. The discovered devices can then be added as Managed network devices to your account and you can start
monitoring them.
By default, Agents in Autotask Endpoint Management (AEM) do not interrogate the local network for devices
that are capable of being managed. In order to find those, you’ll need to assign a single device, which has a
Managed Agent installed, as a network node. It is recommended that this is a device that has a high uptime,
for example a server.
Requirements to nominate a device as a network node
l
l
Only desktops, servers, and laptops with up-to-date audit information may be nominated as network
nodes.
The following operating systems are supported: Windows, Mac, Linux
For more information on supported versions of the above operating systems, refer to Supported Operating
Systems and Requirements for the Agent.
How to...
Assign a device to be a network node
1. Click Sites and click on one of your Managed sites.
2. Click Devices.
3. Select the device that you want to designate as a network node.
4. Click the Add/Remove as Network Node icon from the action bar. A drop-down will appear to let
you choose if you are adding or removing a network node.
5. Select Network Node (with network scanning).
6. Click OK on the pop-up window to proceed or click Cancel to stop the action. Once you click OK, the
device is configured to act as a network node to carry out scanning of its local subnet.
Note that the icon for the designated network node device has now changed to green
to
indicate that it has been nominated as a network node.
When a device is elected as a network node, an Online Status Monitor will automatically be
assigned to it. If the device is offline for 5 minutes, the monitor will raise a Critical alert and
send a notification to the default email recipients. For information on how to change the monitor settings, refer to "Create a monitor" on page 239.
You can assign more than one device to be a network node.
7. Select your network node device again and click the Request device audit(s)
bar to force an immediate scan of the network the device is part of.
icon in the Action
8. Click OK to confirm the audit or click Cancel to stop the action.
Allow 10-15 minutes for the audit results to come through.
View the discovered devices
Once a network node has been configured, it will interrogate the local subnet for any active IP addresses. If it
receives a response, it will then attempt to determine the device type and a few other details based on how
that device responds.
To see the devices that have been discovered by the network node, and the information it has collected:
1. Click Sites and click on the Managed site in which you configured your network node device.
2. Click on the Manage tab.
3. Make sure that the Network Management radio button is selected.
4. Scroll down and you'll see three sections:
l
Managed Network Devices
l
Discovered Devices
l
Hidden Discovered Devices
5. Expand the Discovered Devices section to see the devices that the network node has found on this
subnet. The list will show all the information that the network node has been able to find based on the
devices' responses, including logos.
ESXi devices need to listen on port 902 so that a network node device can list them as ESXi
devices. If they are not listening on port 902, they can still be discovered but no ESXi logo
will be displayed for them.
Discovered Devices will be flagged with either the Windows logo
the Printer logo
, the ESXi logo
, or
once identified. If it has not been possible to identify a discovered device
type, the logo column will remain blank.
6. If the network node device moves between networks frequently, you may find that it discovers
devices in a number of different subnets. In order to keep this list organized and orderly, you can
choose to group those devices by IP subnet by turning the Group by Subnet switch to ON at the top
of the list.
By selecting any or all discovered devices, you can export a list by clicking on the Export to CSV
button in the Action bar. You can then select the columns you want to include in the export.
For additional information about the Network Management page, refer to "Network Management"
on page 178.
If the network node has not been able to find any of your SNMP-enabled network devices or printers, network scanning of SNMP devices may have been disabled for your account. For further
information, refer to "Disable network scanning of SNMP devices" on page 188.
Add a discovered device as a Managed network device
Once you have found the device(s) you want to monitor in the Discovered Devices list, they will need to
become Managed network devices in order to be able to have monitors applied. To add a Managed network
device, do the following:
1. In the Discovered Devices list, find the device(s) that you want to manage.
2. Select the device(s) and click the Manage Device icon in the Action bar.
In case you would like to add a printer or an ESXi device as a Managed device, you can also
click on their icon and skip step 3.
3. In the pop-up window, you are asked what sort of device you are trying to add. Click the required icon.
4. You are now prompted for the credentials of the device(s) as these credentials will allow the network
node to connect to them. Enter the credentials manually or select from the ones saved at account or
site level.
If you selected the printer icon in step 2, the screenshot below may be slightly different.
Windows / OS X:
Network device / printer:
ESXi host:
If you select credentials saved at account or site level, the site credentials will be used in
addition to the credentials specified in Account Settings unless this option is disabled in Site
Settings. For further information on what to enter and how to store the credentials for the
entire account or at site level, refer to the Agent Deployment Credentials,
SNMP Credentials, and ESXi Credentials sections in Account Settings and "Site Settings"
on page 20.
5. If you want to manage more than one Windows or OS X device, and the devices got discovered by different network node devices, you will be able to select which network node device the Agent should
be deployed from. Choose the correct network node device from the drop-down list on the top of the
window.
6. Finally, click Deploy or Save. The device(s) will now be listed as Managed devices.
A device listed as Managed device will use an AEM Managed license. This should be considered
when planning for licensing and Agent numbers.
Disable network scanning of SNMP devices
There may be cases when you do not want the Agents to scan for SNMP-enabled network devices. It is possible to stop network scans, however, by doing so you will only be able to add network devices to your
account manually. For information on how to add a network device manually, refer to "Manage and Monitor
SNMP-Enabled Network Devices and Printers" on page 92.
In order to disable network scanning:
1. Click Setup > Account Settings.
2. Scroll down to Custom Agent Settings.
3. Select Use alternative settings for Agent.
4. In the Network Subnet Limit field, set the value to 0 to disable network scanning for the entire
account.
5. Click Save.
You can enable / disable network scanning of SNMP devices for the entire account. It is not possible to do this at site level only.
iOS Software Management
Before you can configure a Software Management policy for an iOS device, you must download the
Mobile Device Management Extension from the ComStore, and deploy an agent to your device.
Permission to view or manage Account > Manage or Sites > Manage AND permission to manage
Policies at account and/or site level
Account > Manage > Software Management
Sites > select a site > Manage > Software Management
About Software Management
Software management is currently available for iOS devices at account and site level. It allows you to create
a policy to target your iOS devices with a list of applications that you previously added to your Component
Library from the iOS App Store.
Software management is currently unavailable for Android devices.
To access the Software Management page in Autotask Endpoint Management (AEM), navigate to:
l
Account > Manage > click the radio button for Software Management or
l
Sites > select a site > Manage > click the radio button for Software Management
Field
Description
Noncompliant
devices
targeted
by the
policy
A pie chart showing which devices are not compliant with your Software Management policy and
need further administrative attention. The devices displayed here have failed to install the applications that the policy attempted to push out. To resolve the issue, refer to "Apply the Software Management policy to non-compliant devices" on page 195.
10 least
compliant
devices
A list of your non-compliant devices. The device with the highest number of apps waiting to be
installed will be listed first. You will see the following details:
• Hostname - The name of your device. This can be edited in the device itself.
• Description - The description of your device that can be edited in "Device Summary" on page 119.
• Type - The type of your device.
• Total - The total number of apps waiting to be installed for each device.
• Quick Fix - Allows you to manually push out the policy to this device. Refer to "Apply the Software
Management policy to non-compliant devices" on page 195.
Account
Policies /
Site
Policies
Expand this section to see the list of Software Management policies created at account or site level.
The list of account policies appears at both account and site level, while the list of site policies only
appears at site level. Once the list is expanded, you will see the following details:
• Name - The name of the policy. Click on the name to edit the policy. Refer to "Edit or remove a Software Management policy" on page 197.
• Targets - The list of targeted devices. A Software Management policy can currently target iOS
devices only.
• Type - Indicates the type of policy. Refer to "Types of policies" on page 237.
• Push changes... - Click Push changes... to immediately push any policy changes to all devices
targeted by the policy. The target icon
changes color
•
Target icon - Clicking on this icon will open a pop-up window to show included and excluded
sites and/or devices targeted by the policy. In the case of Account-level policies, you can filter by
Site Exclusions and Site Manually Enabled, and you can also filter by All Devices, Included
Devices, and Excluded Devices in the case of both Account- and Site-level policies. You can turn
the policy on or off for your sites and devices by toggling the Enabled button to ON or OFF, and you
can push the changes by clicking on the Push changes... button. The target icon
changes color
• Enabled / Enabled for this site - A toggle to turn the policy ON or OFF.
•
Delete - Hover over a row and click this icon to delete the policy.
Field
Description
New
account
policy
Available at account level only. Click on New account policy... to create a new policy. Refer to
"Create a Software Management policy" on page 193.
New site
policy
Available at site level only. Click on New site policy... to create a new policy. Refer to "Create a
Software Management policy" on page 193.
Requirements to create a Software Management policy
Before starting, ensure that your devices are enrolled through the AEM Mobile Device Management (MDM)
service. For further information, refer to "Manage Mobile Devices (MDM)" on page 78.
Make sure you have downloaded the required iOS apps to your Component Library. Refer to "Download iOS
apps" on page 191.
How to...
Download iOS apps
1. Click the ComStore tab and locate the App Store section on the left.
next to Add iOS App to download an application from the iOS App Store.
3. Type the name of the app you wish to download in the Search field and choose a Country from the
drop-down list for the relevant app version.
Instead of the name of the app, you can also enter the bundle ID or app ID in the Search
field. Hover over the blue question mark to the right of the search box to find out more
about the bundle ID or app ID.
4. Click Search. All the applications that contain the string entered will be populated.
5. Once you have found the app you were looking for, click on Add.
6. You will now be able to review the details of the app.
7. Select the option Remove with MDM to allow for the automatic removal of the app from the device,
should the device's MDM profile be removed. For further information about how to remove the
MDM profile of an iOS device, refer to "Uninstall the iOS Agent" on page 85.
8. Click Confirm to download the app.
9. You will now be redirected to the list of your mobile app components.
Create a Software Management policy
Once you have downloaded the required apps from the iOS App Store, you will be able to create a Software
Management policy to push out the apps to your iOS devices. You can create the policy at both account and
site level.
1. Navigate to
Account > Manage or
Sites > select a site > Manage.
2. Click the Software Management radio button.
3. Click New account policy... OR New site policy....
4. Enter a policy Name.
The policy Type will default to Software Management.
If at this point the policy type appears blank and you click on Next, you will not be able to
continue and you will get the following message: Please specify the policy type. In order
to continue, make sure to enable the Mobile Device Management extension. For further
information, refer to "Manage Mobile Devices (MDM)" on page 78.
5. If you would like to copy an already existing policy, you can choose it from the Based on drop-down
list. To create a new policy, select New Policy.
6. Click Next.
If at this point you have not yet downloaded any app from the iOS App Store, you will see the
following information displayed on the top of the page.
In order to continue, make sure you have downloaded your iOS apps to your Component
Library. Refer to "Download iOS apps" on page 191.
7. To target your devices with the policy, click Add a target.
8. From the O/S drop-down, select Apple iOS.
9. Select Device Filter as Target Type.
10. Choose the required filter(s) and click Add.
Filters will present you with a list of the device filters that are in every account and any custom filters you've created yourself.
11. Under Policy Options, click on Add an app... to add the required iOS app(s) to your Gold List.
Your Gold List should contain components you wish to install on all targeted devices.
12. Select the app(s) you wish to push out to the targeted devices. You can use the Search field and
adjust the Show number of entries option at the top of this window to help you with your selection if
necessary.
13. Click Save.
14. You will now be redirected to the policy details window.
15. If any of your apps is a paid one, click on the pencil icon next to your app to add a Redemption
Code. If it's a free app, you do not need to enter a code. Once you have entered the redemption code,
click Save.
16. Review your policy and click Save. This will save the changes you made to the policy which will be
confirmed through a pop-up window on the top of the page.
17. You will now see your list of policies. Click Push changes next to the newly created policy.
The changes will be pushed instantly if the device is online. To learn how to push out the
policy to offline devices, refer to "Apply the Software Management policy to non-compliant
devices" on page 195.
Apply the Software Management policy to non-compliant devices
Once you push out the Software Management policy, the changes will be applied instantly if the device is
online. In case the device is offline at that time, the communication to apply the changes will fail and the
device will be displayed as non-compliant with the policy.
1. In order to continue, you need to make sure the device comes online again so that you can manually
push out the policy.
2. Locate the device in the non-compliant devices list under Software Management. Refer to "About
Software Management" on page 189.
3. Click on the Quick Fix icon next to the device. This will allow you to manually push out the policy
to this device. The following message will be displayed in the Web Portal:
4. Click OK.
5. The following message will be displayed on the device for each app to install:
6. Click Install. The app will now be installed.
If the device has been supervised using Apple Configurator, the user will not see this dialogue and the app will install automatically. They may, however, be prompted to insert their
Apple ID credentials.
7. Once the policy has been pushed to the device and all the apps have been installed successfully, the
device will no longer be displayed in the non-compliant devices list in the Web Portal.
If an app deploy was unsuccessful, you will see the entry populated in the non-compliant
devices list. A pie chart will also appear showing which devices require further administrative attention.
Edit or remove a Software Management policy
1. Locate the policy by navigating to Account > Manage > Software Management OR Sites > select
a site > Manage > Software Management and click on its name.
2. On the Update Software Management Policy page, you can edit the name of the policy and the app
list.
3. Once you have finished editing, click Save. The change will be confirmed through a pop-up window on
the top of the page.
4. You will now see your list of policies. Click Push changes next to the policy you have modified.
The changes will be pushed instantly if the device is online. To learn how to push out the
policy to offline devices, refer to "Apply the Software Management policy to non-compliant
devices" on page 195.
5. To remove the policy, click the Remove Policy icon
next to the policy.
To learn about other policy types in AEM, refer to "Managing Policies" on page 250.
145.
Backup Management
In order to be able to see the Backup Management page, you will need to configure the Datto Integration and associate at least one Datto device with a site in AEM. For further information, refer to
"Datto Backup Integration" on page 202.
Permission to view or manage Account > Manage or Sites > Manage
Account > Manage > Backup Management
Sites > select a site > Manage > Backup Management
About Backup Management
The Backup Management functionality becomes available in Autotask Endpoint Management (AEM) once
the Datto Integration is downloaded and configured for your site. In order to do that, you will need at least one
Datto device and its associated API key. Once the Datto device is associated with a site in AEM, you will be
able to see information and statistics about your protected devices via Backup Management. For more information about Datto and how to configure the integration refer to "Datto Backup Integration" on page 202.
Backup Management is available at account and site level. Navigate to:
l
Account > Manage > click the radio button for Backup Management or
l
Sites > select a site > Manage > click the radio button for Backup Management
Field
Description
Actions
Click the
icon to download a summary of your protected devices in an Excel file. It will display:
• Name of the protected device
• Number of backups
• Date and time of the last backup
• Whether a screenshot was taken successfully
• Whether an offsite backup took place in the last 24 hours
• How much data (GB) is protected
• Name of the Datto device
• Name of the site the Datto device is linked to
Field
Description
Datto
Device
Details
The following details will be displayed of your Datto device:
• Hostname
• Serial Number
• Model
• Internal IP
• External IP
• Last Seen
• Uptime
• Disk Usage (Used / Free / %)
• Offsite Usage (GB)
• Throughput (Rx / Tx)
• Upload Limit (KB/s)
• History - Click the View History icon
to view information about disk usage (GB), throughput
(KB/s) and agent errors.
• Launch Remote Web - Click the hyperlink to log into your Datto account and manage your Datto
device.
Add Addi- Click the link to choose another Datto Device to link to this site in order to see aggregated backup
tional
status. Select your Datto device from the drop-down list and click Save.
Datto
Device
Protection
Status
A pie chart showing the number of protected and not protected devices. Percentage numbers are
also displayed in brackets if you hover over the chart.
Field
Description
Local
Storage
A pie chart showing the used and free space (GB) of the local storage. Percentage numbers are also
displayed in brackets if you hover over the chart.
Devices
Protected
Shows the following information about the devices protected by the Datto device:
• Hostname - The name of the protected device.
• Latest Backup - The time when the last backup took place.
• Latest Sync - The time when the last sync took place.
• Latest Offsite - The time when the last offsite data protection took place.
• Latest Screenshot - Hover over the entry to see the screenshot taken of the protected device.
• Oldest Backup - The time of the oldest backup.
• Free Space (GB)
• Protected Space (GB)
• Datto Usage (GB)
• Device - The name of your Datto device.
•
- Indicates that the backup failed.
•
- Indicates that the Datto device was unable to start a backup because the agent service is
stopped.
•
- Indicates that the action (backup, screenshot, etc.) was performed successfully.
You can use the Search field and adjust the Show number of entries option to help you find your
devices.
145.
Datto Backup Integration
Administrator
Setup > Integrations > Datto
About Datto
Datto is a hybrid cloud backup and recovery service. A Datto device on a local network will perform a snapshot of targeted systems and then back them up to storage in the cloud.
AEM backup management enables AEM to integrate with Datto NAS and view information and statistics
about the backed up devices via the AEM Manage tab.
Prerequisites
You will need at least one Datto device and its associated API key. The API key is available from Admin
> Integrations in the Datto cloud. If this page is not accessible, please contact Datto directly to obtain your
key.
How to...
Download the Datto Integration and enter the API key
To enable the integration, you must download the Datto Integration component from the ComStore and enter
the API key.
1. Click the ComStore tab.
2. Search for and select Datto Integration and click Add to my Component Library to add it to your
account.
3. Navigate to Setup > Integrations and scroll to the Datto section.
4. Enter your Datto API key and click Save.
5. Turn on the Datto integration by sliding the Enabled button to ON.
The Datto integration is now enabled in AEM.
Associate a Datto device with a site in AEM
The next step is to associate a Datto device with a site in AEM. The Datto device must be installed on the
local area network associated with the site.
1. Click on a site and click Manage.
2. Click the Backup Management radio button.
3. Choose a Datto device from the drop-down list to link to this site. This will allow you to see backup
statistics and feedback.
4. Click Save and OK.
5. You have now successfully associated your Datto device with a site in AEM. Sites associated with a
Datto device will display the Datto icon
in the Sites list.
6. The Backup Management page will now display your Datto device details and the protection status of
your devices protected by the Datto device.
For information on what is displayed on the Backup Management page, refer to "Backup
Management" on page 198.
Create a monitor for endpoints backed up by Datto
You can create a monitoring policy in AEM to alert you if any Datto backup incidents occur. Backup alerts will
be delivered at device level via the AEM Agent.
You can create the policy at either account or site level. Refer to "Create a Monitoring Policy" on page 256.
The monitor will alert upon receiving an error feedback from the Datto app on the endpoint.
To manage the backup incident, you will need to access the Datto management screen on the
Datto device.
To learn how to see information and statistics about your Datto protected devices in AEM, refer
to "Backup Management" on page 198.
Security Management
In order to be able to see the Security Management page, you will need to configure the Kaspersky
Endpoint Security (KES) Integration or the Webroot Endpoint Security Integration. For further
information, refer to "Kaspersky Endpoint Security Integration" on page 208 and "Webroot Endpoint
Security Integration" on page 218.
Permission to view or manage Account > Manage or Sites > Manage
Account > Manage > Security Management
Sites > select a site > Manage > Security Management
About Security Management
Security Management lets you report on your device estate protected by Kaspersky Endpoint Security (KES)
or Webroot. It allows you to see information and statistics about the current status of your devices and recent
detected threats. Security Management becomes available once you have downloaded and configured the
KES Integration or Webroot Endpoint Security Integration. For more information, refer to "Kaspersky Endpoint Security Integration" on page 208 and "Webroot Endpoint Security Integration" on page 218.
Security Management is available at account and site level. Navigate to:
l
Account > Manage > click the radio button for Security Management or
l
Sites > select a site > Manage > click the radio button for Security Management
Field
Description
All / KES /
Webroot
Depending on whether you have configured KES or Webroot for your account, these radio buttons
in the top right area of the Security Management page let you choose one or all of the security
products.
All devices
/ Servers /
Workstations
A pie chart showing the status of All devices / Servers / Workstations secured by the selected
security product.
Select one of the radio buttons to see the required device type and hover over the chart to see the
number and status of the devices. Percentage numbers are also displayed in brackets.
Click a piece in the pie chart to see statistics about those devices only in the Active threats in the last 30 days chart on the right of the page.
Field
Description
Active
threats in
the last 30
days
A chart showing the number of threats on your devices in the last 30 days. Hover over a date to
see the exact number.
If only KES is selected as security product, the chart will show the following:
• Active threats
• Detected threats
If only Webroot is selected as security product, the chart will show the following:
• Active threats
• Threats blocked
In our example, we selected all the security products:
Select the required device type (All devices / Servers / Workstations) on the left
of the page above the pie chart to see statistics about that device type only.
145.
For information about security management policies, refer to "Create a Security Management
Kaspersky Endpoint Security Integration
Administrator
Setup > Integrations > Kaspersky Endpoint Security
About Kaspersky Endpoint Security
Kaspersky Lab provides IT security solutions and services, such as anti-virus, anti-malware and firewall
applications to protect businesses, critical infrastructure, governments and consumers around the globe. The
company's portfolio includes endpoint protection and a number of security solutions to fight online threats.
The Autotask Endpoint Management (AEM) integration with Kaspersky Endpoint Security (KES) allows you
to manage and administer your KES anti-virus solution from within the AEM Web Portal. With the integration
enabled and a KES security management policy configured, you can:
l
Deploy KES to Windows and Mac devices (refer to "Supported versions" on page 208 for further
information)
l
Keep track of KES licenses and configuration files from within AEM
l
Uninstall incompatible anti-virus solutions or KES from your endpoints
l
l
Monitor your endpoints to be alerted as per the criteria configured in the KES security management
monitor details
Report on the current status of KES throughout your device estate
You no longer need to specify a Configuration File Password when adding your KES configuration file on the KES Integration page. The password is now used during the installation
process and needs to be specified in the KES security management policy. For further information, refer to "Add your KES agent configuration file" on page 211 and "Create a Security Management Policy" on page 227.
Supported versions
Windows
l
KES 10 MR2 - version 10.2.4.674
l
KES 10 MR1 - version 10.2.2.10535
l
KES 10 - version 10.2.2.0
l
KES 10 - version 10.2.1.0
Mac
l
KES 10 MR2 - version 10.0.0.327b
l
KES 8 and later versions
Support is not provided for mobile devices.
Requirements
l
You must be an Administrator in AEM to set up the KES Integration.
l
You must have a valid KES license key.
In order to deploy KES to Mac devices, you need to upload the license key file supplied by
Kaspersky when setting up the integration.
Supported operating systems and incompatible products
Windows
For a full list of supported Windows operating systems, as well as general, hardware and software requirements for KES version 10.2.4.674 for Windows, refer to the following Kaspersky support article:
Kaspersky Endpoint Security 10 for Windows - Version 10.2.4.674: Hardware and Software
Requirements.
Mac
For a full list of supported Mac operating systems, as well as requirements for KES version 10.0.0.327b for
Mac, refer to the following Kaspersky support article:
Kaspersky Endpoint Security 10 for Mac.
List of incompatible products
A number of anti-virus products are incompatible with KES and can be removed when KES is installed if the
corresponding install option is selected in the KES security management policy. Refer to "Create a Security
For a full list of incompatible products, refer to the following Kaspersky support articles:
List of applications incompatible with Kaspersky Endpoint Security 10 for Windows
List of applications incompatible with Kaspersky Endpoint Security 10 for Mac
How to...
Download the Kaspersky component
1. Log into your AEM account and click on the ComStore tab.
2. Search for the Kaspersky Endpoint Security component.
Do not confuse this with the component called “Kaspersky 2011 Internet Security monitor”.
3. Open it and click Add to my Component Library to download it.
As soon as you download KES for your account, a new section will be added to Account Settings
and Site Settings. Refer to Windows Security Center Audit and "Kaspersky Endpoint Security" on
page 25. At the same time, the anti-virus summary will slightly change at both account and site
level. Refer to "Account Dashboard" on page 365 and "Site Summary" on page 16.
Add your license key
1. Navigate to Setup > Integrations.
You will now have a new section on the Integrations page called Kaspersky Endpoint Security.
2. In the Licenses area, click Add license.... The Add new License Key window will open.
Complete the following fields:
Field
Description
Name
Enter a name for the license key.
Description
Enter a description.
Security
Type
Use the radio button to select:
• Upload Key File - This will allow you to upload the key file provided by Kaspersky.
Uploading the key file is mandatory for deploying KES to Mac devices.
• Key - This will allow you to continue without uploading the key file provided by Kaspersky.
To minimize potential errors, we recommend that you upload the .key file
supplied by Kaspersky.
Key
Enter your Kaspersky key.
Upload
Key File
If you selected Upload Key File under Security Type, click the Choose file button to
upload the key file provided by Kaspersky. Uploading the key file is mandatory for deploying KES to Mac devices.
Expiration
Date
Enter the expiration date of your Kaspersky key.
Number of
Endpoints
Enter the number of endpoints secured by this key. The maximum number of endpoints
allowed is 20,000.
AEM does not currently get expiry and endpoint information from Kaspersky. Please provide
accurate information, or the integration will stop working without warning.
3. Click Add.
Your license information will appear on the Integrations page. You can add as many licenses as you
have available by repeating steps 1-2.
The Number of Devices column displays the number of devices targeted by a
KES security management policy. Once a device is added to the policy or removed from it
(by being removed from the target of the policy or by getting excluded from the policy associations), the device count will increase or decrease accordingly.
Add your KES agent configuration file
The KES configuration file is a .cfg file that contains settings for all the installed components of KES (e.g.
scan settings, whitelisting, exclusions, etc.). You can either add your own configuration file or use the
Default Mac Configuration File and Default Windows Configuration File provided on the integration
page.
If you choose to use any of the default configuration files, you still need to download a copy and
upload it to your account using the Add new configuration file... button.
1. To start with any of the default configuration files, locate the Configuration Files area and click the
green Download arrow on the right of a configuration file to save it to your computer. Then click Add
new configuration file....
To use your own configuration file, click Add new configuration file....
Field
Description
Operating
System
Select the operating system of the endpoint device the Kaspersky agent will be monitoring.
Name
Enter a name for the configuration file
Description
Enter a description for the configuration file.
Configuration
File
To upload either your own configuration file or any of the default configuration files downloaded in step 1, click the green Upload the Configuration File arrow.
3. Once you have filled in all the fields and uploaded your configuration file, click Save.
4. You can add as many configuration files as you wish.
The configuration file currently used in a KES policy will display the This Configuration
File is in use icon under the In Use column.
5. To edit the uploaded configuration files, click the pencil icon. Make the changes in the Edit Configuration File window and click Save.
Each time you modify a configuration file, its version number under the Version column will
increase by one.
Each time you modify a configuration file, the Force all associated policy updates icon
will become activated next to it. Clicking on the icon will push any change made to the configuration file to all the devices that are currently using it and the devices will apply the
changes accordingly.
6. To delete a configuration file, click the Remove this Configuration File button
row.
at the end of the
You cannot delete or modify the default Windows and Mac Configuration File.
Prior to KES version 10.2.4.674 (Windows) and KES version 10.0.0.327b (Mac), you had to specify a password when adding a configuration file on the KES integration page. The password
has now been moved from the configuration file and is used during the installation process. All
previous configuration file passwords have been migrated to already existing policies. For further information, refer to "Configure the security management install options" on page 228.
You have now successfully completed the setup of the Kaspersky Endpoint Security Integration. Follow the
steps below to deploy the Kaspersky agent to your endpoints and enable monitoring.
Deploy the KES agent and enable monitoring
Now that you have set up the integration with your license files(s) and configuration file(s), you can use the
power of AEM to push out the Kaspersky Endpoint Security agent.
Set up a Security Management Policy to push out KES to your devices and to raise alerts and tickets as
per the criteria you set in the monitor details. You can create the policy at either account or site level. For further information, refer to "Create a Security Management Policy" on page 227.
Use the KES security management commands
Once you have downloaded Kaspersky Endpoint Security from the ComStore, the KES Run Security Management Command button
becomes available in the Action bar on the Devices page in each Managed
site. Selecting a device and clicking this button will allow you to run a security command on your device.
The selected device needs to be targeted by a KES security management policy so that you can
run a security management command on it. If a device is targeted by a security management
policy, a security status indicator is displayed next to it. Refer to "Check security status indicators"
on page 216.
1. Navigate to Sites and open a Managed site associated with a KES security management policy. To
learn about KES policies, refer to "Create a Security Management Policy" on page 227.
3. Select one or more of your devices targeted by the security management policy, and click the KES
Run Security Management Command button in the action bar.
4. The following commands will become available:
Command
Description
Activate Security Management
Re-activates the site's KES security management policy on the
selected device(s) either by including the device(s) in the policy
target again or by re-activating a disabled policy.
This action will only take place if the selected
device has previously been targeted by a KES
policy.
Deactivate Security Management
Excludes the selected device(s) from the site's KES security
management policy.
Reset Security Status KES
Resets the security management status on the device and triggers a deployment of KES if it's not installed on it.
For example, if the installation of KES had been
unsuccessful on your device through a KES policy
but you managed to solve the issue on your device
in the meantime, running this command will
attempt to install KES on your device again.
5. Once you have selected a command, click OK and the requested action will be performed.
Uninstall KES
To be able to uninstall KES from your endpoints, you must ensure the Kaspersky Endpoint Security Integration is enabled and set up for your account and your endpoints are targeted with a KES security management policy. To uninstall KES from these devices:
1. Log into your AEM account and navigate to the account or site policy which targets the devices you
want to uninstall KES from.
2. Remove the required devices from the list of target devices.
3. Make sure that the Uninstall KES from the devices that are removed from the list of target
devices option is selected in the Security Management Install Options area.
4. Click Save and click Push changes.
If Allow force reboot is checked in the Security Management Install Options, the device
will automatically reboot after KES has been uninstalled.
Check statistics and report
Click Download KES Installation CSV Report on the KES Integration page to have a quick overview of
the number of KES installations in each site of your AEM account.
After downloading the KES component, you will have access to a KES report at account level. Refer to
"Reports at Account Level" on page 412.
To learn how to see information and statistics about your devices with the KES agent installed, refer to
"Security Management" on page 205.
You can also create a custom filter to search for devices with a specific security management status. Refer
to "Filters" on page 130 and "Check security status indicators" on page 216.
Check security status indicators
In the Web Portal, sites with an active KES policy will display the Kaspersky logo
:
If a device is targeted by an active KES security management policy, various security status indicators may
appear next to it.
The same icons are displayed in the AEM Managed Anti-Virus Summary section on the "Site Summary"
on page 16 and "Account Dashboard" on page 365 pages.
AEM relies on the information received from KES and updates a device's security status as soon
as it's updated in KES.
Icon
Description
Installed & Active
Not Installed
Installed, not Active
Reboot Required
Active Threats
Icon
Description
Needs Update
Within 48 hours after deployment OR 30 minutes after the first reboot, KES will
ignore the Needs Update status and alerts. This is because it can take a long and
sometimes varying amount of time for the database to update. In this timeframe, the
delay is designed to stop excessive alerting to take place that tends to overwhelm
MSPs with the Needs Update status, whereas the update is in progress and just taking time.
No Valid License
One device may have more than one security status. In such cases, the highest priority security
status will be shown on device list pages. All other security statuses will be hidden under an arrow
to the right of the first security status. You can open the list by clicking on the arrow.
Webroot Endpoint Security Integration
Administrator
Setup > Integrations > Webroot Security Agent
About Webroot
Webroot provides cloud-based, real-time Internet security against viruses, spyware, and other online threats.
Its SecureAnywhere® suite of security products for endpoints, mobile devices and corporate networks delivers advanced Internet threat protection to customers.
The Webroot Endpoint Security Integration allows MSPs to deploy Webroot's lightweight software, and to
monitor and support the endpoints secured by Webroot directly from the Autotask Endpoint Management
(AEM) interface. With the integration enabled and a Webroot security management policy configured, you
can:
l
Deploy Webroot to Windows and Mac devices
l
Uninstall Webroot from your endpoints
l
Monitor your endpoints to be alerted as per the criteria configured in the Webroot security management
monitor details
l
Run Webroot-specific commands on your endpoints from device list pages
l
Report on the current status of Webroot throughout your device estate
For information about how to set up a security management policy for Webroot, refer to "Create a Security
For an overview of the Webroot Endpoint Security Integration, please watch our training video:
AEM Webroot Integration Overview
Supported versions
l
8.0.4.47 and later versions for both Windows and Mac
Support is not provided for mobile devices.
Requirements
l
l
You must be an Administrator in AEM to set up the Webroot Integration.
You need at least one valid Webroot Site Key to be able to configure the Webroot Integration. You can
obtain it from the Webroot Console once you log into the Console. For assistance, we recommend
that you contact Webroot.
Supported operating systems
Windows
For a full list of supported Windows operating systems, as well as general, hardware and software requirements, refer to the following Webroot article and scroll down to the For PC section:
Webroot SecureAnywhere System Requirements
Mac
For a full list of supported Mac operating systems, as well as general, hardware and software requirements,
refer to the following Webroot article and scroll down to the For Mac section:
Webroot SecureAnywhere System Requirements
How to...
Download the Webroot component
1. Log into your AEM account and click on the ComStore tab.
2. Search for the Webroot Endpoint Security component.
3. Open it and click Add to my Component Library to download it. This will add the Webroot Security
Agent section to Setup > Integrations.
As soon as you download Webroot for your account, a new section will be added to Account Settings and Site Settings. Refer to Windows Security Center Audit and "Webroot Security Agent" on
page 25. At the same time, the anti-virus summary will slightly change at both account and site
level. Refer to "Account Dashboard" on page 365 and "Site Summary" on page 16.
Configure your mapping rules
You can specify mapping rules that will associate a set of characters from the Webroot site name with a set
of characters from the AEM site name. The association of Webroot sites with AEM sites will be performed
automatically upon importing your Webroot Site Keys, so you will not have to manually map the imported Site
Keys.
For example, having the rule to associate "location" with "office" will map your Webroot Site Key
called "Location 1" to your AEM site called "Office 1". For information about importing your Site
Keys, refer to "Add or import your Webroot Site Keys" on page 220.
1. Navigate to Setup > Integrations.
2. Locate Webroot Security Agent.
3. In the Mapping Rules section, click Add New Mapping Rule.
4. In the Add New Mapping Rule window, enter your Webroot variable and AEM site variable and click
Add.
5. The new mapping rule will be added to the Mapping Rules section of the Webroot integration.
You can now import your Webroot Site Key(s) and if a matching variable is found, your corresponding
AEM site(s) will be associated with the Webroot Site Key(s).
Add or import your Webroot Site Keys
In order to be able to create a Webroot security management policy in AEM, you need to add your Webroot
Site Key(s) to the Webroot integration. You have two options to do so: add your Site Keys manually or import
them.
Add your Site Keys manually
1. In the Site Keys section, click Add Webroot Site Key. The Add New Webroot Site Key window
will open.
Field
Description
Name
Enter a name for the Webroot Site Key.
This field has a limit of 255 characters.
Description
Enter a description for the Webroot Site Key.
Site Key
Enter your Webroot Site Key. You can obtain it from the Webroot Console.
Mapping to AEM Site
Click on Manual Mapping to be able to map your selected AEM site
(s) to this Webroot Site Key.
3. Click Add.
4. Should you wish to add more than one Webroot Site Key, repeat steps 1-3.
Import your Site Keys
1. You can also import your Webroot Site Keys to AEM. Click on Download CSV Template, Download XLS Template or Download XLSX Template to the right of the screen, just above the Site
Keys section.
2. Open the downloaded file and add the following information: Name, Description and Site Key. Save
your file.
3.
The Name field has a limit of 255 characters.
4. Click Import Webroot Site Keys in the AEM Web Portal. Browse your saved file and upload it to the
Web Portal. Your Site Key information will now appear on the Integrations page.
5. You have the option to set one of the Site Keys as default by selecting the Default Site Key radio button. If you no longer wish to use this Site Key by default, click on its radio button and the selection will
be cleared.
The default Site Key will be used in Webroot security management policies if there is no Site Key associated with the AEM site that the device belongs to. For further information, refer to "Create a Security
The Number of Devices column displays the number of devices targeted by a Webroot security
management policy. Once a device is added to the policy or removed from it (by being removed
from the target of the policy or by getting excluded from the policy associations), the device count
will increase or decrease accordingly.
To edit a Webroot Site Key, click the pencil icon
next to it and update the information. You can
also update its mapping rule. To delete a Site Key, click the Remove this License Key icon
next to it.
Deploy Webroot and enable monitoring
Now that you have set up the integration, you can use AEM to deploy Webroot to your endpoints.
Set up a Security Management Policy to push out Webroot to your devices and to raise alerts and tickets
as per the criteria you set in the monitor details. You can create the policy at either account or site level. For
further information, refer to "Create a Security Management Policy" on page 227.
Use the Webroot security management commands
Once you have downloaded Webroot Endpoint Security from the ComStore, the Webroot Run Security Management Command button becomes available in the Action bar on the Devices page in each Managed
site. Selecting a device and clicking this button will allow you to perform quick AEM Webroot actions on your
device or run Webroot Console commands on it. The results of the Webroot Console commands will be
shown in your Webroot Console.
1. Navigate to Sites and open a Managed site associated with a Webroot security management policy.
To learn about Webroot policies, refer to "Create a Security Management Policy" on page 227.
3. Select one or more of your devices targeted by the security management policy, and click the Webroot
Run Security Management Command button in the action bar.
4. The following commands will become available:
AEM Webroot Actions
Activate Security Management
Re-activates the site's Webroot security management
policy on the selected device(s) either by including the
device(s) in the policy target again or by re-activating a
disabled policy.
This action will only take place if the selected device has previously been targeted by
a Webroot policy.
Deactivate Security Management
Excludes the selected device(s) from the site's Webroot
security management policy.
Uninstall Security Product
Uninstalls Webroot from the device.
If Webroot was installed on the device outside of AEM
(via an .exe installer) using a password, enter the same
password in the Password field once you have selected the Uninstall Security Product command.
The password field should be left blank in any other
scenarios.
AEM Webroot Actions
Reset Security Status Webroot
Resets the security management status on the device
and triggers a deployment of Webroot if it's not installed
on it.
For example, if the installation of Webroot
had been unsuccessful on your device
through a Webroot policy but you managed
to solve the issue on your device in the
meantime, running this command will
attempt to install Webroot on your device
again.
Webroot Console Commands
Trigger "Agent Poll"
Triggers a poll and program update by forcing the
device to check in to the cloud.
Run a Deep Scan
Runs a deep scan on the device.
Run Full System Scan
Runs a full system scan on the device.
Running a full system scan is slower and
uses more resources than the default
deep scan, therefore, we recommend
you run a default deep scan on your
device(s).
Run Scan With Clean-Up
Runs a scan on the device and automatically removes
any detected infections.
Verify Authenticity of Webroot Services
Forces the device to check in to the cloud to see if Webroot services are authentic.
Trigger a File Scan
Triggers a scan of a specific file or path on the device.
Once the command is selected, you can enter the
required path name.
Enable Realtime Protection
Enables real-time protection if the Webroot agent is offline.
The selected device needs to be targeted by a Webroot security management policy so that
you can run a security management command on it. If a device is targeted by a security management policy, a security status indicator is displayed next to it. Refer to "Check security
status indicators" on page 225.
5. Once you have selected a command, click OK and the requested action will be performed.
Scans performed by the Webroot agent run silently. The Webroot tray icon will not change
when a scan is running.
Uninstall Webroot
To be able to uninstall Webroot from your endpoints, you must ensure the Webroot Endpoint Security Integration is enabled and set up for your account and your endpoints are targeted with a Webroot security management policy. To uninstall Webroot from these devices:
1. Log into your AEM account and navigate to the account or site policy which targets the devices you
want to uninstall Webroot from.
2. Remove the required devices from the list of target devices.
3. Make sure that the Uninstall Webroot option is selected in the Security Management Install
Options area.
4. Click Save and click Push changes.
You can also run the Uninstall Security Product command on your devices. For more information, refer to "Use the Webroot security management commands" on page 222.
Check statistics and report
After downloading the Webroot component, you will have access to a Webroot report at account and site
level. Refer to "Reports at Account Level" on page 412 and "Reports at Site Level" on page 382.
To learn how to see information and statistics about your devices with Webroot installed, refer to "Security
Management" on page 205.
You can also create a custom filter to search for devices with a specific security management status. Refer
to "Filters" on page 130 and "Check security status indicators" on page 225.
Check security status indicators
If a device is targeted by an active Webroot security management policy, various security status indicators
may appear next to it.
The same icons are displayed in the AEM Managed Anti-Virus Summary section on the "Site Summary"
on page 16 and "Account Dashboard" on page 365 pages.
Icon
Description
Installed & Active
Not Installed
Icon
Description
Installed, not Active
Reboot Required
Active Threats
Needs Update
No Valid License
In case your device shows this security status, we recommend that you contact Webroot.
One device may have more than one security status. In such cases, the highest priority security
status will be shown on device list pages. All other security statuses will be hidden under an arrow
to the right of the first security status. You can open the list by clicking on the arrow.
Create a Security Management Policy
In order to be able to create a security management policy, you need to configure the Kaspersky
Endpoint Security (KES) Integration or the Webroot Endpoint Security Integration. Refer to "Kaspersky Endpoint Security Integration" on page 208 and "Webroot Endpoint Security Integration" on
page 218.
Account > Policies
What is a security management policy?
This type of policy is used with the Kaspersky Endpoint Security (KES) Integration and the Webroot Endpoint
Security Integration. Once you have set up any of the two integrations for your Autotask Endpoint Management (AEM) account, you can create a security management policy that will allow you to push out Kaspersky or Webroot to your endpoints and raise alerts and tickets as per the criteria set in the monitor details. You
can create the policy at account or site level.
A device cannot be targeted by two different kinds of security policy. For example, if your
device is targeted by a KES policy, it cannot be targeted by a Webroot policy as well.
How to...
Specify the security management policy details
1. Navigate to Account > Policies or Sites > click on a site name > Policies.
2. Click New account policy... or New site policy....
3. Enter a policy Name.
4. Under Type, select Security Management Policy.
5. You will now be able to select the Security Product that you want to create the policy for. Select KES
or Webroot from the drop-down.
You will only see KES and Webroot in the list, if you have configured the integrations. Refer
to "Kaspersky Endpoint Security Integration" on page 208 and "Webroot Endpoint Security
Integration" on page 218.
7. Click Next and you will be presented with the policy details.
Add a target
To target your devices with the policy:
1. Click on Add a target.
2. Select the required Target type. For information about target types, refer to "Filters" on page 130 and
"Groups" on page 142.
3. Choose the required filter(s) or group(s).
4. Click Add.
5. If you want to add more than one target type, repeat steps 1-4.
Configure the security management install options
In the Security Management Install Options section, you can configure the following options:
Security
product
Install options
KES
• Password - Enter your KES password. If the password entered here is incorrect, the installation will
be unsuccessful.
Prior to KES version 10.2.4.674 (Windows) and KES version 10.0.0.327b (Mac), you had to specify a
password when adding a configuration file on the KES integration page. The password has now
been moved from the configuration file and is used during the installation process. All previous configuration file passwords have been migrated to already existing policies.
If you have an already existing KES policy, make sure that the policy password
matches the password of your existing configuration file. You can request the last
used password of your existing configuration file via email from within the policy.
Refer to "Configure the security management policy options" on page 230.
The password cannot be changed once the policy has been saved.
• Uninstall incompatible products - Uninstalls other anti-virus products from the endpoints.
• Allow force reboot - Allows automatic restart of the computer if it's required after the installation of
the application.
• Microsoft exclusions - Allows adding areas that are recommended by Microsoft to the
KES exclusions.
• Kaspersky Lab Scan exclusions - You can define processes, files, areas on the disk and some
threats as excluded objects which can be added to the trusted zone so that they are excluded from
the scan.
• Kaspersky Security Network - Kaspersky Security Network (KSN) is a special security network
that allows users to get additional protection level, applications' reputation data, websites' reputation
data, and quick reaction on new threats.
• Uninstall KES from the devices that are removed from the list of target devices - If this
option is selected, KES will be uninstalled from the devices if they are removed from the policy's target list.
Webroot
• Webroot Console Group - Allows you to enter a group name or group ID from the Webroot Console so that specific settings can be applied.
• Language - Select any of the following languages from the drop-down: English, Japanese, Spanish, French, German, Italian, Dutch, Korean, Simplified Chinese, Brazilian Portuguese, Russian, Turkish, Traditional Chinese. By default the language is set to English.
• Proxy Settings - Select any of these settings: No Proxy, Auto Proxy, Manual Settings. By default,
it's set to No Proxy. Should you select Manual Settings, you will be required to fill in the following
fields: proxy host, proxy port, proxy username, proxy password and proxy authentication (any, basic,
digest, negotiate, NTML).
• Uninstall Webroot - If this option is selected, Webroot will be removed from the devices if the Webroot policy is removed or the device is removed from the list of targeted devices.
If you already have KES or Webroot installed in your environment, the policy will not attempt to
install the agent again. It will simply monitor that agent according to the policy you set up.
In case of previous compatible KES versions where KES was installed without a password, please
ensure to manually set your password in KES. It must match the password used in the
KES security management policy so that the policy settings can be applied on the targeted device
(s).
Configure the security management policy options
This section is configurable for KES only.
Under the Security Management Policy Options section, you need to select:
l
The KES license you want the device count to go against
l
The Windows / Mac Configuration File you want to use for the KES deployment
If you have an existing KES policy and would like to find out which password was last used for that installation:
1. Open the policy from the policy list at account or site level.
2. Scroll down to the Configuration Files section.
3. Click the Request Password icon
next to the configuration file.
4. An email will be sent to the Account Administrator who registered the account. The email will contain a
list of devices that have applied the configuration file along with the last password.
By clicking on the Manage Licenses and Manage Configuration Files hyperlinks in the Security Management Policy Options area, you will be directed to the KES integration page where
you can edit them.
Add a monitor
When setting up a KES security management policy, a monitor is applied to the policy by default. You can
modify the monitor by clicking on the pencil icon , delete it by clicking on the Remove this monitor icon
, or you can add further monitors.
You can also apply one or more monitors to your Webroot security management policy, and edit or delete
them as required.
For more information, refer to "Create a monitor" on page 239.
Once you have configured your monitor(s), you will be re-directed to the policy details page.
Click Save. This will save the changes you made to the policy which will be confirmed through a pop-up window on the top of the page.
You will now see your list of policies. Click Push changes next to the newly created policy.
The targeted devices will now be notified that a new policy has been applied and you will start to see alerts
(as well as receive them via email if you configured that option) for any device that meets the criteria set in
the policy.
The changes will be pushed instantly if the Agent is online or as soon as it checks in to the
platform. The security product will be installed first (if required). The policy will be pushed out
after the install.
To learn how to view an alert in the Web Portal, refer to "Manage Alerts" on page 346.
Edit the policy
1. Locate your policy on the account or site policy list and click on its name.
2. Edit the policy details.
3. Save your policy and push the changes.
The changes will be pushed instantly if the Agent is online or as soon as it checks in to the platform.
Monitors and Policies
About Monitors
Monitors keep track of attributes, processes and events on devices they are deployed to, and raise an alert
when the device is not operating within specified parameters. They can be created on the Device > Monitor
tab and applied to a single device, or they can be created at account and site level as part of a monitoring
policy, and can target specific filters and groups at either level.
SNMP monitors (that is, the monitors available for Managed network devices) can only be applied at device
level. For further information, refer to "Monitor a Managed network device" on page 95.
ESXi monitors (that is, the monitors available for ESXi devices) can only be applied as part of a policy. For further information, refer to "Create an ESXi Policy" on page 104.
Monitors do not run on mobile operating systems at all.
Types of monitors
Monitors keep track of a great variety of processes, statuses and settings. They fall into one of these groups:
Device health monitors
Monitor Type
Function
Operating system
A device with the Autotask Endpoint Management (AEM) Agent
installed normally checks in with the Web Portal every 90
seconds. If it does not (due to a power or network outage, for
example), AEM will see this device as offline. This is particularly
useful for servers (since they should never really go offline without
you knowing about it).
In the case of ESXi servers, the monitor waits for the device to
come online first. If the device is already online, monitoring will
start immediately. If the device is offline, the monitor will only start
monitoring the device once it has come online and then gone
back offline. Every network node device will try to contact the ESXi
host to see if it responds.
Windows
Mac
Linux
VMware ESXi
CPU Monitor
There may be times when your device runs noticeably slower than
usual. While there may be a number of reasons for this, one can
be the device's high CPU usage. It is normal to have high CPU
usage occasionally, but having it for a longer period of time might
indicate hardware or software problems or may even be a sign of
virus or adware infection. Monitoring your devices' CPU usage
may help you proactively address further issues.
Windows
Mac
Linux
Monitor Type
Function
Operating system
Memory Monitor
There may be times when your device gets slower than usual,
freezes, fails to start certain programs or even restarts while you
are working on it. While there may be a number of reasons for this,
one can be a device's high memory usage. To optimize your
device's memory performance, you may want to use monitoring
which may help you proactively address further issues.
Windows
Mac
Linux
Component Monitor
Component monitors are scripts that regularly run on your devices
and raise an alert if a specific condition is met. You can find and
download a number of pre-configured component monitors from
the ComStore, covering anti-virus packages, backup systems,
CPU temperature, predicted hard drive failures, etc. Refer to
"Download a component to your workstation" on page 334.
When one of these components is run on a device, it will raise an
alert if an issue occurs, for example, if your anti-virus definitions
are out of date or if the anti-virus software is not running.
You can also create and add your own monitoring scripts to your
Component Library if you need to be able to generate alerts
based on specific requirements. To learn how to start writing and
uploading these scripts to your account, refer to "Create a Custom
Component Monitor" on page 338.
Windows
Mac
Linux
Process Monitor
There may be times when you would want to prevent end users
from being able to use certain programs on their devices (e.g. torrent software).
In order to have more control over which programs can run on a
device, you can set up a process monitor and instruct the Autotask
Endpoint Management (AEM) agent to look out for such processes
and kill them once an alert is raised.
You can also configure the monitor to raise an alert if a process is
not running or if it has reached a certain CPU or memory usage.
Note that too many unnecessary or unwanted processes can slow
down the device, so being able to control the processes that run in
the background may help you to improve the overall system performance.
Windows
Mac
Linux
Service Monitor
Services are applications that operate in the background on your
device and while some of these are useful and necessary for the
optimal running of a device, you may not need others. Certain
third-party applications install their own services but your operating system has its default services as well. In Windows, for
example, they can be configured to start at the same time as the
operating system does or they can be set to start delayed. Also, if
you don't need a particular service, it can be stopped or disabled
to run altogether.
To ensure that critical services, such as WSUS (Windows Server
Update Services) or Exchange are running on your device, the
Autotask Endpoint Management (AEM) agent can be instructed to
look out for these services and attempt to restart them, should they
have stopped. By applying a service monitor, the AEM Agent can
also be instructed to stop services or raise an alert if a service has
reached a certain CPU or memory usage.
Windows
Monitor Type
Function
Operating system
Event Log Monitor
The Windows Event Log is a rich source of information about the
health and status of the devices you manage and support. A huge
number of operating system features as well as the applications
that are running on the device will write to the Event Log
whenever they encounter problems.
This means that you can see events like virus infections, backup
status or even pending hardware failures by looking at specific
event log entries. Autotask Endpoint Management (AEM) can be
used to monitor the event logs and raise an alert whenever the
entries you're particularly interested in are created.
Windows
Software Monitor
With the help of the Autotask Endpoint Management (AEM) agent,
you can easily follow whether a certain software package has
been installed or uninstalled on your endpoints or if it has
changed version.
Windows
Security Center
Monitor
Action Center (formerly known as Windows Security Center)
checks the security and maintenance settings of your Windows
device and displays a notification if it identifies any issues. To find
out more about what settings it looks at, refer to Action Center.
The Autotask Endpoint Management (AEM) agent can be instructed to monitor whether the Windows Security Center (Action
Center) is enabled or disabled on your device.
Windows
Disk Usage Monitor
Low disk space on a device can result in poor performance, applic- Windows
ation problems and, eventually, user complaints when they cannot
save any more data. If the available space on your hard drive
drops below a certain threshold, the device may not be reliable
anymore, therefore, it is important to be aware of any disk space
issues.
File/Folder Size
Monitor
At times you may find that opening certain files or folders takes too Windows
much time and your device slows down or even freezes. While
there may be many reasons behind this, it is probably worth checking the size of these files or folders. Keeping your system organized will help you prevent an overflow of data and may also
prevent you from running out of disk space.
Special purpose monitors
Monitor Type
Function
Operating system
KES Security Management Monitor
You can set up a Kaspersky Endpoint Security (KES) Security Man- Windows
agement Monitor if you have downloaded the KES component
Mac
from the ComStore and have a valid KES license key. Once you
have your monitor configured, it will monitor the endpoints that
have KES installed and will raise an alert if the criteria set in the
monitor details are met. The monitor can alert you if:
• KES is not installed
• KES is not active (stopped or disabled)
• KES agent requires a reboot (not applicable on Mac devices)
• Active threats are found (not applicable on Mac devices)
• Configuration file deployment has failed
• There is no valid KES license
• The definition database is not updated for a number of days that
you define
For further information about KES and how to configure it, refer to "Kaspersky Endpoint Security Integration" on page 208.
Webroot Security
Management Monitor
You can set up a Webroot Security Management Monitor if you
have downloaded the Webroot Endpoint Security component from
the ComStore and have a valid Webroot Site Key. Once you have
your monitor configured, it will monitor the endpoints that have
Webroot installed and will raise an alert if the criteria set in the
monitor details are met. The monitor can alert you if:
• Webroot is not installed
• Webroot is not active
• Attention and reboot is required
• An infection is found
• There is no valid Webroot license
• The system has been infected for longer than a specific number
of hours
• The Webroot license is due to expire within a specific number of
days
Windows
Mac
For further information about the Webroot integration
and how to configure it, refer to "Webroot Endpoint
Security Integration" on page 218.
Datto Monitor
You can set up a Datto Monitor if you have downloaded the Datto
Integration component from the ComStore and your AEM account
has been integrated with your Datto subscription. Once you have
your Datto Monitor configured, it will monitor the endpoints that are
protected by your Datto device.
Windows
For further information about the Datto Integration
and how to configure it, refer to "Datto Backup Integration" on page 202.
Monitor Type
Function
Operating system
SNMP Monitors
Offline Monitoring and Network Monitoring are available for Managed network devices only.
SNMP monitors are not available to be added to a policy at
account or site level. Refer to "Monitor a Managed network device"
on page 95.
N/A
ESXi monitors
ESXi monitors are not available at device level. They can only be applied at account and site level as part of
an ESXi policy.
Monitor Type
Function
Operating system
ESXi CPU Monitor
Similarly to the "CPU Monitor" on page 232 available for Windows,
Mac and Linux devices, the ESXi CPU Monitor can alert you if
your ESXi host has high CPU usage.
VMware ESXi
ESXi Memory Monitor
Similarly to the "Memory Monitor" on page 233 available for Windows, Mac and Linux devices, the ESXI Memory Monitor can alert
you if your ESXi host has high memory usage.
VMware ESXi
ESXi Data Store
Monitor
Similarly to the "Disk Usage Monitor" on page 234 available for
Windows devices, the ESXi Data Store Monitor can alert you if the
available space in any of the datastores on an ESXi host drops
below a certain threshold.
VMware ESXi
ESXi Temperature
Sensor Monitor
This monitor can alert you if the temperature sensors on the ESXi
host exceed a certain threshold.
VMware ESXi
ESXi Fan Monitor
This monitor can alert you if the status of any fan unit on any targeted device is other than "normal".
VMware ESXi
ESXi Disk Health
Monitor
This monitor can alert you if any disk on any targeted device
registers disk health or RAID errors.
VMware ESXi
ESXi PSU Monitor
This monitor can alert you if the status of any power supply on any
targeted device is other than "normal".
VMware ESXi
Managing monitors
Monitors can be created and managed in these places:
l
l
l
On the Device > Monitor tab > click the Monitors radio button. Monitors created here are directly
associated with the selected device, but not with a monitoring policy. Refer to "Manage Monitors" on
page 239.
When you are creating or editing a monitoring policy. Refer to "Create a Monitoring Policy" on page
256.
When you are creating an ESXi policy. Refer to "Create an ESXi Policy" on page 104.
About Policies
Policies are a tool for bulk operations in Endpoint Management. With a policy you can:
l
Define something you want to do (configure a setting, run a monitor, install a patch or an update)
l
Define the target devices you want to do it to, using sites, filters and groups
l
Push any changes immediately or at a predetermined time
Policies can be created at account and site level. Account policies are visible at site level as well, and can be
enabled or disabled for a specific site. Policies set at site level will not replace account polices but will work in
conjunction with them. For information on how to manage policies, refer to "Managing Policies" on page 250.
Types of policies
The following types of policies can be created:
l
l
l
l
l
l
l
l
l
Agent Policies - Agent policies deploy settings to affect the operation and configuration of the
Autotask Endpoint Management (AEM) Agent. Refer to "Create an Agent Policy" on page 74.
ESXi Policies - ESXi policies allow the user to monitor the performance, datastore, temperature and
hardware of ESXi host devices and their guest machines. Refer to "Create an ESXi Policy" on page
104.
Monitoring Maintenance Window Policies - Monitoring Maintenance Window Policies allow you to suspend monitoring while doing scheduled maintenance work on your devices. Refer to "Create a Monitoring Maintenance Window Policy" on page 253.
Mobile Device Management Policies - Mobile Device Management policies manage restrictions and
settings for enrolled iOS mobile devices. Refer to "Create an iOS Mobile Device Management Policy"
on page 86.
Monitoring Policies - Monitoring policies allow the user to configure what monitors, component or otherwise, are run on the devices targeted with the policy. Refer to "Create a Monitoring Policy" on page
256.
Patch Management Policies - Patch management policies allow you to automate the deployment of
software patches to the devices you manage. Refer to "Create a Patch Management Policy" on page
160.
Power Policies - Power policies allow you to configure the Windows Control Panel > Power Options
on all devices that are targeted with this policy. Refer to "Create a Power Policy" on page 261.
Security Management Policies - This type of policy is used with the Kaspersky Endpoint Security
Integration or the Webroot Endpoint Security Integration. Refer to "Create a Security Management
Windows Update Policies - Windows update policies allow you to control the features of the automatic
update settings part of Windows Update. Refer to "Create a Windows Update Policy" on page 174.
l
Software Management Policies - Software management policies target your iOS devices with a list of
applications that you previously added to your Component Library from the iOS App Store. Refer to
"Create a Software Management policy" on page 193.
How are polices different from jobs?
Jobs deploy components.
While some types of policies can also deploy components (monitoring policies), they can also configure
many different types of settings.
Manage Monitors
At account and site level, permission to manage Policies. At device level, permission to manage
Sites > Monitor.
Sites > select a site > Devices > select a device > Monitor > Monitors radio button
Sites > select a site > Policies > add or edit a policy > add, edit or delete a monitor
Account > Policies > add or edit a policy > add, edit or delete a monitor
How to...
Create a monitor
For information about adding a monitor to a monitoring policy, refer to "Create a Monitoring Policy"
on page 256.
1. Open a site and navigate to Devices > select a device > Monitor > Monitors radio button.
2. Scroll to the bottom of the page and click Add a monitor...
3. Select a Monitor Type and click Next.
4. Configure the Monitor Details.
Device health and special purpose monitors
Monitor Type
Trigger Details
You can choose:
• Whether you want to be alerted if the device goes offline or comes online.
• How long the device needs to be in either of these states before the alert is
raised. (0-60 minutes)
When a device is elected as a network node, an Online Status
Monitor will automatically be assigned to it. If the device is offline
for 5 minutes, the monitor will raise a Critical alert and send a notification to the default email recipients. For more information on
network node devices, refer to "Assign a device to be a network
node" on page 183.
CPU Monitor
You can choose:
• What the CPU usage threshold should be. (5-100%)
• How long the device's CPU usage needs to be above the threshold before the
alert is raised. (0-60 minutes)
Monitor Type
Trigger Details
Memory Monitor
You can choose:
• What the memory usage threshold should be. (5-100%)
• How long the device's memory usage needs to be above the threshold before
the alert is raised. (0-60 minutes)
Component Monitor
• From the drop-down list, select the component monitor you wish to run.
Note that in order for a component monitor to appear in this list, it needs to be
added to your Component Library first by downloading it from the ComStore or by
creating and adding your own custom component. Refer to "Download a component to your workstation" on page 334 and "Create a Custom Component Monitor" on page 338.
• Specify when the component monitor should be run.
Note that the criteria in Trigger Details may differ depending on how the component monitor has been configured.
Process Monitor
• Enter the process name.
• Specify whether an alert should be raised if the process is running or not running
OR if it has reached a certain CPU or memory usage (5-100%).
• Specify how long the process should be in this state before the alert is raised. (060 minutes)
• If you want to kill the process if it triggers an alert as per the criteria you specified,
select the check box of Attempt to kill the process if it triggers an alert.
Note that this check box will only be active if you chose "the process is running /
not running" option before.
Service Monitor
• Enter the service name.
• Specify whether an alert should be raised if the service is stopped or running
OR if it has reached a certain CPU or memory usage (5-100%).
• Specify how long the service should be in this state (0-60 minutes) and how
much time after the device has booted (immediately - 60 minutes) before the alert
is raised.
• If you want to start or stop the service if it triggers an alert as per the criteria you
specified, select the check box of Attempt to take remedial action. Note that
this check box will only be active if you chose "the service is stopped / running"
option before.
• If you would not like to be alerted if the service has been disabled, select the
check box of Do not alert Service Stopped messages if service has been
disabled.
Monitor Type
Trigger Details
Event Log Monitor
Trigger Details:
• Enter the event log name (e.g. Application, System, etc. as shown in the Windows Event Viewer).
• Enter the event source name (as shown in the Event Log).
Filter Details:
Complete at least one of these fields (as shown in the Event Log):
• Event Codes: enter one or more Event IDs, e.g. 1 56 5719. For Event ID
examples, refer to "Event Log examples" on page 249.
• Event Types: enter one or more of the following types: Critical, Error, Warning,
Verbose, Information, 'Success Audit', 'Failure Audit'.
• Event Descriptions: enter one or more words or phrases enclosed in quotation
marks, of which at least one should be present in the Event Message Body. Additionally, use a - in front of a word or phrase to indicate that it should not be present
in the message body (e.g. "backup failed" -partial).
Use a space between filters of the same category to have the monitor apply an OR between them.
For example, entering "failed" "error" in the Event Descriptions
category will raise an alert if the event log entry contains either
the words failed OR error (or both). Similarly, entering more than
one event ID separated by a space (e.g. 1 56 5719) in the Event
Codes field will alert if the event log contains any of these event
codes.
Software Monitor
• Enter the name of the software package you want to monitor. Refer to "Enable
monitoring of software licenses " on page 108.
• Specify whether an alert should be raised if the software is installed / is uninstalled / changes version.
Security Center
Monitor
Select whether the Windows Security Center (Action Center) should be:
• Activated
• Disabled
Note that it is not possible to configure the settings of the Windows Security Center
(Action Center) through this monitor.
Disk Usage Monitor
Select:
• The drive you want to monitor.
• The threshold that needs to be passed for the alert to be triggered (% disk space
used / GB disk space used / GB disk space free).
• How long the device's disk usage needs to be in this state before the alert is
File / Folder Size
Monitor
• Select from the drop-down if you want to monitor a file or a folder and enter its full
path.
• Select from the drop-down if the size of the file or folder should be over or under
the set threshold.
• Enter the threshold for the file or folder size (MB) that needs to be passed for the
alert to be triggered.
•Specify how long the file or folder needs to be in this state before the alert is
Monitor Type
Trigger Details
Select any of these options:
• KES is not installed
• KES is not active (stopped or disabled)
• Reboot is required (not applicable on Mac devices)
• Active threats have been found (not applicable on Mac devices)
• Configuration File deployment has failed
• There is no valid license
• Alert if database has not been updated for a specific number of days (maximum
value: 365 days)
Webroot Security
Management Monitor
Select any of these options:
• Webroot is not installed
• Webroot is not active
• Attention and reboot is required
• Alert when an infection is found
• No valid license
• Alert if the system has been infected for longer than a specific number of hours
(maximum value: 168 hours)
• Alert if the Webroot license is due to expire within a specific number of days (maximum value: 365 days)
Datto Monitor
Set the time window to monitor for errors. (1-48 hours)
SNMP monitors (only available for Managed network devices and can only be applied at device level)
Monitor Type
Trigger Details
Offline Monitor
• Select a Network Node Device that will be performing the monitoring on your network device.
Offline monitors will create an alert if the device has
been offline for 1 minute.
Network Monitor
• Select a Network Node Device that will be performing the monitoring on your network device.
• After clicking Next, specify the Trigger Details by selecting a Network Monitor Component from the drop-down list. This will
provide the threshold for the monitor to raise an alert. Refer to "Download or Create Network Monitor Components" on page 96.
• Once you have selected your Network Monitor Component, you
will be able to modify its threshold for this specific device only, if
necessary.
Printer Monitor
A Printer Monitor will be enabled automatically on all sites with
Managed printers. By default, this monitor will alert you if any issues
are reported or consumables go below 25%. The monitor can be modified under the respective site's Policies tab.
ESXi monitors (to be applied at account and site level only, as part of an ESXi policy)
Monitor Type
Trigger Details
ESXi CPU Monitor
You can choose:
• What the CPU usage threshold should be. (5-100%)
• How long the device's CPU usage needs to be above the threshold
before the alert is raised. (0-60 minutes)
ESXi Memory Monitor
You can choose:
• What the memory usage threshold should be. (5-100%)
• How long the device's memory usage needs to be above the
threshold before the alert is raised. (0-60 minutes)
ESXi Data Store Monitor
Specify:
• The threshold that needs to be passed for the alert to be triggered
(% used / GB used / GB free).
• How long the datastore needs to be in this state before the alert is
ESXi Temperature Sensor Monitor
Specify:
• The temperature threshold that needs to be passed for the alert to
be triggered (Celsius (°C)).
• How long the temperature needs to be above the threshold before
the alert is raised. (0-60 minutes)
ESXi Fan Monitor
An alert will be triggered if the status of any fan unit on any targeted
device is other than "normal".
ESXi Disk Health Monitor
An alert will be triggered if any disk on any targeted device registers
disk health or RAID errors.
This monitor relies on the presence of CIM providers. ESXi servers
must have CIM providers installed to provide the information this monitor requires. Devices that do not have CIM providers installed will not
raise any alerts.
ESXi PSU Monitor
An alert will be triggered if the status of any power supply on any targeted device is other than "normal".
5. Configure the Alert Details and Auto-Resolution Details.
Field
Description
Alert Details
You can choose the priority of the alert that will be raised:
• Critical - Priority 1
• High - Priority 2
• Moderate - Priority 3
• Low - Priority 4
• Information - Priority 5
Field
Description
Auto-Resolution
Details
You can choose when the alert should auto-resolve itself, i.e., if it's no longer
triggered for a certain period of time (1 minute - 1 week), it will be resolved automatically. The monitor will then be reset allowing further alerts to be raised.
The following monitor types cannot be auto-resolved: Event Log Monitor,
Software Monitor, KES Security Management Monitor, Webroot Security
Management Monitor, Datto Monitor, SNMP Monitors (Offline Monitor
and Network Monitor), ESXi Fan Monitor, ESXi Disk Health Monitor, ESXi
PSU Monitor.
6. Click Next.
7. Configure the Response Details, that is, specify what the response should be to a raised alert.
Field
What to Choose / Enter
Run the following component
This field is not available for SNMP and ESXi monitors.
Select this check box if you want to run a component as a response to the alert, then
select the required component from the drop-down menu. If the selected component
has been configured with variables, you can override them here.
Note that in order for a component to appear in this list, it needs to be marked as a
favorite. For further information on how to do that, refer to "Make a component available as a Quick Job" on page 324.
Field
What to Choose / Enter
Email the following recipients
Select this check box if you want to send out a notification when the alert is raised.
• Select Default recipients if you would like to notify the default Mail Recipients set
up in Account Settings and "Site Settings" on page 20.
• Enter Additional recipients. Add a name, an email address, choose the correct
email type (HTML, text or both) and make sure to click Save. You can add more than
one additional recipient.
The email field only accepts the following characters:
a-z, A-Z, 0-9, @, and !#$%&'`*+-|/=?^_{}~.
If the Email the following recipients check box is selected but the
Default recipients check box is not selected, you must enter and save
a name and an email address in the Additional recipients area.
• Advanced Options - Enter a string to be used as the Subject Line of the alert
email. You can include the following:
• [hostname]: hostname of the device
• [description]: description of the device
• [os]: operating system of the device
• [user-defined X]: user-defined field where X is the user-defined field number. Refer to
"User-Defined Fields" on page 38.
• [lastuser]: last user login name logged into the device
• [sitename]: name of the site in which the device resides
• [category]: category of the alert raised (e.g. performance, service, process, event log,
etc.)
• [type]: type of the alert raised (e.g. memory, disk space, etc.)
• [alert]: reason for the alert being raised
• [ipaddress]: IP address of the LAN card of the device
8. Click Next.
9. Configure the Ticket Details if you want to create a ticket for this incident in AEM through standalone
or advanced integrated ticketing, or in any PSA tool integration you may have configured in your
account. For further information, refer to "Alerts and Tickets" on page 345.
Tickets are entirely separate from the alert. If you would like to use monitors to raise tickets
in a PSA tool, make sure to configure the Ticket Details section. Alerts alone will not be
able to synchronize with the PSA tool.
Depending on the type of ticketing you use, complete the following fields:
Standalone ticketing
Field
What to Choose
New Ticket
Select this check box if you want to create a ticket once the alert is raised.
Once this check box has been selected, the remaining fields become editable as well.
Assigned Resource
Select who this ticket should be assigned to. The drop-down lists all the
users of your account. Only one user can be selected per monitor.
Priority
Select the Priority of the ticket to be raised:
Ticket Email Notification
Select this check box if you want to notify the ticket owner about the ticket
via email.
Disable Auto-Resolution of
Tickets
Select this check box if you would like to prevent the raised tickets from
being auto-resolved if the alert is resolved.
Advanced integrated ticketing
Field
What to Choose
New Ticket
Select this check box if you want to create a ticket once the alert
is raised.
Once this check box has been selected, the remaining fields will
become editable as well.
Add related ticket note
Select this check box to allow the alerts from this monitor to create a related ticket note. This requires the Autotask Integration's
global Related Alerts setting to be enabled. To learn how to
enable it, refer to Repeating and Related Alerts.
The check box will have no impact when the global Related
Alerts setting is OFF. The check box will be checked and disabled when the New Ticket check box is not selected.
Autotask PSA Alert Ticket Attributes
Field
What to Choose
Use the settings of the monitor type
Select this check box if you would like to apply the settings configured in the ticketing section of the Autotask Integration. For further information, refer to the Ticket Attributes section in
Configure ticket integration.
Source, Queue, Issue, Sub-Issue,
Work Type
If you do not wish to use the settings above, select the required
Source, Queue, Issue, Sub-Issue and Work Type from the
drop-down lists. The drop-downs list those values that are currently active in Autotask PSA.
If the mapped device (that is, the
PSA configuration item) has a contact assigned in
PSA, that contact will be selected for the alert
ticket by default.
Use Subject Line from Response
Details
You can choose any of these options:
• Select this check box to use the Subject Line configured in the
monitor's Response Details section as the Ticket Title.
• Leave the check box unchecked and add a Subject Line to customize the Ticket Title.
• Leave the check box unchecked and leave the Subject Line
blank to apply a standard (automated) subject line as the Ticket
Title.
The Ticket Title field in PSA has a limit of 255 characters. If your Subject Line exceeds this limit, it
will be cut off in the ticket's Ticket Title field at 255
characters.
10. Click Next. You will be returned to the monitor list for the device or the policy details page (if you are
adding the monitor to a policy). There you can add another monitor if you want.
The changes will be pushed instantly on single devices if the Agent is online or as soon as it checks
in to the platform. In case you are adding the monitor to a policy, the changes first need to be saved
and pushed to be applied. Refer to "Create a Monitoring Policy" on page 256.
Edit or delete a monitor
You can always edit or delete the monitor by locating it on the Device > Monitors list or the Monitoring
Policy page by clicking on the pencil icon or the red X .
Suspend or unsuspend monitoring
If you want to stop alerts from being generated for a specific device altogether, you have two options:
Suspend monitoring manually
1. Locate your device and click the Monitor tab.
2. Select the Monitors radio button in the top right corner.
3. Click Suspend Monitoring.
4. A dialog will open. Click OK to proceed or Cancel to stop the action.
It may take a few minutes to suspend monitoring.
5. To reverse the suspension, click Unsuspend Monitoring.
It may take a few minutes to unsuspend monitoring.
6. All devices for which monitoring has been suspended manually are listed on the Account > Suspended Devices list and can also be unsuspended there by clicking on the Unsuspend this device
icon at the end of the row. Refer to "Suspended Devices" on page 125.
Suspend monitoring through a policy
A Monitoring Maintenance Window Policy allows you to specify a maintenance window, during which
monitoring is suspended on the targeted devices. For further information, refer to "Create a Monitoring Maintenance Window Policy" on page 253.
View alerts generated by your monitors
To view an alert in the Web Portal and act on the alert information, go to
l
Account > Monitor > Monitor Alerts or
l
Sites > click on a site > Monitor or
l
Sites > click on a site > Devices > click on a device > Monitor > Monitor Alerts
You can choose to display the alerts as per category, priority and status. Refer to "Manage Alerts" on page
346.
Event Log examples
Here are a few examples of important events that might be logged to your device's Event Log if something
goes wrong.
Event ID
Definition
6008
Unexpected shutdown. Refer to Microsoft Support.
51
Error writing to disk. It may be worth taking a look as the hard drive may be coming to an end.
Refer to Microsoft Support.
17052
SQL error. This is a catch-all SQL error, which will allow you to see where you've got database
problems that need investigating. Refer to Microsoft Support.
13568
Journal wrap error. Refer to Microsoft Support.
5 and/or 32
Almost every anti-virus software will write to the event log when it finds an infection. These are
the event codes for Symantec AV and Sophos, but the documentation for the anti-virus software you're using should contain the information you need to monitor for, allowing you to see
infection incidents before they become wide-scale outbreaks.
You can also monitor built-in Windows backups using an Event Log Monitor. For more information, refer to How do I monitor backups using built-in backup tools in Windows?
Managing Policies
Account > Policies
Policies can be created at account and site level. Account policies are visible at site level as well, and can be
enabled or disabled for a specific site. Policies set at site level will not replace account polices but will work in
conjunction with them.
For an introduction to policies, refer to "About Policies" on page 237.
How to...
Manage policies
Policies are managed on the Account > Policies and Site > Policies tabs. On the Site > Policies tab, both
account policies and site policies (created for the selected site) are displayed.
Software management policies can be created and managed by navigating to Account > Manage
> Software Management or Sites > select a site > Manage > Software Management. Refer to
"iOS Software Management" on page 189.
You will see the following columns:
Column
Descriptions
Over- This icon only appears if the policy in question is an Account-level patch management policy AND it
is overridden at the Site level. At the same time, an Edit Override button becomes available for the
ride actpolicy. Refer to "Override Account-level patch policy options at the Site level" on page 167.
ive icon
Name
The name of the policy. Click on the name to edit the policy.
Targets
Each policy can have one or many targets, which in turn can consist of one or many device filters,
device groups and site groups.
Type
Indicates the type of policy. Refer to "Types of policies" on page 237.
Override
/ Edit
Override
The Override button only appears if the policy in question is an Account-level patch management
policy that is not overridden at the Site level.
The Edit Override button only appears if the policy in question is an Account-level patch management policy that is overridden at the Site level. At the same time, an
icon
Override active
will be visible in front of the policy.
Refer to "Override Account-level patch policy options at the Site level" on page 167.
Push
changes...
Target icon
Click Push changes... to immediately push any policy changes to all devices targeted by the
policy. The target icon
changes color
Clicking on this icon will open a pop-up window to show included and excluded sites and/or devices
targeted by the policy. In the case of patch management policies, the
icon
will
Override active
be displayed in front of sites that override the Account-level policy options.
In the case of Account-level policies, you can filter by Site Exclusions and Site Manually
Enabled (for patch management policies these options change to All Sites, Included Sites, and
Excluded Sites), and you can also filter by All Devices, Included Devices, and Excluded
Devices in the case of both Account- and Site-level policies. You can turn the policy on or off for
your sites and devices by toggling the Enabled button to ON or OFF, and you can push the
changes by clicking on the Push changes... button. The target icon
changes color
when
changes are being pushed.
Enabled
for this
site
Delete
A toggle to turn the policy ON or OFF.
Hover over a row and click this icon to delete the policy.
Add a policy
At account level:
1. Click on the Account tab.
2. Click on Policies.
3. Click on New account policy....
At site level:
1. Click on the Sites tab.
2. Click on the required site name.
3. Click on Policies.
4. Click on New site policy....
The policy details differ for each policy type. Refer to:
"Create an Agent Policy" on page 74
"Create an ESXi Policy" on page 104
"Create a Monitoring Maintenance Window Policy" on page 253
"Create an iOS Mobile Device Management Policy" on page 86
"Create a Monitoring Policy" on page 256
"Create a Patch Management Policy" on page 160
"Create a Power Policy" on page 261
"Create a Security Management Policy" on page 227
"Create a Windows Update Policy" on page 174
Edit a policy
1. On the account or site policy list, click on the name of the policy you want to edit.
The Update Policy page opens.
2. Make changes to any field except the Policy type field. For field descriptions, refer to the topics on the
various policy types.
3. Click Save.
4. Click Push changes on the account or site policy list so that the changes can be applied.
Apply a policy to a new device
To learn how you can run newly added devices against already existing policies, refer to "Apply Policies to
New Devices" on page 265.
Create a Monitoring Maintenance Window Policy
Permission to manage Policies at Account and/or Site level
Account > Policies
What is a Monitoring Maintenance Window Policy?
A Monitoring Maintenance Window Policy allows you to suspend monitoring while doing scheduled maintenance work on your devices.
l
l
l
During the maintenance window, alerts will be muted for the targeted devices, which allows you to
prevent false alerts, for example during a backup.
Alerts created during the maintenance window will not create tickets or send email notifications,
however, response components will be executed as normal.
When the alert condition is still in effect when the maintenance window ends, a new alert will be generated.
Monitoring Maintenance Window Policies can be set up in Autotask Endpoint Management (AEM) at both
account and site level. Refer to "Add a policy" on page 251.
You can also suspend monitoring on individual devices manually. For more information, refer to
"Suspend or unsuspend monitoring" on page 247.
How to...
Specify the policy details for Monitoring Maintenance Window Policy
4. Under Type, select Monitoring Maintenance Window.
6. Click Next and you will see the policy details.
8. Click Add.
9. Configure the Schedule Options:
Field
Description
Schedule
Click Click to change... to choose when you want the policy to run.
In the Schedule window, select one of the following:
At selected date and time - The policy will run once at the selected date and time.
Daily - The policy will run every day at the time indicated in the Start field.
Weekly - The policy will run every week on all selected days at the time indicated in the
Start field.
Monthly - The policy will run in the selected months on the selected days.
Monthly day of week - The policy will run in the selected months on the specified occurrence of the selected days of the week.
Yearly - The policy will run on the selected day (1 - 365) each year.
Click OK to close the scheduling window.
Duration
Specify the duration of the maintenance window (0-24 hours, 0-60 minutes).
10. Click Save.
11. Click Push changes next to your new policy to activate it.
platform.
Edit the policy
2. Edit the policy details.
3. Save your policy and push the changes.
platform.
Create a Monitoring Policy
Account > Policies
What is a monitor?
Monitors keep track of attributes, processes and events on devices they are deployed to, and raise an alert
when the device is not operating within specified parameters. They can be created on the Device > Monitor
tab and applied to a single device, or they can be set at account and site level as part of a Monitoring
Policy, and can target specific filters and groups at either level.
SNMP monitors (that is, the monitors available for Managed network devices) can only be applied
at device level. For further information, refer to "Monitor a Managed network device" on page 95.
What is a monitoring policy?
A monitoring policy is a way to apply one or more monitors to multiple devices in a site, group, or filter, or
even all devices in your account.
Monitoring policies can be set up in the Web Portal at both account and site level.
Two monitoring policies are set up by default at account level in every account: one for desktops
(Desktop Monitoring, with a filter of All Desktop O/S) and one for servers (Server Monitoring,
with a filter of All Server O/S).
How to...
Specify the policy details for a monitoring policy
4. Under Type, select Monitoring.
6. Click Next and you will see the policy details.
Add a target
To target your devices with the policy:
1. Click on Add a target.
2. Select the required Target type. For information about target types, refer to "Filters" on page 130 and
"Groups" on page 142.
3. Choose the required filter(s) or group(s).
4. Click Add.
5. If you want to add more than one target type, repeat steps 1-4.
Add a monitor
1. Click Add a monitor. The Add a Monitor page will open.
2. Select a Monitor Type.
3. Configure the Monitor Details, Response Details, and Ticket Details. Refer to "Create a monitor"
on page 239.
4. On the last page, click Next. You will return to the policy details page.
5. To add additional monitors for the policy targets, repeat steps 1-4.
1. Once you are re-directed to the policy details page, click Save. This will save the changes you made
to the policy which will be confirmed through a pop-up window on the top of the page.
2. You will now see your list of policies. Click Push changes next to the newly created policy.
3. The targeted devices will now be notified that a new policy has been applied and you will start to see
alerts (as well as receive them via email if you configured that option) for any device that meets the criteria set in the policy.
platform.
To learn how to view an alert in the Web Portal, refer to "Manage Alerts" on page 346.
Edit the policy
2. You can edit the Name, Targets and Monitors of the policy.
3. Once you have finished editing, click Save. The change will be confirmed through a pop-up window on
the top of the page.
4. You will now see your list of policies. Click Push changes next to the policy you have modified.
platform.
Export a monitoring policy
You can export any of your monitoring policies and share it with other users who can then import these
policies into their own AEM account. Refer to "Import a monitoring policy" on page 259.
An exported monitoring policy includes the configured monitors, their thresholds and priority settings, however, it will not include the monitors' Response Details, Ticket Details and targets.
Please note that the following monitor types will be excluded from the exported policy:
l
Component Monitor
l
l
Webroot Security Management Monitor
l
Datto Monitor
To export a monitoring policy:
1. Open a monitoring policy.
2. Click the Export Policy button found at the bottom of the page.
3. Your policy will be saved as a .pcy file. The exported file will contain the following information:
Field
Exported information
Monitor details
• Name
• Monitor type
• Trigger details
• Alert details
• Auto-resolution details
Import a monitoring policy
If an exported monitoring policy (.pcy file) has been shared with you, you can import it into your own
AEM account. An exported monitoring policy includes the configured monitors, their thresholds and priority
settings, however, it excludes certain monitor types and details. For further information, refer to "Export a
monitoring policy" on page 258.
To import a monitoring policy:
1. Go to Account > Policies or Sites > click on a site name > Policies.
2. Click the Import Policy button.
3. Browse to your .pcy file and click Import Policy.
4. You can edit the policy details including Name, Targets and Monitors.
5. Click Save to save your changes and click Push changes... to activate the policy.
To save time and to make sure you apply best practices, you can also import monitoring
policies created by AEM. Refer to "Best Practice Monitoring Policies" on page 260.
Best Practice Monitoring Policies
You can import AEM's Best Practice Monitoring Policies into your account. These policies include best practices for monitoring the most common platforms and applications, such as Exchange, SQL and IIS.
1. Access the following link: AEM Importable Monitoring Policies.
2. Download any of the policies.
3. Import any of the downloaded policies (.pcy files) into your AEM account. Refer to "Import a monitoring policy" on page 259.
Create a Power Policy
Account > Policies
What is a power policy?
A power policy in Autotask Endpoint Management (AEM) allows you to control the Power Options in the Windows Control Panel of the devices that are targeted with this policy. This lets you save energy and increases
the security of the targeted devices.
A power policy allows you to specify the following settings:
l
l
l
l
Turn off disk after - Turns off the hard disk after it has been idle for the selected time interval (never 300 minutes).
Turn off display after - Turns off the display after the machine has been idle for the selected time interval (never - 300 minutes).
Standby after - Puts the computer into sleep mode after it has been idle for the selected time interval
(never - 300 minutes).
Schedule- Allows you to either disable the Schedule feature, or set a time to put the computer into
Sleep, Hibernate or Shutdown each day.
When a power policy is applied to a device, AEM adds a power plan called AEM that is visible under the
Power Options on the local device.
The policy can be applied at account level to target all devices in your account or at site level to target the
devices within one particular site only. Refer to "Add a policy" on page 251.
How to...
Specify the Power Policy details
3. Select the type Power.
5. Click Next.
7. Click Add.
8. Choose one or more of the Power Policy Options.
9. Click Save.
Once the change has been applied on the Agent, the newly created power plan will be visible under
the Power Options on the local device.
Apply Policies to New Devices
When you add a new device to your Autotask Endpoint Management (AEM) account, you want to make sure
that your already existing policies will run against it. This topic will discuss the logic that determines how
policy memberships get recalculated.
Target your device
In order for a policy to be applied to any device, the device needs to be part of a filter or group that the policy
targets. To learn how to add a device to a filter or group, refer to "Filters" on page 130 and "Groups" on page
142.
When do policies get refreshed?
l
Every 24 hours, at midnight in your timezone
l
Immediately after you push the policy
l
Every few minutes if a "reassigned" flag had been set on the device
Policies get recalculated every 24 hours, at midnight in your timezone. If any device has been added to or
removed from the policy, the new associations will automatically be applied at midnight.
You can expedite this process by turning the policy off and then on again and pushing the changes.
This will update the policy memberships immediately. For more information on how to do this, refer to
"Managing Policies" on page 250.
If you add a new device to your account, move a device to another site, or update the device's group membership, the device will be flagged as "reassigned". A job that runs every few minutes will see this flag and
perform some basic policy recalculation for the device. The basic policy recalculation is not a full policy
refresh, however, it can:
l
l
Remove any site policies that the device had. (Account policies do not get removed when the "reassigned" flag is detected.)
Add all the site and account policies to the device where it is part of the filter or group that the policy targets.
Components and ComStore
A component is a prepackaged script or application that can be deployed to a device via the Web Portal. You
can download many useful components from the ComStore, an online library of prepacked components and
scripts created by Autotask.
Component Categories
To make searching for components a bit easier, we have grouped them into different categories:
l
l
l
l
l
Applications - The Applications category contains programs such as web browsers and browser
plug-ins, Adobe products, Flash players etc., ready to be pushed out to as many endpoints as
required.
Monitors - The two monitor categories feature device and network monitors for anti-virus, backups,
services, processes, and more.
Extensions - Extensions provide additional functionality such as custom branding or patch management.
Integrations - Integrations enable Autotask Endpoint Management to connect to PSA platforms such
as Autotask PSA.
Scripts - This area contains scripts for activities such as installing the uVNC mirror drivers, clearing
the print spooler, restarting a specific service, hard drive checks and various other useful tools.
Where do I find components?
l
l
l
l
Autotask makes several hundred components available in the ComStore, an online library of prepacked components and scripts. Refer to "Download Components from the ComStore" on page 268.
To see a list of available components, refer to "List of components" on page 270.
On the Autotask Endpoint Management Community, you will find the Community Component
Exchange. You can import these components into your AEM account. Refer to "Import a component
into your Web Portal" on page 335.
Finally, you can create your own custom components. Refer to "Create or Edit a Component" on page
301.
Manage and Deploy Components
l
l
Components that you have downloaded, imported or created yourself are available in your Component
Library that you can find by clicking on the Components tab. Refer to "Manage Components" on page
333.
One special category of component you can download or create yourself are Device Monitors that are
not directly deployed to the devices, but first incorporated into a monitor. Refer to "Create a Custom
l
Components are deployed to devices using either a Scheduled Job, or a Quick Job. Refer to "Deploy
Components Using Jobs" on page 319.
Download Components from the ComStore
Permission to view or manage the ComStore
ComStore tab
Autotask makes hundreds of components available to all customers. The components can be found in an
online library called ComStore.
To make the components available to yourself or other users in your company, you must first add them to
your Component Library that can be accessed by clicking on the Components tab. From there you can
deploy the components to your endpoints.
How to...
Search for a component
To check whether a specific component is available in the ComStore, enter a name or part of a name into the
Search ComStore field and click the button.
All matches will be displayed with version and component category information. If you have already downloaded a component, the status is displayed as Added.
Icons will indicate Windows or Apple OS.
Download a component
1. Search for your component and click on the component icon in the ComStore.
A new window will open, with a description of the component.
2. Click Add to my Component Library.
3. A message will confirm that the component was downloaded successfully.
4. Click OK to close the dialog.
The component is now available in your Component Library and can be used in scripts and policies. You can
access your Component Library by clicking on the Components tab.
The component level of the components downloaded from the ComStore is set to 1 (Basic) by
default and it cannot be edited.
List of components
The following components are currently available in the ComStore:
Name
Description
Category
7-Zip [WIN]
7-Zip is a file archiver with a high compression ratio. The main features of
7-Zip are:
• High compression ratio in new 7z format with LZMA compression
• Supported packing / unpacking formats: 7z, ZIP, GZIP, BZIP2 and TAR
• Supported formats for unpacking only: ARJ, CAB, CHM, CPIO, DEB,
DMG, HFS, ISO, LZH, LZMA, MSI, NSIS, RAR, RPM, UDF, WIM, XAR and Z
• Compression ratio for ZIP and GZIP formats: 2-10 % better than the ratio
provided by PKZip and WinZip
• Strong AES-256 encryption in 7z and ZIP formats
• Self-extracting capability for 7z format
• Integration with Windows Shell
• Powerful File Manager
• Powerful command line version.
Applications
Acronis Backup
10/11 Monitor [WIN]
This component monitors Acronis Backup 10 and 11.
Device Monitors
Acronis Backup
and Recovery 10
monitor [WIN]
This component monitor will check and alert for: Acronis Backup and
Recovery 10 not installed/not running, Not backed up in last X days. Check
period is configurable when applying the monitor (default period=2 days)
Compatible with: Win XP Pro (32/64) Win Vista (32/64) Win 7 (32/64) Svr
2003/2003 R2 (32/64) Svr 2003/2003 R2/2008/2008 R2 (32/64).
Device Monitors
Acronis Drive Monitor v1.0 [WIN]
Acronis Drive Monitor is a free software application developed by Acronis
to report on server, workstation and PC hard disk drives.
Applications
Active Directory
Audit (SPLA) [WIN]
Active Directory Audit script for AEM. This script counts the number of Active users on a Windows Domain Controller that have logged in in the last
30 days. It will output to STDOUT and store this number in the user-defined
fields.
Scripts
Adobe AIR [MAC]
This component will update or install Adobe AIR to the latest version. The
Adobe AIR runtime enables you to have your favorite web applications
with you all the time. Since applications built for Adobe AIR run on your
desktop computer without a web browser, they provide all the convenience
of a desktop application.
Applications
Adobe AIR [WIN]
This component will install or update Adobe AIR to the latest version. The
Adobe AIR runtime enables you to have your favorite web applications
with you all the time. Since applications built for Adobe AIR run on your
desktop computer without a web browser, they provide all the convenience
of a desktop application.
Applications
Adobe Flash Player
NP/PPAPI [MAC]
Adobe Flash Player is the high performance, lightweight, highly expressive
client runtime that delivers powerful and consistent user experiences
across major operating systems, browsers, mobile phones and devices.
Applications
Adobe Flash Player
[WIN]
This component will install or update Adobe Flash Player to the latest version. Adobe Flash Player is the high performance, lightweight, highly
expressive client runtime that delivers powerful and consistent user experiences across major operating systems, browsers, mobile phones and
devices.
Applications
Name
Description
Category
Adobe Reader
[WIN]
This component will update or install Adobe Reader to the latest version.
Adobe Reader software is the free trusted standard for reliably viewing,
printing, and annotating PDF documents. It's the only PDF file viewer that
can open and interact with all types of PDF content, including forms and
multimedia.
Applications
Adobe Reader
11.0.11 [MAC]
multimedia.
Applications
Adobe Reader DC
[WIN]
This component will update or install Adobe Reader to the latest version.
multimedia.
Applications
Adobe Reader DC
[MAC]
multimedia.
Applications
Adobe Shockwave
64-Bit [MAC]
This component will install or upgrade your Mac to the latest 64-bit version Applications
of Adobe Shockwave. Shockwave Player is the web standard for powerful
multimedia playback. The Shockwave Player allows you to view interactive
web content like games, business presentations, entertainment, and advertisements from your web browser.
Agent - Set Logging
Level [WIN]
This component will set the Agent service logging level via a job. Options
are to set to Warnings (basic logging), Errors (error logging) and Verbose
(all Agent events logged). For the configuration to take effect, an Agent service restart is needed. This can be also chosen via this component.
Note: The job will remain in the 'running' state if you chose to restart the
Agent via this component as it will not be able to report the job completing
back to the Platform.
Scripts
Ahsay Backup Monitor (ACB)
This component monitors the state of the Ahsay A-Click Backup 7.7.2.0. It
will alert when no backup has been made for X days, the product is not
installed or the service is not running.
Device Monitors
Ahsay Backup Monitor (OBM)
This component monitors the state of the Ahsay Online Backup Manager
7.7.2.0. It will alert when no backup has been made for X days, the product
is not installed or the service is not running.
Device Monitors
Attix5 Backup
Status Monitor
This component monitor will monitor the status of the Attix5 Backup solution.
Thanks to Redstor/Attix5 for providing this script.
Device Monitors
Attix5 Pro DL Version 6 Backup Monitor [WIN]
This component monitor will check and alert for: Attix5 not installed/not running, Attix5 not backed up in last 24 hours (check period is configurable
when applying the monitor).
Device Monitors
Attix5 Run Backup
now
This component will start a Backup job for the Attix5 Backup solution. The
script works based on display name, and will only run if: A service name
match is found, the service has the right files installed to be a valid Backup
Pro installation, the service is running and the backup status is idle.
Scripts
Name
Description
Category
AutoIt 3.3.14.1 +
SciTE4AutoIt3
15.729.1555.0
[WIN]
AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of
simulated keystrokes, mouse movement and window/control manipulation
in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys). AutoIt is also very small, self-contained and will run on all versions of Windows out-of-the-box with no
annoying 'runtimes' required! Includes customized version of SciTE with
lots of additional coding tools for AutoIt.
Applications
Autoruns 12.00
[WIN]
Autoruns shows you what programs are configured to run during system
Applications
bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run,
RunOnce, and other Registry keys. Autoruns goes way beyond the MSConfig utility bundled with Windows. This is a great tool for combating viruses
as you can easily find where they are starting up from and prevent them
from running at boot time.
Autotask
Autotask works hard to deliver a best of class integration of PSA and Endpoint Management. This version adds automated device synchronization
from AEM to PSA. It keeps your PSA accounts up to date with the latest
audit of your customers' environment, and automatically generates
Autotask tickets whenever an alert is raised in Endpoint Management. You
can also use LiveLinks to initiate a remote support session from directly
within a ticket or configuration item.
Autotask Endpoint
Backup Monitor
[MAC]
(refer to Autotask
Endpoint Backup
Integration)
This component monitors Autotask Endpoint Backup for problems and
Device Monwarnings. The monitor will also use two user-defined-fields to show the cur- itors
rent AEB status, backup size and versions.
Autotask Endpoint
Backup Monitor
[WIN]
(refer to Autotask
Endpoint Backup
Integration)
This component monitors Autotask Endpoint Backup for problems and
Device Monwarnings. The monitor will also use two user-defined-fields to show the cur- itors
rent AEB status, backup size and versions.
Autotask Endpoint
Backup [MAC]
(refer to Autotask
Endpoint Backup
Integration)
This component installs or removes the Autotask Endpoint Backup (AEB)
Agent on Mac OS. Use an AEB TeamKey to make this installation silent
and fully automatic. The TeamKey can be retrieved from the AEB Manager.
Applications
Autotask Endpoint
Backup [WIN]
(refer to Autotask
Endpoint Backup
Integration)
This component installs or removes the Autotask Endpoint Backup (AEB)
Agent on Windows. An AEB TeamKey allows for a silent, automatic install
that configures AEB to use the correct Team and settings.
Applications
Autotask Workplace
Agent Install/Uninstall [WIN]
Install or uninstall the Autotask Workplace (AWP) Agent, previously known
as Soonr. Initial installs may warrant a device restart, but this is not performed automatically.
Applications
Integrations
Name
Description
Category
Autotask Workplace
Opportunity Audit
Tool [WIN]
This component will scan Windows machines for existing FSS solutions
and perform a scan for important file types. The summary data is presented
per machine. The information can be used to determine the viability of
Autotask Workplace in your working environment. This component may
incur a brief performance impact as it scans.
Scripts
Avast! v6 AV Monitor [WIN]
This component monitor will check and alert for: Avast! not installed/not run- Device Monning, Out-of-Date Definitions. Compatible with MS Windows XP Pro
itors
(32/64), Vista (32/64), Windows 7 (32/64).
Avira AntiVir v10
Monitor [WIN]
This component monitor will check and alert for: Avira not installed/not running, Out-of-Date Definitions. Compatible with MS Windows XP Pro
(32/64), Vista (32/64) and Windows 7 (32/64).
Device Monitors
Backup Assist v5.x
Monitor [WIN]
This component monitor will check and alert for: Backup Assist 5.x not
installed/not running, Not backed up in last X days. Check period is configurable when applying the monitor (default period=2 days) Compatible
with Win XP Pro (32/64) Win Vista (32/64) Win 7 (32/64) Svr 2003/2003 R2
(32/64) Svr 2008 (32/64) Svr 2008 R2 (64).
Device Monitors
Backup Exec 2010
and 2012 job Monitor
This component monitors the state of the Backup Exec Backup solution. It
will alert when no backup has been made for X hours, the product is not
installed or service is not running. The Backup Exec CLI is a requirement
for this monitor to work.
Device Monitors
BareTail Free 3.50a
[WIN]
BareTail is a handy, freeware log file monitoring application that is the Windows equivalent of the Unix 'tail' utility. Use the context menu option to
open and view log files in real-time without having to reload to see the
updated entries. Notepad begone!
Applications
BitDefender
Antivirus 2016
This component monitor will check and alert for: BitDefender Antivirus service not running, Out of Date Signatures. Compatible with: Win 7 (32/64),
Win 8 (32/64), Win 8.1 (32/64), Win 10 (32/64).
Device Monitors
Block Internet
Explorer From Critical Windows
Updates [WIN]
Blocks Internet Explorer 7, 8, 9, 10 or 11 from being downloaded automatically by Windows Updates. Has the effect of moving ANY or ALL of
these updates from 'Critical' to 'Optional' in the Windows Updates interface.
Scripts
Bonjour 3.0.0.10 +
Bonjour Print Services 2.0.2.0 [WIN]
Bonjour, also known as zero-configuration networking, enables automatic
discovery of devices and services on a local network using industry standard IP protocols. Bonjour Print Services for Windows lets you discover and
configure Bonjour-enabled printers from your Windows computer using the
Bonjour Printer Wizard. 32/64 bit versions included.
Applications
Bonjour 3.0.0.10
[WIN]
Bonjour, also known as zero-configuration networking, enables automatic
discovery of devices and services on a local network using industry standard IP protocols. 32/64 bit versions included.
Applications
BullGuard v10 AV
Monitor [Server and
Workstation] [WIN]
This component monitor will check and alert for: Bullguard v10 not
installed/not running, Out-of-Date Definitions. Compatible with XP Pro
(32/64), Vista (32/64), Win 7 (32/64), Server 2003 (32/64), Server 2008
(32/64), Server 2008 R2 (64), SBS 2008 (64).
Device Monitors
Name
Description
Category
Bunker Backup
5.11 Monitor [WIN]
This component monitor will check and alert for: Bunker Backup not
installed/not running, Bunker Backup not backed up in last 24 hours (check
period is configurable when applying the monitor).
Device Monitors
CA v7 AntiVirus
Monitor [WIN]
This component monitor will check and alert for: CA v7 not installed/not run- Device Monning, Out-of-Date Definitions. Compatible with XP Pro (32), Vista (32/64),
itors
Win 7 (32/64).
CCleaner 1.09.313
[MAC]
While CCleaner has been the most popular PC maintenance tool for over
a decade, it is relatively new to the Mac platform. CCleaner is a quick and
easy to use program which makes your Mac faster and more secure.
CCleaner removes cookies, temporary files and various other unused data
that clogs up your operating system. This frees up valuable hard disk
space allowing your system to run faster. Removing this data also protects
your anonymity meaning you can browse online more securely.
CCleaner Slim
[WIN]
This component will install CCleaner. CCleaner is a freeware system optim- Applications
ization, privacy and cleaning tool. It removes unused files from your system
- allowing Windows to run faster and freeing up valuable hard disk space.
It also cleans traces of your online activities such as your Internet history.
Additionally it contains a fully featured registry cleaner. But the best part is
that it's fast (normally taking less than a second to run) and contains NO
Spyware or Adware!
Note: The slim version does not contain Yahoo Toolbar.
CentraSize [WIN]
Show folders in order of largest first for selected drive. Designed to find
folders that are taking up too much disk space. Similar in operation to the
product TreeSize. Powered by Disksum.
CentraTrack [WIN]
Designed to be run on devices that have been stolen in order to attempt to
Scripts
locate them. It puts the Agent into 'Stealth Mode' by performing the following actions: Removing the Agent System Tray icon, removing the Agent
from Add/Remove Programs, making all Agent application folders protected operating system files (i.e. SuperHidden), removing Agent shortcuts
from the start menu, reporting back external IP Address and performing a
TRACEROUTE command to try and get ISP information. The Agent will continue to function in the background as usual but not be easily visible to the
thief. The process is irreversible so USE WITH CAUTION!
CentraTrash [WIN]
Scours all drives on the target device for the supplied file extensions and
deletes them using the Pseudorandom Overwrite method. This will defeat
all software recovery programs and possibly microscopic forensic analysis
also.
CAUTION: THIS COMPONENT IS EXTREMELY DANGEROUS AND ANY
FILES DELETED WILL BE UNRECOVERABLE BY ANY MEANS!
Scripts
Change user password [WIN]
Changes the password for a user specified at execution time. Run on a
Domain Controller will change the password for a domain user. Run on a
member workstation, stand-alone workstation or stand-alone server will
change the password for a local user.
Scripts
Clean Internet
Browser Caches
[WIN]
Cleans Internet Browser Caches for all users. Supports IE, Firefox, Chrome
and Opera. This will not clean internet history or cookies but all cached
images and web pages that accumulate while internet browsing.
Scripts
Applications
Scripts
Name
Description
Category
Clear Packages
Folder [WIN]
Script to clear all files and folders from the Agent Packages folder minus
the current job. This is good for running as a thorough cleanup of your
Packages folder.
Note: The Packages folder is where all of your components land on the
remote device.
Scripts
Compatibility Pack
for the 2007 Office
System [WIN]
Microsoft Office Compatibility Pack is an add-on for Microsoft Office 2000,
Office XP and Office 2003 to open, edit and save Microsoft's newer Word,
Excel and Powerpoint formats that were introduced with Office 2007. The
tool also adds support to the 2003 versions of Word Viewer, Excel Viewer
and Powerpoint Viewer to open DOCX, DOCM, XSLX and PPTX files. This
component will install the 'Compatibility Pack for the 2007 Office System'
12.0.6500.5000, apply the 'Microsoft Office Compatibility Pack Service
Pack 3' 12.0.6612.1000 and suppresses reboot.
Note: Your system may require a reboot to complete installation.
Applications
Connectwise Integration
ConnectWise Integration
Integrations
CPU Temperature
Deploy OpenHardware Monitor application. Can be used in association
Monitor - OpenHard- with the 'CPU Temperature Monitor', also available from the ComStore.
ware Monitor
Installer [WIN]
Applications
CPU Temperature
OpenHardware Monitor application uninstaller.
Monitor - OpenHard- Note: Check if the 'CPU Temperature Monitor' is active on any devices
ware Monitor Unin- before running this uninstaller.
staller [WIN]
Scripts
CPU Temperature
Monitor Log Management Tool [WIN]
Script to retrieve or delete the log file created by the CPU Temperature
Monitor.
Scripts
CPU Temperature
Monitor [WIN]
Monitors your devices' CPU temperatures. Set the threshold with the variable CSTJMAX (Thermal Junction Maximum) Option to log alerts to .txt file
and to retrieve these log files using the script component 'CPU Temperature Monitor Log Management Tool' - also available from the
ComStore.
Note: This monitor should only be set on devices that have had the 'CPU
Temperature Monitor - OpenHardwareMonitor Installer' successfully
deployed.
Device Monitors
Create New Administrative User [WIN]
Creates a new user and makes them a member of the local administrators
group (For Windows).
Scripts
Create System
Restore Point [WIN]
On Windows 8 and above, if a restore point was created within the last 24
hours, a new one will not be created by default. You can edit a registry setting to change this. If system restore is disabled, the script will attempt to
enable it before creating the restore point.
Scripts
Name
Description
Category
Cute PDF Writer
3.0.0.7 [WIN]
CutePDF Writer (formerly CutePDF Printer) is the free version of comApplications
mercial PDF creation software. Portable Document Format (PDF) is the de
facto standard for the secure and reliable distribution and exchange of electronic documents and forms around the world. CutePDF Writer installs itself
as a printer subsystem. This enables virtually any Windows applications
(must be able to print) to create professional quality PDF documents - with
just a push of a button!
Datto Integration
Users can add this extension to enable Datto Integration in their account.
To disable the feature, simply delete this component from your Component
Library.
Extensions
Defraggler Defrag
[WIN]
Defrags selected drive using standalone version of Defraggler (df.exe).
Note: It does not require installation of Defraggler to function.
Scripts
Defraggler Slim
2.18.945 [WIN]
Defraggler Installer. Most defrag tools only allow you to defrag an entire
drive. Defraggler lets you specify one or more files, folders, or the whole
drive to de-fragment.
Note: This is the Slim version and does not include any additional toolbars
or browser installers.
Applications
Detect Windows
and Office keys
[WIN]
This component will detect Windows and Office license keys used on a
device and write them in the STDOUT and User-Defined Fields 9 and 10.
Scripts
Detect Windows
Product Keys [WIN]
Finds product keys for the following products: Microsoft Windows, Office,
SQL and Exchange. For more information on ProduKey, please visit
http://www.nirsoft.net/utils/product_cd_key_viewer.html
[Component submitted by customer: Fernand Jonker 21/03/2012]
Scripts
Disable the Get Win- This component disables the 'Get Windows 10' (GWX) nagware application
dows 10 Update
and automatic downloader by removing two Windows Updates and
enabling a registry key.
Scripts
Disk Space Monitor
[LINUX]
Use this component to monitor an attached disk drive for a machine running the Linux agent. Specify drives as 'sdXY', eg 'sda1'. One monitor per
drive.
Device Monitors
Disk Space Monitor
[MAC]
Use this component to monitor a disk drive's capacity on a Mac running OS
X. The monitor will post a warning once a user-set threshold is breached.
One monitor per drive.
Device Monitors
Domain Controller
monitor
This component runs DCDIAG on your Active Directory Domain Controllers, and will alert if one of the 6 key tests is failed.
Device Monitors
doPDF 7.3.393 PDF Converter
[WIN]
Using doPDF you can create PDF files by selecting the 'Print' command
from virtually any application. With one click you can convert your Microsoft
Excel, Word or PowerPoint documents or your emails and favorite web
sites to PDF files.
Applications
Drive list change
monitor
This monitor will write the current drive list to User-Defined Field 6, and
then alert if the drive list changes (e.g. drives are added or removed). This
will allow you to get alerts when a new disk was added or removed. This
monitor will not resolve until HKLM\Software\CentraStageScripts\DriveCheck\Current is removed.
Device Monitors
Name
Description
Category
Empty Recycle Bin
[WIN]
Empties the Recycle Bin for all users.
Scripts
Eraser 6.0.10.2620
[WIN]
Eraser is an advanced security tool for Windows which allows you to completely remove sensitive data from your hard drive by overwriting it several
times with carefully selected patterns.
Applications
eScan ISS v11 AntiVirus Monitor [WIN]
This component monitor will check and alert for: eScan not installed/not
running, Out-of-Date Definitions. Compatible with MS Windows XP Pro
(32/64), Vista (32/64) and Windows 7 (32/64).
Device Monitors
ESET Antivirus v5
Deployment [Linux]
ESET Antivirus v5 deployment for Linux.
Applications
ESET Antivirus v5
Deployment [MAC]
ESET Antivirus v5 deployment for Mac OS X.
Applications
ESET Antivirus v5
Deployment [Server
and Workstation]
[WIN]
ESET Endpoint Antivirus v5 deployment for 32 and 64-bit computers running Windows. Products will be automatically detected and downloaded
based on type and architecture (32 or 64-bit). Workstations can use EEA
(Endpoint Antivirus) or EES (Endpoint Security) products. Servers are automatically detected and receive EFSW. To override automatic download,
copy this component and attach your own installers. You can declare them
by stating the filenames using the pre-defined local32 and local64 variables.
Applications
ESET Antivirus v6
Deployment [Linux]
ESET Antivirus v6 deployment for Linux.
Applications
ESET Antivirus v6
Deployment [MAC]
ESET Antivirus v6 deployment for Mac OS X.
Applications
ESET Antivirus v6
Deployment [Server
and Workstation]
[WIN]
ESET Endpoint Antivirus v6 deployment for 32 and 64-bit computers running Windows. Products will be automatically detected and downloaded
based on type and architecture (32 or 64-bit). Workstations can use EEA
(Endpoint Antivirus) or EES (Endpoint Security) products. Servers are automatically detected and receive EFSW. To override automatic download,
copy this component and attach your own installers. You can declare them
by stating the filenames using the pre-defined local32 and local64 variables.
Applications
ESET NOD32 v4
AV Monitor [Server
and Workstation]
[WIN]
This component monitor will check and alert for: ESET NOD32 v4 not
installed/not running, Out-of-Date Definitions. Compatible with: XP Pro
(32/64), Vista (32/64), Win 7 (32/64), Server 2003 (32/64), Server 2008
(32/64), Server 2008 R2 (64), SBS 2008 (64).
Device Monitors
ESET v5/6 AV Monitor [Linux]
This component monitor will check and alert for: ESET v5 or v6 not
installed/not running, Out of Date Definitions.
Device Monitors
ESET v5/6 AV Monitor [MAC]
This component monitor will check and alert for: ESET v5 or v6 not
installed/not running, Out of Date Definitions.
Device Monitors
ESET v5/6 AV Monitor [WIN]
This component monitor will check and alert for: ESET v5 or v6 service not
running, Out of Date Definitions. Compatible with: XP Pro (32/64), Vista
(32/64), Win 7 (32/64), Server 2003 (32/64), Server 2008 (32/64), Server
2008 R2 (64), SBS 2008 (64).
Device Monitors
Name
Description
Category
Evernote
5.8.13.8152 [WIN]
Evernote allows you to easily capture information in any environment
using whatever device or platform you find most convenient, and makes
this information accessible and searchable at any time, from anywhere.
Applications
Exchange 2007:
Information Store
File Size Monitor
[WIN]
Exchange 2007 Monitor. Monitors: Information Store File Size and will generate an alert once the specified limit is exceeded. Prerequisites:
• Compatible with Agent version 1506 and above
• Exchange 2007 is 64-bit only and this monitor requires the CAGservice.exe to run as a 64-bit process (check Task Manager on the target
device)
• Ensure that the latest Service Pack (SP3) and subsequent hotfixes have
been applied to your Exchange 2007 Server
Device Monitors
Exchange 2010:
Information Store
File Size Monitor
[WIN]
Exchange 2010 Monitor. Monitors: Information Store File Size and will generate an alert once the specified limit is exceeded. Prerequisites:
• Compatible with Agent version 1506 and above
• Exchange 2010 is 64-bit only and this monitor requires the CAGservice.exe to run as a 64-bit process (check Task Manager on the target
device)
• Ensure that the latest Service Pack (SP2) and subsequent hotfixes have
been applied to your Exchange 2010 Server
Device Monitors
Exchange Message
Queue Length Monitor
This monitor will check the Message Queue Length and alert if the specified threshold is exceeded. Compatible with Exchange 2007/2010/2013.
Device Monitors
Expired Certificates
Monitor [WIN]
This component will monitor for expired certificates on a Windows
machine. If it is due to expire in 30 days, it will generate an alert and
provide more details in the alert message.
Device Monitors
F-Secure Antivirus
Monitor
This component monitor will check and alert for: F-Secure Antivirus service
not running, Out of Date Signatures. Compatible with: Win 7 (32/64), Win 8
(32/64), Win 8.1 (32/64), Win 10 (32/64).
Device Monitors
FileZilla Client
(32/64-bit) [WIN]
FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP cli- Applications
ent with lots of useful features and an intuitive graphical user interface.
FileZilla Client
3.17.0 [MAC]
FileZilla Client is a fast and reliable cross-platform FTP, FTPS and SFTP cli- Applications
ent with lots of useful features and an intuitive graphical user interface.
Fix incorrect CPU
reporting on XP
and 2003 [WIN]
Windows XP or Server 2003 devices can report incorrect CPU information
Scripts
to the WMI where the Agent collects audit information. The data that is
returned indicates that the CPU name is 'Intel Pentium III Xeon' or 'Intel Pentium III' when it may be a 'Core 2 Duo' or a 'Quad core'. (http://support.microsoft.com/kb/953955). This script Component will fix this
problem.
Note: A reboot is required to complete the installation but automatic reboot
is disabled in the installer. The Component will detect the O/S and install
the correct version of KB953955.
Foxit PDF Reader
5.5.6.218 [WIN]
Foxit Reader is a free PDF document viewer, with incredible small size,
breezing-fast launch speed and rich feature set. Its core function is compatible with PDF Standard 1.7.
Applications
Name
Description
Category
Foxit PDF Reader
7.2.0.0722 [WIN]
Foxit Reader allows you to create, view and print PDFs. The application is
noticeably smaller than Adobe's Acrobat software and therefore makes it
ideal for those of you who need a powerful program, which doesn't rely
heavily upon system resources. Foxit Reader is a completely configurable
program. You can change the way your document looks with read mode,
reverse view and text viewer options. You can also configure the page to
display in many ways; full screen, single page, continuous scrolling, split,
two page facing, continuous facing, separate cover page and auto-scroll.
Applications
Freemake Video
Converter 4.1.6.7
[WIN]
Freemake freeware program for video converting. Developed as alternative to popular paid software. Free, easy and of high quality are the fundamental principles of Freemake. Convert video to AVI, MP4, WMV, MKV,
SWF, 3GP, DVD, MPEG, MP3, iPod, iPhone, PSP, Android, rip and burn
DVD, convert online videos directly from 40 plus sites, burn Blu-ray, and
upload to YouTube. Compatibility: Windows XP Pro, Vista and 7.
Note: Freemake requires .Net Framework 4 to run .This component will
check if .Net FW4 is present and if not found it will be installed.
Applications
G-Data Antivirus
Monitor
This component monitor will check and alert for: G-Data Antivirus service
not running, Out of Date Signatures. Compatible with: Win 7 (32/64), Win 8
(32/64), Win 8.1 (32/64), Win 10 (32/64).
Device Monitors
GFI Cloud Agent
UNINSTALLER
[WIN]
This component will uninstall all traces of GFI Cloud from the user's computer, along with all software installed by GFI (VIPRE, TeamViewer etc).
Independent installations of these software suites should not be affected.
This uninstaller is not suitable for GFI MAX.
Scripts
GFI MAX Agent
UNINSTALLER
[WIN]
This component uninstalls the GFI MAX Agent from a Windows device.
Scripts
Google Chrome
[WIN]
This component will install or update Google Chrome to the latest version.
Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.
Applications
Google Chrome
[MAC]
Google Chrome is a browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.
Applications
Google Drive
1.25.0468.5720
[MAC]
Google Drive is a place where you can create, share, collaborate, and
keep all of your stuff. Whether you're working with a friend on a joint
research project, planning a wedding with your fiance or tracking a budget
with roommates, you can do it in Drive. You can upload and access all of
your files, including videos, photos, Google Docs, PDFs and beyond.
Applications
Google Drive
1.25.523.2491
[WIN]
Google Drive is a place where you can create, share, collaborate, and
keep all of your stuff. Whether you're working with a friend on a joint
research project, planning a wedding with your fiance or tracking a budget
with roommates, you can do it in Drive. You can upload and access all of
your files, including videos, photos, Google Docs, PDFs and beyond.
Applications
Google Earth
7.1.5.1557 [WIN]
Google Earth lets you fly anywhere on Earth to view satellite imagery,
maps, terrain, 3D buildings, from galaxies in outer space to the canyons of
the ocean. You can explore rich geographical content, save your toured
places, and share with others.
Applications
Name
Description
Category
Google SketchUp
8.0.16846 [WIN]
Google SketchUp is software that you can use to create 3D models of anything you like. Get started right away. Most people get rolling with
SketchUp in just a few minutes. Dozens of video tutorials, an extensive
Help Center and a worldwide user community mean that anyone who
wants to make 3D models with SketchUp, can.
Applications
GreenShot 1.2.6.7
[WIN]
Greenshot is a light-weight screenshot software tool for Windows with the
following key features:
• Quickly create screenshots of a selected region, window or fullscreen;
you can even capture complete (scrolling) web pages from Internet
Explorer.
• Easily annotate, highlight or obfuscate parts of the screenshot.
• Export the screenshot in various ways: save to file, send to printer, copy to
clipboard, attach to e-mail, send Office programs or upload to photo sites
like Flickr or Picasa, and others.
Applications
Hard Drive predicted failure Monitor [WIN]
Monitor S.M.A.R.T hard drive information for all local drives using Windows
WMI in order to predict a failing drive.
Device Monitors
IE - Disable or
Enable Browser
Extensions [WIN]
This component will disable or enable Internet Explorer Browsers Extensions. Handy if you want to ensure your users do not run any nasty Toolbars in IE.
Scripts
Install recommended updates
on OSX [MAC]
This component will download and install all recommended updates on
Apple OSX devices.
Scripts
Install uVNC Mirror
Driver - NOT XP or
Server 2003 [WIN]
Installs uVNC Mirror Driver on the following Windows operating systems:
Vista, 7, Server 2008, Server 2008R2, 8, Server 2012. Installation will abort
if an incompatible operating system is found. Also checks for a previous
driver installation and aborts if found. Install this on systems you wish to
connect to. http://www.uvnc.com
Scripts
Internet Explorer 11
32-bit for Windows
7 [WIN]
Internet Explorer 11 is fast and fluid, and lets your websites shine and perform just like native apps on your PC. Fast and fluid for Windows 7.
• Fast: Internet Explorer 11 harnesses the untapped power of your PC,
delivering pages full of vivid graphics, smoother video, and interactive content.
• Easy: Experience the web the way you want to with pinned sites, built-in
Spellcheck, and seamless integration with your PC running Windows 7.
• Safer: Improved features like SmartScreen Filter and Tracking Protection
let you be more aware of threats to your PC and your privacy.
Applications
Internet Explorer 11
64-bit for Win7 and
Win Svr 2008 R2
SP1 [WIN]
Internet Explorer 11 is fast and fluid, and lets your websites shine and perform just like native apps on your PC. Fast and fluid for Windows 7.
• Fast: Internet Explorer 11 harnesses the untapped power of your PC,
delivering pages full of vivid graphics, smoother video, and interactive content.
• Easy: Experience the web the way you want to with pinned sites, built-in
Spellcheck, and seamless integration with your PC running Windows 7.
• Safer: Improved features like SmartScreen Filter and Tracking Protection
let you be more aware of threats to your PC and your privacy.
Applications
Name
Description
Category
IObit Smart Defrag
3.1.0.319 [WIN]
Disk fragmentation is generally the main cause of slow and unstable PC
performance. IObit SmartDefrag helps defrag your hard drive most efficiently. With 'Install it and forget it' feature, IObit SmartDefrag works automatically and quietly in the background on your PC, keeping your hard
disk running at its speediest. Slow down, freeze-ups and crashes will be a
thing of the past. IObit SmartDefrag is 100% free for personal, home and
small business. Detected by many strictest tests, IObit SmartDefrag is
100% safe and has no spyware / adware.
Applications
IObit Uninstaller
4.3.0.122 [WIN]
IObit Uninstaller helps you uninstall and remove unwanted programs and
folders from your computer fast and easily. Where the built-in and sluggish
'Windows Add or Remove Programs' option fails, IObit Uninstaller works as
always and picks up the slack. As well as allowing programs to be batch
uninstalled, it can also scan the registry for leftover traces and eliminate
them.
Applications
iTunes 12.2.2.25
32-bit [WIN]
iTunes is a free application for Mac and PC. It plays all your digital music
and video. It syncs content to your iPod, iPhone, and Apple TV and it's an
entertainment superstore that stays open 24/7. Organize your music into
playlists. Edit file information. Record compact discs. Copy files to an iPod
or other digital audio player. Purchase music and videos on the Internet
through the built-in iTunes store. Run a visualizer to display graphical
effects in time to the music. Encode music into a number of different audio
formats.
Applications
iTunes 12.2.2.25
64-bit [WIN]
iTunes is a free application for Mac and PC. It plays all your digital music
and video. It syncs content to your iPod, iPhone, and Apple TV and it's an
entertainment superstore that stays open 24/7. Organize your music into
playlists. Edit file information. Record compact discs. Copy files to an iPod
or other digital audio player. Purchase music and videos on the Internet
through the built-in iTunes store. Run a visualizer to display graphical
effects in time to the music. Encode music into a number of different audio
formats.
Applications
Java - Modify auto
update settings
[WIN]
Script to enable / disable Java auto update by modifying the registry.
Scripts
Java Runtime Edition 1.6 [WIN]
Java software allows you to run applications called 'applets' that are written
in the Java programming language. These applets allow you to have a
much richer experience online than simply interacting with static HTML
pages.
Applications
Java Runtime Edition 7 [WIN]
Java Runtime Edition 7 [MAC]
Java Runtime Edition 8 [WIN]
Java Runtime Edition 8 [MAC]
Name
Description
Category
K-Lite Codec Pack
11.36 [WIN]
The K-Lite Codec Pack is a collection of DirectShow filters, VFW/ACM
codecs and tools. Codecs and DirectShow filters are needed for encoding
and decoding audio and video formats. The K-Lite Codec Pack is
designed as a user-friendly solution for playing all your audio and movie
files. With the K-Lite Codec Pack you should be able to play all the popular
audio and video formats and even several less common formats.
Applications
Kaseya Agent
UNINSTALLER
[WIN]
This component uninstalls the Kaseya Agent from a Windows device.
Applications
Kaspersky 2011
Internet Security
monitor [WIN]
This component monitor will check and alert for: Kaspersky 2011 not
installed/not running, Out-of-Date Definitions. Compatible with XP Pro
(32/64), Vista (32/64), Win 7 (32/64).
Device Monitors
Kaspersky Endpoint Security
Users can add this extension to enable Kaspersky Endpoint Security Integration in their account. To remove it, simply delete it from the Extensions
category in your Component Library.
Extensions
Labtech Agent
UNINSTALLER
[WIN]
This component uninstalls the Labtech Agent from a Windows device.
Scripts
LogMeIn Agent
UNINSTALLER
[WIN]
This component uninstalls LogMeIn from a Windows device.
Scripts
Mac OSX 10.7.5
and above BASH
Update 1.0 [MAC]
Update for Macs running OS X 10.7.5 and above. This update fixes a secur- Applications
ity flaw (Shellshock) present in the bash command interpreter present on
all OS X systems. http://support.apple.com/kb/HT6495
Note: Post deployment, run the command "bash –version"; a fixed version
of BASh will output the string "GNU bash, version 3.2.53(1)".
Malwarebytes AntiMalware
1.75.0.1300 [WIN]
Malwarebytes' Anti-Malware can detect and remove malware that even the Applications
most well known anti-virus and anti-malware applications fail to detect. Malwarebytes' Anti-Malware monitors every process and stops malicious processes before they even start.
Malwarebytes AntiMalware 2.2.0.1024
[WIN]
Malwarebytes' Anti-Malware can detect and remove malware that even the
most well known anti-virus and anti-malware applications fail to detect.
Malwarebytes' Anti-Malware monitors every process and stops malicious
processes before they even start.
Applications
Malwarebytes AntiMalware [MAC]
This component installs Malwarebytes Anti-Malware for Mac. This application can detect and remove malware that even the most well known antivirus and anti-malware applications fail to detect. Malwarebytes' Anti-Malware monitors every process and stops malicious processes before they
even start.
Applications
Maximum file size
[WIN]
Monitors whether a specified file exceeds a certain size and alerts if detected.
Device Monitors
McAfee Anti-Virus
14.5 Monitor [WIN]
This component monitor will check and alert for: McAfee 14.5 not
installed/not running, Out-of-Date Definitions. Compatible with XP Pro (32),
Vista (32/64), Win 7 (32/64).
Device Monitors
Name
Description
Category
Memory Audit
[MAC]
Reports on memory status and type - Mac OSX.
Scripts
Microsoft .NET
Framework 4 Extended 4.0.30319
[WIN]
The .NET Framework is Microsoft's comprehensive and consistent programming model for building applications that have visually stunning user
experiences, seamless and secure communication, and the ability to
model a range of business processes. The Microsoft .NET Framework 4
redistributable package installs the .NET Framework runtime and associated files that are required to run and develop applications to target the
.NET Framework 4. The .NET Framework 4 works side by side with older
Framework versions. Applications that are based on earlier versions of the
Framework will continue to run on the version targeted by default.
Note: .NET Framework 4 is NOT supported on Windows XP Service Pack 2
or lower.
Supported Operating Systems : Windows 7, Windows 7 Service Pack 1,
Windows Server 2003 Service Pack 2, Windows Server 2008, Windows
Server 2008 R2, Windows Server 2008 R2 SP1, Windows Vista Service
Pack 1, Windows XP Service Pack 3.
Applications
Microsoft .NET
Framework 4.5
[WIN]
model a range of business processes. The Microsoft .NET Framework 4.5
.NET Framework 4.5. The .NET Framework 4.5 works side by side with
older Framework versions. Applications that are based on earlier versions
of the Framework will continue to run on the version targeted by default.
Note: .NET Framework 4.5 is NOT supported on Windows XP/Server 2003
or lower.
Supported Operating Systems : Windows 7 SP1, Windows Server 2008
SP2, Windows Server 2008 R2 SP1, Windows Vista SP2.
Applications
Microsoft .NET
Framework 4.5.1
[WIN]
model a range of business processes. The Microsoft .NET Framework
4.5.1 redistributable package installs the .NET Framework runtime and
associated files that are required to run and develop applications to target
the .NET Framework 4.5.1. The .NET Framework 4.5.1 works side by side
with older Framework versions. Applications that are based on earlier versions of the Framework will continue to run on the version targeted by
default.
Note: .NET Framework 4.5.1 is NOT supported on Windows XP/Server
2003 or lower.
Supported Operating Systems : Windows 8 Windows 7 SP1, Windows
Server 2012, Windows Server 2008 SP2, Windows Server 2008 R2 SP1,
Windows Vista SP2.
Applications
Name
Description
Category
Microsoft .NET
Framework 4.5.2
[WIN]
model a range of business processes. The Microsoft .NET Framework
4.5.2 redistributable package installs the .NET Framework runtime and
associated files that are required to run and develop applications to target
the .NET Framework 4.5.2. The .NET Framework 4.5.2 works side by side
with older Framework versions. Applications that are based on earlier versions of the Framework will continue to run on the version targeted by
default.
Note: .NET Framework 4.5.2 is NOT supported on Windows XP/Server
2003 or lower.
Supported Operating Systems: Windows 8.1, Windows 8, Windows 7 SP1,
Windows Server 2012 R2, Windows Server 2012, Windows Server 2008
SP2, Windows Server 2008 R2 SP1, Windows Vista SP2.
Applications
Microsoft .NET
Framework 4.6
model a range of business processes. The Microsoft .NET Framework 4.6
.NET Framework 4.6 The .NET Framework 4.6 works side by side with
older Framework versions. Applications that are based on earlier versions
of the Framework will continue to run on the version targeted by default.
Note: .NET Framework 4.6 is NOT supported on Windows XP/Server 2003
or lower.
Supported Operating Systems: Windows 8, Windows 7 SP1, Windows
Server 2012, Windows Server 2008 SP2, Windows Server 2008 R2 SP1,
Windows Vista SP2.
Applications
Microsoft .NET
Framework Repair
Tool v1.2
The Microsoft .NET Framework Repair Tool detects frequently occurring
Scripts
issues that affect the Microsoft .NET Framework setup or updates. The tool
tries to resolve those issues by applying known fixes or by repairing the corrupted installations of the supported .NET Framework versions. Log output
is recorded in the StdOut.
http://support.microsoft.com/en-gb/kb/2698555
Microsoft Baseline
Security Analyzer
2.3 (32-Bit) [WIN]
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that
helps small and medium businesses determine their security state in
accordance with Microsoft security recommendations and offers specific
remediation guidance. Improve your security management process by
using MBSA to detect common security misconfigurations and missing
security updates on your computer systems.
Applications
Microsoft Baseline
Security Analyzer
2.3 (64-Bit) [WIN]
Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool that
helps small and medium businesses determine their security state in
accordance with Microsoft security recommendations and offers specific
remediation guidance. Improve your security management process by
using MBSA to detect common security misconfigurations and missing
security updates on your computer systems.
Applications
Microsoft Silverlight
5.1.30317.0 [MAC]
Microsoft Silverlight is a programmable web browser plugin that enables
features such as animation, vector graphics and audio-video playback so
you can experience rich Internet applications.
Applications
Name
Description
Category
Mobile Device Management
Add support for iOS and Android devices. Add this extension to enable
Mobile Device Management in your account. Before you can enroll any
Apple iOS devices, you will need to upload your Apple Push Notification
Certificate. Instructions to do this can be found in Account Settings once
the extension has been downloaded. You can then send enrollment
emails to your devices within every site. To remove this extension simply
delete it from the Extensions category in your Component Library.
Extensions
Modify .ini file [WIN]
Modify a specific value in an .ini file. Variables to determine the path, section, key and value to be modified.
Scripts
Modify Secure
Attention Sequence
(SAS) [WIN]
This registry edit script enables Services and Ease of Access applications
to simulate the Secure Attention Sequence (SAS). This is the
CTRL+ALT+DELETE screen that appears on the login page in certain
environments and can render the VNC service unable to simulate the
necessary key presses to log into Windows Vista, 7, 8, Server 2008 and
Server 2012.
Scripts
Monitor Device
Movement
This component checks external IP address against site variables to detect
movement of the device. This can be used to generate a ticket to ensure
assets are ultimately billed to the correct Account within Autotask. Requirement: Create two site variables "EXTIP" and "EXTIPALT" and define the
primary and if existing, alternate external IP address (i.e. some sites have
redundant connections).
Device Monitors
Monitor for V2 of
MSE [WIN]
MS Security Essentials v2 AV Monitor This component is to monitor version
2 only of MSE and will check and alert for: MSE not installed/not running,
Out-of-Date Definitions. Compatible with XP Pro (32), Vista (32/64), Win 7
(32/64).
Device Monitors
Monitor System
Restore Status
[WIN]
This component alerts if System Restore is disabled. (Workstations Only).
Thanks to Adam Peterson on the AEM community.
Device Monitors
Mozilla FireFox
[MAC]
The Web is all about innovation, and Firefox sets the pace with dozens of
Applications
new features to deliver a faster, more secure and customizable Web browsing experience for all.
Mozilla Firefox
[WIN]
This component will update or install Mozilla Firefox to the latest version.
Applications
The Web is all about innovation, and Firefox sets the pace with dozens of
new features to deliver a faster, more secure and customizable Web browsing experience for all.
MS Security Essentials (32-Bit)
(Vista/Win 7)
4.6.305 [WIN]
Microsoft Security Essentials provides real-time protection for your PC that
guards against viruses, spyware, and other malicious software.
Applications
MS Security Essentials (32-Bit) (XP)
4.4.304 [WIN]
Applications
MS Security Essentials (32-Bit) (XP)
2.1.1116 [WIN]
Applications
Name
Description
Category
(Vista/Win 7)
2.1.1116 [WIN]
Applications
(Vista/Win 7)
4.6.305 [WIN]
Applications
N-Able Agent
UNINSTALLER
[WIN]
This component uninstalls the N-Able Agent from a Windows device.
Scripts
Network Speed
Test [WIN]
This component will check the current Ping, Upload and Download speeds
by checking the connection to a near server. Check the STDOUT for the
results.
Scripts
Network: 3Com
Analogue Telephony 'ELBRUS'
Device Monitor
This monitor supports 3Com NBX devices that use the OIDs standardized
in the A3ComNBX MIB.
Network
Monitors
Network: AdTran
Network Devices
Monitor
Network Monitor for AdTran Network Devices.
Network
Monitors
Network: APC
Symetra 40K UPS Battery Monitor
Network Monitor for American Power Conversion (APC) UPS Model
Symetra 40K.
Network
Monitors
Network: Cisco 800
Series
Network Monitor for Cisco 800 Series.
Network
Monitors
Network: Cisco Network Device Monitor
Generic resource monitor for Cisco Networking Devices.
Network
Monitors
Network: Compaq
ProLiant Servers
Monitor
Network Monitor for Compaq ProLiant Servers.
Network
Monitors
Network: Dell RAID
Controller State
Monitor
Generic State Monitor for Dell RAID Controller Units.
Network
Monitors
Network: Dell
Remote Access
Card Global Status
Monitor
Monitor the global status of managed devices with a Dell Remote-Access
Card (DRAC) installed.
Network
Monitors
Network: Dell Servers with OpenManage Monitor
Network Monitor for Dell Servers with OpenManage.
Network
Monitors
Network: Dell
Switch Monitor
Generic Monitor for Dell Switches, checking for Fan and Power Supply
status.
Network
Monitors
Name
Description
Category
Network: Generic
APC Management
Card Monitor
Generic Network Monitor for Management cards installed in American
Power Conversion (APC) UPS devices.
Network
Monitors
Network: Generic
APC UPS Battery
Monitor
Generic Monitor for batteries connected to APC UPS Devices.
Network
Monitors
Network: Generic
Dell Storage Array
(Global) Monitor
Global Monitor for Dell Storage Arrays.
Network
Monitors
Network: Generic
Dell Storage Battery Monitor
Monitor for Dell Storage Unit Batteries.
Network
Monitors
Network: Generic
Dell Storage Controller Monitor
Monitor for Dell Storage Unit Controllers.
Network
Monitors
Network: Generic
Dell Storage Disk
Array Monitor
Generic Monitor for Disk Arrays in a Dell Storage Unit.
Network
Monitors
Network: Generic
FortiGate Firewall
Monitor
Generic Monitor for FortiGate Firewall Units.
Network
Monitors
Network: HP
ProCurve Monitor
Generic Resource and Sensor Monitor for HP ProCurve devices.
Network
Monitors
Network: HP ProLiant Fault-Tolerant
Power Supplies
Monitor
Network Monitor for HP ProLiant Fault-Tolerant Power Supplies.
Network
Monitors
Network: HP ProLiant Thermal Sensor
Monitor
Network Monitor for HP ProLiant Thermal Sensor.
Network
Monitors
Network: HP Server
Health Monitor
Monitor for HP Server RAID, Fan, Power and Thermal Sensors for HP
Network
Boxes running Windows and HP Software - HP Management Agents and
Monitors
the Insight Manager are both supported, as is Systems Management
Homepage. The Windows SNMP Service will need to be installed and functional on the device as well.
Network: HP-Compaq ProLiant Controller Board
Monitor
Monitor for CPU Status in HP-Compaq ProLiant Controller Boards.
Network: Linux
Network Monitor for Linux CPU and RAM.
CPU and RAM Monitor
Network
Monitors
Network
Monitors
Name
Description
Category
Network: MiTel
3300 IP Communication Platform
(ICP) Monitor
Network Monitor for MiTel 3300 IP Communication Platform (ICP).
Network
Monitors
Network: NetApp
Monitors for Filesystem status, CPU and system status.
Network
Monitors
Network:
NetScreen Generic
Firewall Device
Monitor
Generic Resource Monitor for NetScreen Firewall Devices.
Network
Monitors
Network: OS X
SNMP Device Monitor
Resource Monitor for Macs running OS X which are outputting System diagnostics via SNMP.
Network
Monitors
Network: RiverBed
SteelHead Device
Monitor
Network Monitor for RiverBed SteelHead Device.
Network
Monitors
Network: Room
Alert 11E ID Box
Monitor
SNMP Monitor for Room Alert 11E ID Box alerts.
Network
Monitors
Norton Anti-Virus
v18 (2011) AV Monitor [WIN]
Norton Anti-Virus v18 (2011) AV Monitor. This component will check and
alert for: AV not installed/ not running, Out of Date. Compatible with MS
Windows XP Pro (32), Vista (32/64), Windows 7 (32/64).
Device Monitors
Norton Internet
Security 18.x
(2011) Monitor
[WIN]
Norton Internet Security 18.x (2011) Monitor. This component will check
and alert for: AV not installed/ not running, Out of Date. Compatible with
MS Windows XP Pro (32), Vista (32/64), Windows 7 (32/64).
Device Monitors
Norton Online
Backup 2.0 Monitor
[WIN]
This component monitor will check and alert for: Norton Online Backup not
installed/not running, Not backed up in last 24 hours (check period is configurable when applying the monitor), Log file flagged words alerts. Compatible with Windows XP Pro (32/64), Windows Vista (32/64), Windows 7
(32/64), Windows Server 2003 (32/64), Windows Server 2003 R2 (32/64),
Windows Server 2008 (32/64), Windows Server 2008 R2 (64).
Device Monitors
Notepad++ 5.9.8
[WIN]
Notepad++ is a free source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use
is governed by GPL License. Based on a powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which
ensures a higher execution speed and smaller program size.
Applications
Notepad++ 6.8.5
[WIN]
Notepad++ is a free source code editor and Notepad replacement that supports several languages. Running in the MS Windows environment, its use
is governed by GPL License. Based on a powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which
ensures a higher execution speed and smaller program size.
Applications
Name
Description
Category
Opera
31.0.1889.99 [WIN]
Opera is the fastest web browser available, and offers more features than
Applications
any other browser to let you take advantage of today's Web. Popular features:
• Opera Turbo speeds up browsing on slow connections.
• Opera Link can synchronize bookmarks with other computers and mobile
phones.
• Opera Unite makes it easy to share files, photos and music from your computer.
All this is just the beginning - there is so much to discover in Opera. Read
more at www.opera.com, or just download Opera now and try a better
browser for yourself.
OSFMount
1.5.1015 [WIN]
OSFMount installer. OSFMount allows you to mount local disk image files
(bit-for-bit copies of a disk partition) in Windows with a drive letter.
OSFMount also supports the creation of RAM disks, basically a disk mounted into RAM. This generally has a large speed benefit over using a hard
disk. As such this is useful with applications requiring high speed disk
access, such as database applications, games (such as game cache files)
and browsers (cache files). A second benefit is security, as the disk contents are not stored on a physical hard disk (but rather in RAM) and on system shutdown the disk contents are not persistent. OSFMount supports
mounting images of CDs in .ISO format, which can be useful when a particular CD is used often and the speed of access is important.
Applications
Paint.NET .ico and
.cur file support
[WIN]
Adds .ico and .cur file support to Paint.NET in the form of a plugin.
Note: The full version of Paint.NET must be installed prior to running this
component.
Applications
Paint.NET 3.5.11
(32-Bit) [WIN]
Paint.NET is an image and photo manipulation application. Every feature
and user interface element was designed to be immediately intuitive and
quickly learnable without assistance. In order to handle multiple images
easily, Paint.NET uses a tabbed document interface. The tabs display a
live thumbnail of the image instead of a text description. This makes navigation very simple and fast.
Applications
Paint.NET 3.5.11
(64-Bit) [WIN]
Applications
Paint.NET 4.0.6 32bit [WIN]
Note: Paint.NET requires Windows 7 SP1 or above and .NET Framework
4.5.x or above.
Applications
Name
Description
Category
Paint.NET 4.0.6 64bit [WIN]
Note: Paint.NET requires Windows 7 SP1 or above and .NET Framework
4.5.x or above.
Applications
Panda Anti-Virus
2011 Monitor [WIN]
This component monitor will check and alert for: Panda Anti-Virus 2011 not
installed/not running, Out of Date Definitions. Compatible with: XP Pro (32),
Vista (32/64), Win 7 (32/64).
Device Monitors
Panda Cloud
AntiVirus 1.5.x AV
Monitor [WIN]
This component monitor will check and alert for: Panda 1.5 not
installed/not running, Out of Date Definitions. Compatible with: XP Pro (32),
Vista (32/64), Win 7 (32/64).
Device Monitors
PeaZip 5.7.1 (64Bit) [WIN]
PeaZip is an open source file and archive manager. It's freeware and free
of charge for any use. PeaZip can extract most of archive formats both from
Windows and Unix worlds, ranging from mainstream 7Z, RAR, TAR and
ZIP to experimental ones like PAQ/LPAQ family. Currently the most powerful compressor available.
Applications
PeaZip 5.7.1 (32Bit) [WIN]
PeaZip is an open source file and archive manager. It's freeware and free
of charge for any use. PeaZip can extract most of archive formats both from
Windows and Unix worlds, ranging from mainstream 7Z, RAR, TAR and
ZIP to experimental ones like PAQ/LPAQ family, currently the most powerful compressor available.
Applications
Physical Memory
Audit [WIN]
Script to output a detailed audit of installed physical memory, free memory
slots and maximum supported memory. Powered by CPU-Z and useful for
determining if a memory upgrade is possible for a given device. Set to trigger a warning using Post-Conditions if both installed memory is less than
maximum supported and at least one free memory slot is available.
Scripts
Picasa 3.9 Build
139.161 [WIN]
Picasa is software that helps you instantly find, edit and share all the pictures on your PC. Every time you open Picasa, it automatically locates all
your pictures (even the ones you forgot you had) and sorts them into visual
albums organized by date with folder names you will recognize. You can
drag and drop to arrange your albums and make labels to create new
groups. Picasa makes sure your pictures are always organized.
Applications
Ping Monitor v2
[WIN]
Monitors to ping a specified host/IP address 10 times in a row with a 5
second timeout and returns an alert status if no responses are received.
Input: Host (String) - Host/IP Address to check for. Input: Name (String) Name of monitor (user defined).
Device Monitors
Ping Monitor [WIN]
Monitors to ping a specified host/IP address 10 times in a row with a 5
second timeout and returns an alert status if failed (70% success - Warning, 50% success - Critical).
Device Monitors
Name
Description
Category
Port Checker [WIN]
This Monitor Component will check whether a specified endpoint address
has a specified TCP port reachable from the device that the monitor is
applied to. An alert will be triggered when the port is unreachable from that
device or if the specified host address is not reachable.
Note: This monitor should only be set on devices that have had the 'Portqry
Installer' component successfully deployed.
Device Monitors
Portqry Installer
[WIN]
Deploy Microsoft's 'Portqry.exe' program. Can be used in association with
the Port Checker Monitor, also available in the ComStore.
Applications
Powershell execution policy [WIN]
Script to set powershell execution policy to the value set in the input variable policy_level (default = Unrestricted).
Scripts
Pre-install
Splashtop Streamer
[MAC]
This component will install the Splashtop Remote Control Stream on a
MAC OSX Endpoint. By running this component you can make sure the
streamer is present at the time you want to connect to the device. It also
allows for more flexibility versus the Account Settings page in the system.
For example, you can now schedule this process at a convenient time and
also use the LanCache functionality.
Applications
Pre-install
Splashtop Streamer
[WIN]
This component will install the Splashtop Remote Control Stream on a Win- Applications
dows Endpoint. By running this component you can make sure the
streamer is present at the time you want to connect to the device. It also
allows for more flexibility versus the Account Settings page in the system.
For example, you can now schedule this process at a convenient time and
also use the LanCache functionality.
Printer Spooler Clear and Restart
[WIN]
Script that will stop the Printer Spooler service, clear down any troublesome pending print jobs and then restart the service.
Scripts
Process Explorer
14.11 [WIN]
Process Explorer shows you information about which handles and DLLs
processes have opened or loaded. The unique capabilities of Process
Explorer make it useful for tracking down DLL-version problems or handle
leaks, and provide insight into the way Windows and applications work.
Applications
Process Explorer
15.40 [WIN]
Applications
Process Explorer
16.02 [WIN]
Applications
Process Monitor
3.10 [WIN]
Process Monitor is an advanced monitoring tool for Windows that shows
real-time file system, Registry and process/thread activity. It combines the
features of two legacy Sysinternals utilities, Filemon and Regmon, and
adds an extensive list of enhancements including rich and non-destructive
filtering, comprehensive event properties such as session IDs and user
names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much
more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.
Applications
Name
Description
Category
Process started
[WIN]
Monitor whether a specified process is started and alert if detected.
Device Monitors
Process stopped
[WIN]
Monitor whether a specified process is stopped and alert if detected.
Device Monitors
RDP Critical Vulnerability Update
(KB2621440 and
KB2667402)
This security update resolves two privately reported vulnerabilities in the
Remote Desktop Protocol. The more severe of these vulnerabilities could
allow remote code execution if an attacker sends a sequence of specially
crafted RDP packets to an affected system. By default, the Remote Desktop
Protocol (RDP) is not enabled on any Windows operating system. Systems that do not have RDP enabled are not at risk. Script uses Windows
Update API to retrieve updates from Windows Update website.
Scripts
Reboot Device
[WIN]
Reboot device forcibly with variable timeout.
Scripts
Reboot FROM
Normal Mode TO
Safe Mode (with
Networking) [WIN]
Reboots the device to safe mode with networking. VNC is possible but not
RDP.
Note: Once your Safe Mode remote session is finished, run the 'Reboot
FROM Safe Mode TO Normal Mode' component.
Scripts
Reboot FROM Safe
Mode TO Normal
Mode [WIN]
Reboots a device to the normal Windows mode.
Note: You must use this script to reboot to normal mode only after using the
'Reboot FROM Normal Mode TO Safe Mode' component successfully.
Scripts
Reboot If Required
This component will reboot a machine forcibly if pending from either
Microsoft Patching or a Software Installation. For Windows Server 2008+
the script will query the CBS registry key as another factor in determining
pending reboot state. Features input variables to configure alerting on
Component Based Servicing, Windows Update, SCCM 2012 or Pending
File Rename Operations.
Scripts
Reboot Required
Monitor
This Component monitor will determine a pending reboot from either
Microsoft Patching or a Software Installation. For Windows Server 2008+
the script will query the CBS registry key as another factor in determining
pending reboot state. Features input variables to configure alerting on
Component Based Servicing, Windows Update, SCCM 2012 or Pending
File Rename Operations.
Device Monitors
Reboot [MAC]
This component will reboot a MAC OSX device immediately. This can be
useful as a scheduled task.
Scripts
Recuva 1.51 [WIN]
Recuva (pronounced 'recover') is a freeware Windows utility to restore files
that have been accidentally deleted from your computer. This includes files
emptied from the Recycle bin as well as images and other files that have
been deleted by user error from digital camera memory cards or MP3 players. It will even bring back files that have been deleted from your iPod, or
by bugs, crashes and viruses!
Applications
Remove existing
VNC installations
and reinstall uVNC
[WIN]
Removes existing versions of RealVNC 3/4, TightVNC 1.3/2.0.x/2.5.x/2.6.x
and uVNC and reinstalls uVNC service (1.0.9.5). To be used in situations
where installing the Agent is causing problems with existing installations of
VNC. Especially ones using the same service name as the Agent (uvnc_
service).
Scripts
Name
Description
Category
Run ad hoc CMD
[WIN]
Script to run a single line command from Windows CMD to multiple
devices at the same time. The Component allows you to specify a single
command at schedule time by inputting the command into the Input Variable field. The command will then be run across all targeted devices.
Scripts
S.M.A.R.T. Hard
Drive Check [WIN]
Checks hard drive S.M.A.R.T. data for overall hard drive health on all physical drives. Displays an overall PASSED or FAILED result along with
detailed information including drive temperature. If the device reports failing health status, this means either that the device has already failed, or
that it is predicting its own failure within the next 24 hours. Powered by
smartctl.exe from smartmontools. Post-Conditions set to return a warning
state if tests fail. Supports up to 26 physical drives.
Scripts
Safari 5.1.7 [WIN]
At one time, web browsers simply got you to the Internet. But from the day it
was released, Safari set the bar higher for web browsers. It introduced
sophisticated design elements that made browsing a joy. Easy to use,
Safari stayed out of your way and let you effortlessly navigate from site to
site.
Applications
Scratch 2 434a Offline Editor [WIN]
With Scratch, you can program your own interactive stories, games, and
animations - and share your creations with others in the online community.
http://scratch.mit.edu
Note: Requires Adobe Air
Applications
Scratch 2 434a Offline Installer [MAC]
With Scratch, you can program your own interactive stories, games, and
animations - and share your creations with others in the online community.
http://scratch.mit.edu
Note: Requires Adobe Air. This installer will remove all previous versions
as they conflict.
Applications
Send Message
Sends a message in a VBS popup. Make sure to check "Execution: Only
run this job when user is logged in" and "Execute when user is logged in".
Scripts
Server Role Detection
This component gets a comprehensive list of installed service roles and
writes these to a user-defined field in the following format, delimited by
colon. Allows the creation of custom filters by role. ie :SQL:IIS:HyperV:File:Print:
Thanks to Alex Bidhendy for this script.
Scripts
Shockwave
12.2.0.162 [WIN]
Shockwave Player is the web standard for powerful multimedia playback.
The Shockwave Player allows you to view interactive web content like
games, business presentations, entertainment, and advertisements from
your web browser.
Applications
Shockwave Player
11.6.8.638 [WIN]
Shockwave Player is the web standard for powerful multimedia playback.
The Shockwave Player allows you to view interactive web content like
games, business presentations, entertainment, and advertisements from
your web browser.
Applications
Shut-down Device
[WIN]
Shut-down device forcibly with variable time-out.
Applications
Silverlight
4.0.60831 [WIN]
Applications
Name
Description
Category
Silverlight
5.1.40728 [WIN]
Applications
Skitch for Windows
2.3.1.163 [WIN]
Skitch is a screenshot editing and sharing utility. Skitch permits the user to
add shapes and text to an image, and then share it online. Images can
also be exported to various image formats.
Applications
Skype [MAC]
Skype is the most popular free voice-over IP and instant messaging service globally. It allows users to text, video and voice call over the internet.
Users can also call landlines and mobiles at competitive rates using Skype
credit, premium accounts and subscriptions. Skype uses P2P technology
to connect users on a multitude of platforms including desktop, mobile and
tablet. The call quality (depending on your internet signal) and additional
features like conversation history, conference calling and secure file transfer are excellent.
Applications
Skype [WIN]
This component will install or update the latest version of Skype. Skype is
software for calling other people on their computers or phones. Download
Skype and start calling for free all over the world. The calls have excellent
sound quality and are highly secure with end-to-end encryption. You don't
even need to configure your firewall or router or any other networking gear.
Applications
Sophos AV 10.x
Monitor [Server and
Workstation] [WIN]
Check for last successful definition update on Sophos Anti-Virus 10.x.
Device Monitors
Sophos AV 9.x Mon- This component monitor will check and alert for: Sophos Event Log errors,
itor [Server and
Sophos not installed/not running, start Sophos services if not running, OutWorkstation] [WIN]
of-Date AV Definitions. Compatible with XP Pro (32/64), Vista (32/64), Win
7 (32/64), Server 2003 (32/64), Server 2008 (32/64), Server 2008 R2 (64),
SBS 2008 (64).
Device Monitors
Speccy 1.25.674
[WIN]
Installer for Speccy 1.20.446. Speccy will give you detailed statistics on
every piece of hardware in your computer. Including CPU, Motherboard,
RAM, Graphics Cards, Hard Disks, Optical Drives, Audio support. Additionally Speccy adds the temperatures of your different components, so
you can easily see if there's a problem!
Applications
Splashtop Remote
Screen Sharing
Splashtop is a leading screen share technology that provides a faster and
smoother experience than the default VNC. The streamer can be rolled out
to all your connected devices, both Windows and Mac, either automatically
or on demand. By purchasing this component you are activating an unlimited trial and can start using Splashtop immediately. Your Autotask account
manager will be in touch to discuss any applicable subscription costs.
Extensions
Splashtop Uninstaller [PC][MAC]
This script will uninstall the Splashtop Streamer from a target PC or Mac.
Note: The platform will re-install the Streamer if the platform has been configured to do so automatically.
Scripts
Name
Description
Category
Stopped Auto-start
Services Monitor
[WIN]
Monitor to check the status of ALL services that have a startup type of Automatic and alert if any are stopped. Also contains the option to attempt to
start ALL stopped automatic services. Set to alert if ANY services are found
that meet the criteria and contains summary of attempted start result if this
option is selected.
Note: Problematic services that successfully start may fail shortly afterwards and generate another alert. Problem services, if they cannot be
fixed, can be removed from the monitor by setting the startup type to anything other than 'Automatic'.
Device Monitors
SumatraPDF 3.0
[WIN]
Installer for SumatraPDF, the free, simple, easy-to-use PDF reader by
Krzysztof Kowalczyk with an incredibly small footprint.
Applications
Suppress Process
[WIN]
Monitor whether a specified process is started and alert/terminate process
if detected.
Device Monitors
Symantec AV EndPoint v11 Monitor
[Server and Workstation] [WIN]
This component monitor will check and alert for: Symantec AV End-Point
v11 not installed/not running, Out-of-Date Definitions. Compatible with XP
Pro (32/64), Vista (32/64), Win 7 (32/64), Server 2003 (32/64), Server 2008
(32/64), Server 2008 R2 (64).
Device Monitors
Symantec Backup
Exec Monitor 20032008 [WIN]
This component monitor will check and alert for: Symantec Backup Exec
Device Monnot installed/not running, Not backed up in last X days. Check period is con- itors
figurable when applying the monitor (default period=2 days). Compatible
with Backup Exec 11d : Svr 2003/2003 R2 (32/64), Backup Exec 12.5 : Svr
2003/2003 R2/2008/2008 R2 (32/64), Backup Exec 13 : Svr 2003/2003
R2/2008/2008 R2 (32/64).
Synology NAS Mon- Compatible with Synology Diskstations. Make sure SNMP is turned on on
itor
the Synology device.
Network
Monitors
Telnet Client Enable [WIN]
Telnet Client - Enable. By default Windows Vista, Server 2008 /2008 R2
and Windows 7 do not have the Telnet client available. This component
will make the Telnet client available from the command-line.
Scripts
Thunderbird 38.1.0
[WIN]
Thunderbird is a great email client from the same people who brought you
the Firefox browser. Thunderbird gives you IMAP/POP support, a built-in
RSS reader, support for HTML mail, powerful quick search, saved search
folders, advanced message filtering, message grouping, labels, return
receipts, smart address book LDAP address completion, import tools, and
the ability to manage multiple e-mail and newsgroup accounts.
Applications
Thunderbird 38.2
[MAC]
Thunderbird is a great email client from the same people who brought you
the Firefox browser. Thunderbird gives you IMAP/POP support, a built-in
RSS reader, support for HTML mail, powerful quick search, saved search
folders, advanced message filtering, message grouping, labels, return
receipts, smart address book LDAP address completion, import tools, and
the ability to manage multiple e-mail and newsgroup accounts.
Applications
Time Machine Monitor [MAC]
Monitor to check if Time Machine has performed a backup within a user-set
threshold (in minutes). Users will need to have previously configured a
backup drive and performed a successful backup to it. The monitor can be
configured to instigate a backup if the time threshold is breached.
Device Monitors
Name
Description
Category
Toggle Windows 10
Update Sharing
This component will enable / disable the option in Windows 10 to share
Windows Updates with other machines in the network. This will reduce network load when installing updates on many Windows 10 machines. Set
value to 0 to disable this feature, when set to 2 it will share updates outside
of the LAN as well.
Scripts
TreeSize Free 2.70
[WIN]
Every hard disk is too small if you just wait long enough. TreeSize Free
tells you where precious space has gone to. TreeSize Free can be started
from the context menu of a folder or drive and shows you the size of this
folder, including its subfolders. You can expand this folder in Explorer-like
style and you will see the size of every subfolder. All results can also be
drilled down to the file level.
Applications
TreeSize Free
3.0.1.200 [WIN]
Every hard disk is too small if you just wait long enough. TreeSize Free
tells you where precious space has gone to. TreeSize Free can be started
from the context menu of a folder or drive and shows you the size of this
folder, including its subfolders. You can expand this folder in Explorer-like
style and you will see the size of every subfolder. All results can also be
drilled down to the file level.
Applications
Trend Micro
Titanium 3 AV Monitor [WIN]
This component monitor will check and alert for: Trend Micro Titanium 3
not installed/not running, Out-of-Date Definitions. Compatible with XP Pro
(32), Vista (32/64), Win 7 (32/64).
Device Monitors
Trend Micro WFBS
6 AV Monitor
Trend Worry-Free Business Security v6 AV Monitor This component monitor will check and alert for: Trend WFBS6 not installed/not running, Out-ofDate Definitions. Compatible with XP Pro (32/64), Vista (32/64), Win 7
(32/64), Server 2003 (32/64), Server 2003 R2 (32/64), Server 2008 (32/64)
Server 2008 R2 (64).
Device Monitors
Trend Micro WFBS
7 AV Monitor
Trend Worry-Free Business Security v7 AV Monitor This component monitor will check and alert for: Trend WFBS7 not installed/not running, Out-ofDate Definitions. Compatible with XP Pro (32/64), Vista (32/64), Win 7
(32/64), Server 2003 (32/64), Server 2003 R2 (32/64), Server 2008 (32/64)
Server 2008 R2 (64).
Device Monitors
Uninstall Quicktime
[WIN]
This component removes Apple Quicktime from Windows devices. Apple
has recommended to remove Quicktime from all Windows devices. Quicktime has security problems that won't be patched.
Thanks to Simon Morley on the AEM Community.
Scripts
Uninstall Software
Installed via MSI
[WIN]
This Component searches for MSI based software installations by name
using an input variable and uninstall. Uses the PowerShell -like operator.
Supports wildcards (*) but will function as 'equals' if none are included.
Use wildcards either side of string to function as 'contains'. Must be at least
3 alphanumeric characters when 'Uninstall' is set to 'True'.
Scripts
Uninstall Windows
Update by KB number
This component will uninstall Windows Updates and Security Patches for
Windows 7 and Windows 8 ONLY.
Note: Uninstalling Windows update can seriously harm a system.
Thanks to Brandon Phipps on the AEM Community.
Scripts
USB - Disable or
Enable USB Storage [WIN]
This component will disable or enable the USB storage function on the targeted device(s) while keeping all other USB functionality working (e.g. keyboards, mice etc.). Compatible with Windows 7 and above.
Applications
Name
Description
Category
Veeam Backup &
Replication Monitor
Monitoring of Veeam Backup and Replication for VMware vSphere and
Hyper-V.
Device Monitors
Vipre Anti-Virus 4
and 5 Monitor [WIN]
For Vipre AV versions 4 (2011) and 5 (2012). This component monitor will
check and alert for: Vipre Anti-Virus not installed/not running, Out-of-Date
Definitions. Compatible with Windows XP Pro (32/64), Vista (32/64), Windows 7 (32/64).
Device Monitors
VLC 2.2.1 [MAC]
VLC is a free and open source cross-platform multimedia player and frame- Applications
work that plays most multimedia files as well as DVD, Audio CD, VCD, and
various streaming protocols.
VLC Media Player
2.1.5 (No file associations) [WIN]
various streaming protocols. Modified installer to ignore setting file associations.
VLC Media Player
2.1.5 [WIN]
various streaming protocols.
Wake-On-Lan all
discovered devices
This component looks at the Discovered Devices list that's available on an
Agent that's running the Network Node with Scanning function. It will select
all Windows device, and sends the MAC address of these devices the
Wake-On-Lan Command.
Scripts
Warranty audit for
HP, DELL and Lenovo [WIN]
Warranty checker script for AEM. This script will check Dell, Lenovo and
HP websites for Warranty Expiration dates; it will output to STDOUT and
store this date in the AEM user-defined fields.
Scripts
Webroot Endpoint
Security
Business users can download this extension to enable Webroot Endpoint
Security Integration in their account. To remove it, simply delete it from the
Extensions category in your Component Library.
Extensions
WinDirStat 1.1.2
[WIN]
WinDirStat is a disk usage statistics viewer and cleanup tool for various ver- Applications
sions of Microsoft Windows.
Windows Server
Backup Monitor
[WIN]
VBScript to monitor Windows Server Backup for completed backups with
Device Monerrors and the absence of a completed backup. Input variables can omit
itors
days of the week where backups are not taking place. Compatible with Windows Server 2008, SBS 2008, 2008 R2, SBS 2011, 2012, 2012R2. 32 and
64-bit architecture supported.
Windows Update
Bugfix Rollup for
Windows 7 SP1
x86
This component installs Windows Updates KB3102810, KB3145739,
KB3138612 and KB3172605 to introduce a collaborative improvement to
Windows Update patch scanning performance. Endpoints will require two
reboots to finalise. Not intended for use on Local Caches.
Refer to Why are Windows 7 SP1 devices taking so long to download
updates and therefore taking a long time to audit?.
Applications
Windows Update
Bugfix Rollup for
Windows 7 SP1
x64
This component installs Windows Updates KB3102810, KB3145739,
KB3138612 and KB3172605 to introduce a collaborative improvement to
Windows Update patch scanning performance. Endpoints will require two
reboots to finalise. Not intended for use on Local Caches.
Refer to Why are Windows 7 SP1 devices taking so long to download
updates and therefore taking a long time to audit?.
Applications
Name
Description
Category
Windows Update
History
This component retrieves the Windows Update history from a machine.
Look at the STDout of this script to see the details.
Scripts
WinHTTP Proxy
(Add) - v2 [WIN]
This component will add a system level proxy setting on the target device.
The Microsoft Windows Update client requires Microsoft Windows HTTP
Services (WinHTTP) to scan for available updates. Microsoft Windows
HTTP Services run independently of Microsoft Internet Explorer and cannot
auto detect proxy settings that may have been set from within a user
account. Please see http://support.microsoft.com/kb/900935 for further
details.
This is v2 of the 'WinHTTP Proxy (Add)' component and adds full support
for 64-bit Operating Systems.
Scripts
WinHTTP Proxy
(Remove) - v2
This component will remove a system level proxy setting on the target
device. The Microsoft Windows Update client requires Microsoft Windows
HTTP Services (WinHTTP) to scan for available updates. Microsoft Windows HTTP Services run independently of Microsoft Internet Explorer and
cannot auto detect proxy settings that may have been set from within a
user account. Please see http://support.microsoft.com/kb/900935 for further details.
This is v2 of the 'WinHTTP Proxy (Add)' component and adds full support
for 64-bit Operating Systems.
Scripts
Zendesk
Business users can add this extension to enable Zendesk in their account.
To remove it, simply delete it from the Extensions category in your Component Library.
Extensions
ZoomIT 4.50 [WIN]
ZoomIt is a screen zoom and annotation tool from SysInternals for technical presentations that include application demonstrations. ZoomIt runs
unobtrusively in the tray and activates with customizable hotkeys to zoom
in on an area of the screen, move around while zoomed, and draw on the
zoomed image. ZoomIt works on all versions of Windows and you can use
pen input for ZoomIt drawing on tablet PC.
Applications
Check for updates
Components available in the ComStore are regularly updated. To stay current with the changes, be notified of
new components, and be able to provide better management of third-party software, you can opt into a Component Update Digest email notification that is sent to your mailbox once every week (there is no "set time"
for the emails). The email will list:
l
Available updates for the components you already possess in your Component Library
l
New components that have been added to the ComStore
The Component Update Digest is simply a summary of the updates made available since the last
notification email, and it does not take into account whether you have already updated/downloaded
the component(s) in question.
For information on how to opt into or out of the Component Update Digest notification, refer to the Email
Recipients section of Account Settings.
To opt out of the digest, you can also click on the unsubscribe link in the email notification, and
you will be directed to the Account Settings page.
To update your components:
1. If an update is available for a component, you can view it by clicking on Check for Updates on the
left-hand side of the ComStore page.
2. Click Update All to download all available updates, or click Get Update to update an individual component.
Request a component
If you haven't found the component you were looking for, you can send a request to AEM.
1. Click Request Component.
2. Add a Subject and your Message.
3. Click Send.
Download an iOS app
You can download iOS apps from the App Store by clicking on Add iOS app. For further information, refer to
"Download iOS apps" on page 191.
Create or Edit a Component
Permission to manage Components and to view Sites
Components tab
In addition to and downloading a component from your Components list, you can create components yourself
and share them with other users.
A typical component contains a script, written in one of several available languages, and may also contain a
program to install or an executable to run. This functionality guarantees that administrators have complete
control over the technology they supervise.
How to...
Create a component
2. In the top left corner, click New Component.
3. Select a Category: Applications, Device Monitors, Network Monitors, Scripts.
4. Enter a Name and a Description.
5. Click Save. The Component page will open.
6. If you have chosen the category Network Monitors, follow this guide: "Create a network monitor component" on page 97.
If you have chosen any other category, then populate the following fields:
Name
Favorite
Description
(available for the categories
Applications and Scripts)
Copy
Makes this component available to be used in Quick Jobs.
Refer to "Make a component available as a Quick Job" on
page 324.
Opens a confirmation dialog. Click OK to create a copy of the
component.
General
Name
Description
Category
Displays selection made on the previous page.
Change Image
Click to select a different image for this component.
Name
Displays the name entered on the previous page, but can be
edited.
Description
Displays the description entered on the previous page, but
can be edited. This should contain a description of what will
happen when the component is run.
ID
The unique identifier of the new component.
Component Level
Specifies which users can access this component. Refer to
Users.
The component level of custom components can
be set to 1 (Basic), 2 (Low), 3 (Medium), 4 (High)
and 5 (Super).
Created
The date and time the component was created in UTC, and
the name of the creator.
Modified
The date and time the component was last modified.
Sites
Sites radio button
If All sites is selected, the component can be deployed to
devices belonging to any site.
If Selected sites is selected, you can select the sites this component can be deployed to. Use the Search field above either
the Include or Exclude column to search for your sites. As you
type, the search results are narrowed to match your search
string. By default, all sites are initially excluded. Refer to "Map
components to specific sites" on page 336.
Commands / Script
Name
Description
Install command/Script
Select the scripting language you want to use from the dropdown. For an overview of scripting, refer to "Scripting" on page
306.
Expand/Collapse
Changes the size of the Install command text box.
Text field
Enter the install command (the script) into the text box.
Timeout this script if not completed
within:
Allows you to set the maximum amount of time, in seconds,
until the script will time out.
This component requires site credentials
If installing this component requires a username and password that is unique for each site, checking this setting will
allow AEM to use the cached credentials that you previously
entered in your Site > Settings tab. Refer to "Credentials" on
page 24.
This is useful if you’re running the component on multiple sites
that each need different credentials, because you can specify
the credentials beforehand for 10 different sites, then just run
the component once against 10 different sites at the same
time.
Files (available for the categories Applications and Scripts)
Add File
Click Add file... to browse to the installer file and select it.
The file will be uploaded and shown on the list. Click the
Delete icon to remove it, if necessary. Refer to "Attached
Files" on page 308.
Variables
Name
Description
Input variables
Click the plus icon to the right to open the Add Input Variable dialog. Input variables allow you to determine certain
parameters at runtime, so you don't have to have them hard
coded in the script itself. Moreover, input variables allow you
to re-use a single component to carry out multiple tasks. You
can add multiple variables, and they can be edited and
deleted. Add the following details: Name, Type (Variable
Value/Date/Boolean), Default value, Description. Refer
to "Using Variables" on page 308.
Output data (available for the category
Device Monitors)
You need to let AEM know what variable name you're using to
capture the output. Click the plus icon to the right to open the
Add Output Variable dialog. You can add multiple variables, and they can be edited and deleted. Add the following
details: Name, Type
(String/Number/Timestamp/Boolean/Blob),
Description. For more information, refer to "Create a Custom
Name
Description
Post-Conditions (available for the categories Applications and Scripts)
Warning Text
This function will look at the output (Standard Output Stream
and/or the Standard Error Stream) from a script you have run
and alert if a specific text string is either found or not found.
Refer to "Post-Conditions" on page 309.
7. Click Save.
The component will now be added to the Component List.
Edit a component
Custom components and components that are copies of components downloaded from the ComStore can be
edited. For components that can be edited, the name appears as a hyperlink.
2. Click on a component name that appears as a hyperlink.
3. Edit the fields as required. For field descriptions, refer to "Create a component" on page 301.
4. When you have finished editing the component, click Save.
Scripting
AEM contains powerful functionality that allows users to create and share components (bundles of code,
data and even applications) that can be executed across multiple devices.
A typical component contains a script, written in one of several available languages, and may also contain a
program to install or an executable to run. This functionality guarantees that administrators have complete
control over the technology they supervise.
Scripting Languages
A scripting language is a programming language that supports scripts, programs written for a special run-time
environment that can interpret (rather than compile) and automate the execution of tasks that could alternatively be executed one-by-one by a human operator.
AEM supports the following scripting languages, which allow you to develop scripts that can be run across a
wide range of devices and operating systems:
l
Batch
l
Unix (Bash)
l
VBScript
l
JavaScript
l
PowerShell
l
Python
Supported versions:
Windows: Python 2.x. Note that Python 2 MSI should be installed for all users or the C:\Python27\
value doesn’t end up in the PATH System Environment Variable and AEM cannot find the Python interpreter.
Mac: AEM will only use the Python interpreter that comes pre-installed with OS X as of version 1.8
(Mountain Lion).
l
Ruby
l
Groovy
We will discuss the three most widely used scripting languages from that list.
Windows user account permissions
By default, all scripts are executed in the Windows LocalSystem Account (otherwise known as NT
AUTHORITY\SYSTEM). This has the advantage of running with extensive privileges on the local endpoint,
and script execution is possible even if nobody is logged on or the logged on user has Limited User rights.
Points of note for the LocalSystem Account:
l
Does not have a visible desktop, so any windows generated will be hidden.
l
Does not have a virtual keyboard or mouse, so no macro-based automation is possible.
l
Does not have a password, so no network authentication is possible.
l
Does not have access to resources defined per user, such as mapped network drives.
Quick Jobs always run in the LocalSystem Account but it is possible to force the execution of a
script to run in the context of the local logged on user by opting to a Scheduled Job and using the
advanced options under Execution. Refer to "Execution" on page 322.
How to...
Generate a Batch script (Windows)
About Batch Scripts
Batch is the most compatible and widely-used scripting language across Windows systems. Although it has
been around since MS-DOS times, the syntax and certain commands have remained much the same.
A batch file is a kind of script file in DOS, OS/2 and Windows. It consists of a series of commands to be
executed by the command line interpreter, stored in a plain text file. It is typically created by using a text
editor such as Notepad or a word processor in text mode, and then saving it with a .bat extension.
The script could be as simple as a single line, or a more complex process involving loops and subroutines.
Generally, scripts that can be run locally can also be executed via AEM, on multiple devices, either one time
or on a recurring schedule.
Here is an example:
@ECHO off
ECHO Good Morning, Dave!
PAUSE
When executed, the following is displayed:
Good Morning, Dave!
Press any key to continue . . .
To input a command in batch format, there are no special considerations – your scripts will not require a
header to begin the script, and you are not required to precede execution of your script with any special steps.
If you have a batch script prepared, simply paste it into the Install command text box.
Using Variables
Batch scripts support the use of Windows environment variables (such as %username%, or %logonserver%), as well as variables you define yourself in the script. You can define your temporary environment variables using the Variables section of the Component page. The user running this script will receive
a prompt to use the default value for the variable when running the script, or to enter a different value.
In the above screenshot, we created an input variable called "FileName", with a default value of
"Test.txt". When we create a component monitor, for instance, we can specify the value that the
component monitor should be set to when it runs:
Attached Files
Files that have been attached to the component using the file attachment fields beneath the script edit-box
can be referenced directly. For example, if your component was to install the Windows Installer file
install.msi, your code might look like this:
Get-Content file.txt@echo off
msiexec /i install.msi
echo Product Installed Successfully
exit
The file install.msi can be referred to without hard links, because the command shell is being launched from
the same directory that contains the executable.
Some users might question the use of the command @echo off which precedes the main
script. This function hides the commands being executed from the output, so an end-user, or
administrator looking through script output using AEM’s StdOut/StdErr viewer won’t see the
codes the command shell is running, only the output from them. It's not necessary to include
this in any scripts you run, but it does keep the output looking a bit neater.
Post-Conditions
Its also possible to set up conditions to look for certain text output strings and alert the user if they appear
using the Warning Text function at the bottom of the page. This function will look at the output from a script
the user has run and generate an alert if anything from the output matches a criteria the user has defined.
If you place the string “ERROR:” (note that it is case-sensitive) into the field, then run the script,
AEM will spool through the command’s output and, if a string containing “ERROR:” is found, a warning is posted.
These warnings appear as an orange status box (as opposed to the traditional green for success and red for
failure) and the caption “Warning” on the Jobs page of the Web Portal.
Please note that AEM spools through the output of the command, and not the script. The virtue of
such a system is in its extensibility; by setting a post-condition looking for the string "ERROR:", a
user is able to place conditions in the script (presumably using the if function) and echo out the
string "ERROR: " only in cases where an error occurs in the script.
Administrators who take advantage of this intelligent output analysis when writing their scripts will
receive notifications instantly when a script error occurs, instead of being forced to check command outputs for each execution.
Generate a PowerShell script (Windows)
PowerShell is Microsoft's answer to the highly-adaptable terminal systems offered by *nix operating systems.
More extensive than Batch, it is constantly being developed and revised by Microsoft engineers (and 3rd
parties) with modern computing tasks in mind. AEM offer support for this new platform, assuming that PowerShell is installed on the users' computers - in other words, if PowerShell isn't installed on a device, you're not
going to be able to run PowerShell scripts on it.
Much like Batch, the scripts launched from any PowerShell command prompt are launched from the package
directory of the respective script. This directory is produced by the agent and typically contains the script
itself – PowerShell scripts typically have a .ps1 extension – along with simple metadata and any files the
user has attached.
Because of this, to refer to a file that has been attached to a component, no hardlinks are required, and the file
can be referred to without any need to change directories.
If you are writing a script to type the contents of attached document file.txt so it can be read in StdOut, for
example, your script would look like this:
Get-Content file.txt
You do not have to precede your commands with anything; however, lines in PowerShell scripts can be commented out by preceding them with a hash (#) character.
Using Variables
You can also define external variables and refer to them in the script using the $ENV: command.
Example:
$Env:windir
will return the path and directory Windows is installed in.
Security
This is very important!
PowerShell is a more powerful scripting solution than Batch and has stronger security features.
By default, all Windows machines have the PowerShell execution policy set to Restricted, and this explicitly blocks the execution of such scripts. Moreover, this policy is reset following a reboot.
To run PowerShell scripts, you must therefore bypass this policy. You can download a component from the
ComStore called PowerShell execution policy bypass. You must run this on all computers before you can
run any PowerShell scripts.
To increase security, we recommend running the same script with the policy set to “Restricted"
(case-sensitive) to re-instate the policy after all PowerShell scripts have been run.
Generate a Bash script (Unix/OS X)
Unix (which includes Linux, as well as a number of other related systems) is less an operating system in and
of itself and more a framework built to a set of rigorous standards (“POSIX") from which many compatible
forks and projects have been started. Although inconsistencies do exist between *nix projects (referred to in
GNU/Linux terminology as “distributions" or “distros"), the scripting technology typically utilized is surprisingly compatible.
OS X is itself based on one of these Unix projects (BSD), and as such we can use Unix scripting to run
scripts and deployments to OS X devices.
AEM provides an agent and scripting capabilities for the *nix-based OS X and various Linux versions. For further information, refer to Supported Operating Systems and Requirements for the Agent.
You may be reading this after being sent here via a link in the script creation window of the web portal; the
appearance of this link was a conscious decision by AEM to ensure users are fully current with the AEM *nix
scripting system before proceeding to use it.
After you select Unix from the Install command drop-down menu, a line of code will appear in the script field.
#!/bin/bash
This line has been included for your convenience. As part of AEM's functionality, this line – an operation to
choose a command interpreter – must begin any *nix script, including those intended for use on Mac OS X.
The line tells the computer which command interpreter to use – that is to say, it selects a program to manage
the lines of the script with. *Nix machines typically have several available, and while certain scripts may
demand different interpreters, the Bash interpreter specified in the default line is the most compatible across
*nix-based systems.
If you are a novice user or are unsure of this line of code's purpose, please leave it alone. It will not alter the
functionality of your code, and removing it may cause your code not to work as you had intended.
Without a code interpreter explicitly selected as the first line of your script, it will not run on your
Mac or other *nix-based system.
If you are an experienced user, or your choice of command interpreter differs from the default, please feel free
to experiment. You are welcome to edit the initial line of the script; you may even decide to remove it entirely.
However, such actions may cause your script to act unpredictably or even fail; you make such alterations at
your own risk.
Scripting Ninite using Autotask Endpoint Management
(AEM)
This guide is for informational purposes only. Autotask does not directly offer support on any
issues raised with third party components.
Scripting Ninite for automated installs can only be done with a Ninite Pro account. There is a free
version, but it doesn't have the same command line or unattended functionality.
Ninite is a service that allows you to install or update multiple applications on multiple endpoints through a
single executable. The power of that functionality really increases, however, when you start to add the sort of
automation, scheduling and alerting that Autotask Endpoint Management (AEM) can deliver.
There are two functions that Ninite will commonly be used for alongside AEM:
l
The installation or updating of a specific application or applications
l
Managing general application updates for all manageable apps on a device
How to...
Install and update specific applications
To use Ninite and AEM to install and update an application (or multiple applications):
1. Download the AEM Ninite - Install and Update Applications component.
2. Import the component into your Component list. Refer to "Import a component into your Web Portal"
on page 335.
3. With the script component open, add your own ninitepro.exe (which is associated with your own Ninite Pro account) in the Files section. Refer to "Attached Files" on page 308.
4. You can, if you wish, edit the command line which is run here to change how Ninite should behave
when it runs (for example, adding proxy details if your devices sit behind an authenticating proxy
server). More details on the command line options for Ninite can be found in the Ninite Command
Line Switch Reference.
5. Click Save to add the component to your library.
If you want to be able to use this component as a Quick Job, click the star icon next to it in
the list.
When you run this component (either as a one time quick job, or as a scheduled job), you will be asked to
enter the names of the applications you want to install or update. To see the list of applications which can be
installed or managed, refer to Ninite Pro app list.
If you run this component as a scheduled job, the first time it runs, the applications will be installed from the
web. Subsequent runs will check if the application is at the latest version currently available, and if not, it will
update to that version.
Manage General Application Updates
If, rather than deploying and managing specific apps, you just want Ninite to control all of the updates for the
applications it manages, you can use this component instead:
1. Download the AEM Ninite - Update Everything component.
2. Import the component into your Component list. Refer to "Import a component into your Web Portal"
on page 335.
3. With the script component open, add your own ninitepro.exe (which is associated with your own Ninite Pro account) in the Files section. Refer to "Attached Files" on page 308.
4. You can, if you wish, edit the command line which is run here to change how Ninite should behave
when it runs (for example, excluding some applications from being updated - by default, this component excludes Firefox, but you will probably want to add your own list of exceptions). More details
on the command line options for Ninite can be found in the Ninite Command Line Switch Reference.
5. Click Save to add the component to your library.
General Advice
We recommend that, as with all new components, test this out on a couple of devices to make sure you
understand what it's doing and how it works, then schedule it to run on a regular basis. Bear in mind that lots
of applications updating in the background may make the user feel their device is running slowly, so be careful when you schedule it.
You may also want to investigate using the cache feature in Ninite to reduce Internet bandwidth
usage, since 100 devices all downloading Google Earth at the same time will be quite a large download.
And finally, we can't recommend strongly enough getting signed up for the Community Component
Exchange, which was the original source of these scripts and concepts.
Input Variables
What is an Input Variable?
One of the facets of the Autotask Endpoint Management (AEM) scripting engine is the ability to use input variables in your scripts. This lets you re-use a single component to carry out multiple tasks without having to
modify the script itself, or create (and maintain) duplicate components.
Input variables allow you to define values in your script at runtime, rather than having them hard coded into
the script.
If you regularly had to restart a number of Windows services (netlogon service, DNS client service,
DHCP client service), you could create a separate component for each service. They would be
identical, except for the name of the service that was being restarted.
If you used a variable ("servicename") instead, you would need to create only one component
(called "Restart Service"). The script would prompt you for the name of the service to be restarted.
How do Input Variables work in AEM?
AEM creates Windows environment variables whenever components execute which are set to the names
and values of your input variables. You can then call these in your scripts just like you would a "normal" environment variable (such as %computername%).
How to...
Create input variables
Input variables are defined when you create or edit a component. Refer to "Create or Edit a Component" on
page 301.
1. Click the plus icon to the right to open the Input Variables dialog.
2. Enter a Name for the variable.
3. Select a Type for the variable. Options include Value, String, Number, Timestamp, Date, Boolean and
Blob.
4. Enter a description.
5. Click Add.
The window will close and the variable will appear on the list.
When you set up a policy to use this monitor script, you are able to specify the value that this should be set to
when it runs:
Refer to input variables in a script
How you refer to a variable in a script depends on the scripting language you are using.
Batch Scripts
In batch scripts, you just need to wrap the name of the variable you're referencing in % signs:
echo Checking for existence of %FileName%
VBScript
In VBScript, it's a little more complicated: you need to expand the environment variable, and set a 'normal'
variable to that value:
Set wshShell = CreateObject("WScript.Shell")
FileToCheck = wshShell.ExpandEnvironmentStrings("%FileName%")
PowerShell
And in PowerShell, variables can be treated as child items of a PowerShell drive called Env:
Get-Childitem env:FileName
or, alternatively:
$env:FileName
Worked Example
In this worked example, we're going to take an existing component and modify it so that the drive, path and
filename are no longer hard coded into the script - they'll be variables.
The script we are starting with is looking for a hard coded path and file:
@echo off
echo Checking for file C:\test\test.txt
if exist C:\test\test.txt (goto found) ELSE (goto notfound)
:found
echo File found - script exiting OK
exit /B 0
:notfound
echo File not found - script exiting with warning
exit /B 1
To replace the hard coded path and file with variables:
1. Open up the monitor component that's checking for the file "test.txt".
2. Add three new input variables (one for the drive, one for the folder and one for the filename).
Notice that we configured default values, so if we run this monitor with no changes to the variables at
all, it will check for C:\Test\Test.txt.
3. Modify the script to use these variables as described above instead of the explicit path:
echo off
echo Checking for file %drive%\%filepath%\%filename%
if exist %drive%\%filepath%\%filename% (goto found) ELSE (goto notfound)
:found
exit /B 0
:notfound
echo ^<-Start Result-^>
echo CSMon_Result=%filename% not found - script exiting with warning
echo ^<-End Result-^>
exit /B 1
4. Now recreate the policy that uses this monitor, and you'll be able to specify the drive, path and filename on adding this component monitor - so with a single component you can alert on the existence of
C:\Test\Test.txt, C:\Test\Check.xlsx & D:\Monitor\File.tmp.
Deploy Components Using Jobs
Permission to manage Jobs
Sites > select a site, filter or group > click Schedule a Job
A Job is an automated process for deploying components from the Web Portal to a number of devices, either
immediately or at a scheduled time.
When a job is scheduled, the Web Portal will signal the targeted Agents that a job needs to be run. The Agent
will download the job to the local hard drive, unpack the package into its component parts, and run the script.
This process takes place in the system session where the AEM Agent runs. If you want a job to run in the
user session (for example to copy a shortcut to the desktop), you need to set it up when scheduling the job.
Refer to "Execution" on page 322.
Jobs can be scheduled for individual devices, sites, filters or groups. You cannot run a job at account level.
How to...
Schedule a job
To schedule a job, do the following:
1. Navigate to the Sites tab.
2. To run the job on all devices in one or more sites, select the required sites.
To run the job on an individual device, click on a site and select the device from the devices list.
To run a job on a filter or group, click on the name of your filter or group and select all or some
devices.
3. Click on the Schedule a Job
icon. The Schedule a Job page will open.
4. Populate the following fields:
Name
Description
General
Name
Description
Name
Give your job a name. This is how it will appear on the list of scheduled and completed jobs.
Schedule
By default, the job will be executed immediately. To schedule the job
for later or for recurring execution, click Click to change...
Immediately - The job will run as soon as it is saved.
At selected date and time - The job will run once at the selected
date and time.
Daily - The job will run every day at the time indicated in the Start
field.
Weekly - The job will run every week on all selected days at the
time indicated in the Start field.
Monthly - The job will run in the selected months on the selected
days.
Monthly day of week - The job will run in the selected months on
the specified occurrence of the selected days of the week.
Yearly - The job will run on the selected day (1 - 365) each year.
On Connect - Only available if you select an entire site to run the
job on. The job will run once on each device associated with the site
as soon as the device connects to the platform.
By default, offline devices will queue until they come
online or the job expires.
If the job run is a recurring job, any new devices attaching to the sites will pick up the job at the next run time.
Running as Security Level
This field is not editable, however, when you edit a job after it's been
saved, the field will show the security level used when the job got
scheduled.
Components
Name
Description
Add a Component
Click Add a Component and select one or multiple components
from the list. You will see all components your component level
allows you to see. Refer to Users.
Once your components are selected, you can control the order in
which components are deployed. To reorder the components, click
the green up and down arrows on the right. To remove a component
from the job, click the Delete icon.
Advanced Options
Job disabled
Click the check box to disable the job from running.
Expire this job after
Set a short term expiration for the job (up to 3 days).
Duration
Once a job is scheduled, it will run in perpetuity. This option allows
to set an expiration date/time for a job.
Name
Description
Execution
These options allow you to run the job in the user session, either
automatically or with user interaction. Click Only run this job
when user is logged in to enable the additional options.
Logged in user must have Administrator rights - Check this
box if the end user must be an Administrator of the device before the
job will run. It will wait for an Administrator logon even across multiple Limited User logons.
Execute when user is logged in - Automatically runs the job in
the user session.
Advertise to user but do not execute - Prompts the user to run
the job. In this instance, the user will be presented with an AEM system tray icon
to authorize the execution of the job. When the
user clicks on the icon, the software installer will be displayed.
Alerts
Alert me if
Optionally, you can choose to create an alert when the job succeeds, fails, has warnings or expires. Job alerts appear on the
Account > Monitor page when you toggle to Job Alerts. Refer to
"Manage Job Alerts" on page 329.
Automatically Email StdOut/StdErr options
Select output choices
Here, you configure the notification you will receive when the job is
run.
Select output choices: Check Stdout if you want to be notified
when the job is complete. Select Stderr to receive a notification
when an error occurs.
Select File Format: Click the radio button to select HTML or
Plain text. Selecting Plain text enables two additional choices:
Check Output Only to omit job summary information from the message (such as number of devices the job was run on, etc.). Check
Use custom file extension to present the output in a certain
format (for example, output tab-delimited text as .csv).
Job Recipients
Send alert to
Choose who will receive alert emails:
Default recipients - This will send the email to the default recipients set at the account and site levels.
Additional recipients - Use this option to add any additional recipients you wish.
Note that this field is enabled when you either select an Alert option
or an "Automatically email..." option.
a-z, A-Z, 0-9, @, and !#$%&'`*+-|/=?^_{}~.
The start and end time for scheduled jobs are based on the time zone set in Setup > My Info.
Refer to Edit your user details.
5. Click Save to schedule the job.
The window will close, and the job will appear on the list of scheduled jobs, where you can edit or
delete it.
6. Once the job has been completed, it will appear on the Completed Jobs tab.
Use a Quick Job to deploy one component
A Quick Job allows you to immediately deploy one component without having to schedule the job. Similar to
Scheduled Jobs, Quick Jobs can be scheduled against individual devices, sites, filters or groups from the
Action Bar.
There is one restriction: components must be marked as favorites on the Component list to be available for
Quick Jobs. Refer to "Make a component available as a Quick Job" on page 324.
To schedule a Quick Job, do the following:
1. Navigate to the Sites tab.
2. To run the job on all devices in one or more sites, select the required sites.
To run the job on an individual device, click on a site and select the device from the devices list.
To run a job on a filter or group, click the name of your filter or group and select all or some devices.
3. Click on the Run a quick job icon
in the action bar.
A window with all components available for Quick Jobs will open. In order for a component to appear in
this list, it needs to be marked as a favorite. For more information, refer to "Make a component available as a Quick Job" on page 324.
4. Select a component to use in the Quick Job and click Save.
If the component has variables, they will show below the job in the list and need to be completed first.
5. By default, the Jobs list will open when you click Save. Optionally, you can deselect Follow to jobs
list page on submit to stay on the device list.
6. Quick Jobs are added to the Scheduled Jobs > Active Jobs list with the heading Quick job running component [component name] on [selected devices].
7. Once completed, the Quick Job results can be accessed on the Completed Jobs tab.
Quick Jobs always run in the LocalSystem Account in Windows but it is possible to force the execution of a script to run in the context of the local logged on user by opting to a Scheduled Job and
using the advanced options under Execution. Refer to "Execution" on page 322.
Edit a scheduled job
1. Click the Scheduled Jobs tab.
2. Click the Edit Job icon at the right side of a row.
The Edit Existing Job window will open.
3. Make the required changes and click Save.
The job will be reconfigured and run according to the new settings.
A user who has the permission to manage jobs but is not assigned the security level that was used
when the job got scheduled will not be able to edit the scheduled job.
Make a component available as a Quick Job
1. In the Web Portal, click on the Components tab.
2. On the component you wish to make available as a Quick Job, click on the Toggle favorite icon
3. The star changes to yellow
.
to show it is now a favorite available for Quick Jobs.
Use a local component cache
To speed up the deployment process and minimize the bandwidth needed to distribute components to
devices in the same site, we recommend that you use a local component cache. For further information, refer
to "Designate a Local Cache" on page 111.
Manage Jobs
Permission to manage Jobs
Scheduled Jobs > Active Jobs
Scheduled Jobs > Completed Jobs
A Job is an automated process for deploying components from the Web Portal to a number of devices, either
immediately or at a scheduled time.
Jobs can be created on a number of pages. Refer to "Deploy Components Using Jobs" on page 319. They
are managed on the Scheduled Jobs page where you can view active and completed jobs and perform a variety of management tasks.
About the Scheduled Jobs Page
Tabs
The Scheduled Jobs page has two tabs, Active Jobs and Completed Jobs. The features are identical,
except for the status of the jobs.
Views
The Views radio buttons allow you to filter the jobs on each tab. By default, you will see all active or completed jobs, but you can click the following views:
l
l
l
Run Once - This selection will display jobs that were scheduled to run immediately or at a selected
date and time. This would include any Quick Jobs.
Recurring - This selection will display jobs that were scheduled to run daily, weekly, monthly,
monthly day of week, and yearly.
On Connect - This selection shows jobs that were scheduled for an entire site. The job will run once
on each device associated with the site, and will be shown as active until it has run on all devices.
For information on how to schedule jobs, refer to "Schedule" on page 320.
Other
Field
Description
Column Chooser
Field
Description
User
Allows you to filter the list by the user who scheduled the job.
Show me
It lets you select to show 25 / 50 / 100 / 250 entries per page.
Previous / Next
Click on Previous / Next to see the previous or next page of results.
Actions icons
Icon
Name
Description
Export to CSV
Allows you to export a list of the selected jobs in .CSV format. Make sure
to select the columns you want to include in the export.
Refresh
Refreshes the current view.
On the Active Jobs list, you can also click Auto-refresh on and off.
Auto-refresh only happens when an action occurs to trigger
it. It does not refresh at set time intervals.
Delete job(s)
Allows you to delete selected jobs.
Column Descriptions
Field
Description
Selection
check box
Check to select one or multiple jobs
Name
The name the job was given when it was set up.
Schedule
Shows the schedule set up for the job. For information on how to schedule jobs, refer to "Schedule" on page 320.
Components
The number of components that make up the job.
Jobs Run
If the job is recurring, the number of completed instances is shown.
Next Run
Date
Date, Time and Time Zone when the job is scheduled to be run..
Last Run
Date
Date, Time and Time Zone when the job was last run.
User
The user who scheduled the job.
Security
Level
The security level that was used to schedule the job.
Edit job
When you click this icon, the Edit Existing Job page will open. For field descriptions, refer to
"Deploy Components Using Jobs" on page 319.
A user who has the permission to manage jobs but is not assigned the security
level that was used when the job got scheduled will not be able to edit the scheduled job.
Field
Description
Delete this
job
Deleting a job will move it to the Completed Jobs list and will prevent any devices that have not
yet run this job from doing so.
Manage Job Alerts
Permission to manage Monitors at the account, site or device level.
Account > Monitor > Job Alerts
What is a job alert?
When you schedule a job, you can choose to be alerted when the job
l
succeeds
l
fails
l
has warnings
l
expired
All alerts appear on the Account > Monitor page when you click the Job Alerts radio button.
About the Job Alerts Page
Radio Buttons
The Account > Monitor tab displays radio buttons that allow you to toggle between Monitor Alerts and Job
Alerts lists.
For information about Monitor Alerts, refer to "Manage Alerts" on page 346.
Action bar icons
Icon
Name
Description
Resolve selected job alerts
Manually sets the status of the selected job alerts to Resolved.
Refresh
You can also click Auto-refresh on and off.
Auto-refresh only happens when an action occurs to trigger it. It does not refresh at set time intervals.
Column descriptions
Field
Description
Selection
check box
Check to select one or multiple alerts.
Field
Description
Job
Displays the job name as a hyperlink. Click on a job to open a detailed job view. Refer to "The
Job View" on page 331.
Condition(s)
Triggered
When a job is scheduled, you can choose to create an alert when the job succeeds, fails, has
warnings or expires. This column shows the reason the alert was created.
Time
The time and date the alert was raised.
The Job View
Permission to view Scheduled Jobs
Account > Monitor > Job Alerts > click on a job
Scheduled Jobs > click on a job
You can access information about individual jobs both from the Scheduled Jobs page and the Account
> Monitor > Job Alerts page by clicking on the name of the job.
Each device the job was targeted at is represented by a row. By default, all devices are displayed, but you
can use the radio buttons to display a specific status only.
Columns
Field
Description
Hostname (hyperlink)
The name of the device. Click on the name to open the Device Summary page. Refer to
"Device Summary" on page 119.
Site
The site the device is associated with. Click on the name to open the Site Summary
page. Refer to "Site Summary" on page 16.
Run At
The date and time the job was run on the device.
Status
The current status of the job on the device. The job may have succeeded on some
devices, and expired or failed on others. You can check expired or failed devices and
click the Rerun job on selected devices icon.
Result
A color indicator of the job result.
Green - The job ran successfully.
Orange - The job ran but there was a standard output (Stdout) value found based on
the component's post-conditions warning text filter. Refer to "Post-Conditions" on page
309.
Red - The job failed.
Stdout
Click on the icon to view the Stdout (standard output) message for the device.
Stderr
Click on the icon to view the Stderr (standard error) message for the device.
Field
Description
Remote takeover
tools
Connect to Device*
Refer to "Remote takeover icons" on page
118.
Splashtop*
Action bar icons
Icon
Name
Description
Add device(s) to group
Add the selected device(s) to a group. Refer to "Groups" on
page 142.
Rerun job on selected devices
Use this icon when the job succeeded on some devices but not
others. Check the box in front of devices you want to rerun the
job for.
Schedule a job*
Schedule a job for the selected device(s). Refer to "Deploy Components Using Jobs" on page 319.
Run a quick job*
Run a component through a quick job for the selected device
(s). Refer to "Deploy Components Using Jobs" on page 319.
Click to download selected Standard
Output/Error
Launches a window that lets you configure the options for the
download of Standard Output / Error messages, such as file
format, and how you want to receive the file, download or email.
Resend run job message...
Use this icon when a device is online, but the job appears to be
stuck at the scheduled status. This will resend the message that
a job needs to be run.
Export to CSV
Allows you to export a list of the selected devices in .CSV
format. Make sure to select the columns you want to include in
the export.
Refresh
Refreshes the current view. This will show the most up-to-date
alert status.
You can also click Auto-refresh on and off.
Auto-refresh only happens when an action occurs
to trigger it. It does not refresh at set time intervals.
Manage Components
Permission to manage Components
Components tab
The Components tab displays a list of all components that you have downloaded from the ComStore (that is,
copied to your Component Library on the Web Portal), or created yourself. These components can now be
downloaded to your PC so you can deploy them to devices.
About the Component List
The Component List can display between 10 and 100 entries per page.
l
To set the number of entries, select an option from the Show # entries drop-down field.
l
Scroll to the bottom of the list to navigate to the next page.
The component list displays the following columns:
Column
Description
Check box
Used for adding multiple components to a group.
Icon
Icon that identifies the component.
Name
Name and version of the component. This column also indicates WIN or MAC.
Description
The description of the component. Click on the row and hover over the description to see additional information.
Component
Level
Determines which users can access this component. Component levels go from 1 (Basic) to 5
(Super). Refer to Users.
Files
The number of files that are part of this component.
Size
The total size of the component.
Action Icons
Delete
Will delete the component from the Component List. If the component is part of an active job, you
will receive a warning. Click OK or Cancel.
Copy
Opens the Component page. All fields are exact copies of the original, except the Name, which is
labeled as "Copy of...". Make any required changes and click Save.
Favorite
Makes this component available to be used in Quick Jobs and as alert response in monitors.
Refer to "Make a component available as a Quick Job" on page 324 and the Response Details
section in "Create a monitor" on page 239.
Toggle
User Task
Makes the component available to all end users with the Agent installed on their computer. Refer
to User Tasks.
Column
Description
Export Com- This is the first step when you download a component. The gray icon indicates that the component
ponent
is available on the Web Portal, but is not yet ready to download.
The yellow icon indicates that the component is being prepared for downloading, that is, packaged as a .cpt file (a proprietary type of .zip file that includes an XML file and possibly additional
files such as a batch file or image file that can be recognized as an AEM file type when it is imported into another web portal).
Download
Component
Once the file has been zipped up, the icon turns blue. When you click on the icon, the component
is downloaded to your workstation.
How to...
Search for a component
To check whether a specific component has been downloaded, enter a name or part of a name or description
into the Search field.
The list display all records that contain a match in the Name or Description field.
Download a component to your workstation
Components that appear on the Component list can be downloaded to your workstation and deployed to
remote devices. If you see a gray Export component
icon, the component has either not yet been down-
loaded, or the component was edited and must be rebuilt.
"Export" and "download" are used interchangeably.
1. Click on the gray Export component icon. A dialog box appears.
2. Click Build now.
A note appears at the top of the page that the component is being built, and the icon turns yellow. The
.zip file that is generated will have a .cpt extension. When the build is complete, the icon will turn blue.
3. Click the blue Download component icon
.
Another dialog box opens that includes a download link.
4. Click Download here to download the component.
If you have previously downloaded the file and think it might have been changed, click
Rebuild it now.
You will be prompted to open or save the file. Note that the file extension might now be .zip.
Add a component
Refer to "Create or Edit a Component" on page 301.
Import a component into your Web Portal
You can upload components you have created or downloaded from the Component Exchange to the Web
Portal so they are available to other users and can be deployed.
To import a component:
2. In the top left corner, click Import Component.
3. Click Choose file... and locate the component file you want to upload.
Only Autotask Endpoint Management Component files (*.cpt) can be imported.
4. Click Upload.
When the upload is complete, the Component page will open.
5. Modify the component as required. Refer to "Create a component" on page 301.
6. Click Save.
Create a component group
By default, components are grouped into categories. Refer to "Component Categories" on page 266.
You can, however, create component groups, and associate any component with them, based on your own
criteria. This is helpful if you have components that are frequently viewed or edited.
To create a component group:
1. Navigate to the Components tab.
2. On the left, under Component Groups, click the plus sign. A pop-up window will open.
3. Enter a name for the group.
4. Click Save.
Add components to a group
Once the group exists, you can add any component to any group.
1. On the Component List, check the component or components you want to add to a group.
2. Click the Add component(s) to group icon
in the Action row.
A pop-up window will allow you to select the group to add the components to.
3. Click Add. The components are now added to the group.
Map components to specific sites
Components that can be edited (i.e. custom components and copies of components downloaded from the
ComStore) can be made available to some sites but not others. This is known as component site mapping.
2. Click on the component name you want to edit.
3. Scroll to the Sites section and click Selected sites.
4. Select the sites you wish to make the component available to and then click Include.
Use the Search field above either the Include or Exclude column to search for your sites. As
you type, the search results are narrowed to match your search string.
Use Shift or Ctrl on your keyboard to select multiple sites.
5. Once the changes are complete, click Save.
After you have mapped components to a specific site, it makes sense to specify a local cache or
caches to store the components. Refer to "Designate a Local Cache" on page 111.
Create a Custom Component Monitor
Knowledge of a scripting language like Batch or vb script. For scripting languages supported by
AEM, refer to "Scripting" on page 306.
Permission to manage Components. To create a policy, permission to manage Policies at account
or site level.
Components > New Component
Account > Policies
About Custom Component Monitors
Component monitors are, in essence, scripts that regularly run on your devices. If a specific condition is met,
an alert will be raised. You can find and download a number of pre-configured component monitors from the
ComStore, covering anti-virus packages, backup systems, CPU temperature, predicted hard drive failures,
etc. Refer to "Components and ComStore" on page 266.
For example, the status of Autotask's own online file backup service, Autotask Endpoint Backup,
can also be monitored through a component monitor. For more information, refer to Autotask Endpoint Backup Integration.
Sometimes, however, you want to generate alerts we don't have pre-configured component monitors for. You
might, for example, want to:
l
Monitor a backup or anti-virus package that we don't currently have a ComStore component for.
l
Check if a specific file or folder exists.
l
Run some diagnostic command (like dcdiag, or repadmin) and check the output for issues or failure.
l
Interrogate a database using a command line tool (like osql) and check specific values.
For cases like these, and many others, Autotask Endpoint Management (AEM) includes a powerful scripting
tool that allows you to write your own monitoring scripts, called custom component monitors. A knowledge of
scripting languages is required.
How to...
Create a script
In this exercise we are going to write a batch script that looks for a text file called C:\Test\test.txt. If that file
exists, the script will terminate with exit code 0 (which means, basically, "success"). If it doesn't, we'll see
some output telling us, and it will terminate with exit code 1 (which means "failure").
Our script to do that looks like this:
@echo off
:found
exit /B 0
:notfound
echo File not found - script exiting with warning
exit /B 1
Save that as a batch file called doesfilexist.bat to your C:\ directory. Make sure your text editor doesn't add
a .txt extension.
Run the script on your local machine
Before we incorporate the script into a component monitor, we want to make sure that the script does what
we expect. The easiest way to do this is to write it to run on a single, local device.
1. In you C:\ directory, create a folder called "test", but do not create the test.txt file yet.
2. Go to the Command prompt and type: doesfileexis.bat > log.txt
3. Hit the Enter key. This will execute the batch file and save the results in a log file.
The log file should read:
Checking for file C:\test\test.txt
File not found - script exiting with warning
4. Then add the test.txt file to the directory and run the batch file again.\
Now the log file should read:
Checking for file C:\test\test.txt
File found - script exiting OK
This confirms that we now have a working script, checking for the existence of a file called test.txt in
C:\test.
Get the output into the right format
While this output format works when the script is run on a local device, we need to make some changes so it
works for the output for a custom component monitor.
AEM is looking for output in this format:
<-Start Result->
OUTPUTVARIABLE=Your Warning/error message
<-End Result->
where "OUTPUTVARIABLE" is a variable you configure when you create the monitor. Refer to "Turn the
script into a Component Monitor" on page 341.
To make sure the script generates output that looks like the example above, we modify the output section of
the script as follows:
@echo off
:found
exit /B 0
:notfound
echo ^<-Start Result-^>
echo CSMon_Result=File not found - script exiting with warning
echo ^<-End Result-^>
exit /B 1
In this case, the < and > characters have to be escaped so they are parsed correctly in a batch
file, otherwise they are treated as though they were piping data into or out of a command.
Other monitor script types don't need to do this. - The vbs equivalent would be:
wscript.echo "<-Start Result->"
wscript.echo "CSMon_Result=File not found - script exiting with warning"
wscript.echo "<-End Result->"
wscript.quit 1
We don't have to put the "Start Result/End Result" section around the output when the file is found,
because we only want to raise an alert when it's not there. We only pass the output to the Agent
when there is a problem.
Now our script is checking the right things, and is outputting in the correct format. Now we are ready to incorporate this script into a component monitor.
Turn the script into a Component Monitor
To create a monitor component using the script you've written, follow these steps:
1. Log onto the AEM Web Portal as Administrator (or a user who has the relevant permissions to be able
to create components).
3. In the top left corner, click New Component.
4. In the window that then appears, select the category Device Monitors.
5. Enter a Name and a Description.
6. Click Save.
7. Scroll down to the Script section of the window that appears.
8. In the Script drop-down menu, select Batch (since our example script here is a batch / command shell
script). If you're using a different script, choose the appropriate script type.
9. Paste your working and tested script into the main window of the script section.
10. Next, we need to let AEM know what variable name we're using to capture the output. In this script,
we used CSMon_Result, so we need to configure that as Output Data. Click the green "+" alongside
the "Output Data" section.
11. In the window that appears, specify the output variable name as CSMon_Result, and the type as
String, then click Add.
12. Click Save. Your monitor component will be saved and added to your component list.
Create a monitoring policy to use your component
Now that we have a Custom Component Monitor, the final step is to deploy it to one or more devices using a
monitoring policy. Refer to "Create a Monitoring Policy" on page 256.
1. In the Monitor Type drop-down, choose Component Monitor.
2. Click Next.
3. Your custom component monitor will be listed in the first drop-down in the Monitor Details > Trigger
Details section. Select your component monitor.
4. Configure how often this monitor should be executed.
5. For now, we can leave the Alert Details and Auto-Resolution Details at their default values.
6. Click Next.
7. If you'd like to receive email alerts when this monitor is triggered, check the Email the following
recipients box on the Response Details page and enter your email address or just leave the Default
recipients check box selected.
8. Then click Next until the monitor is created and you are back to the New Policy page.
9. Add your targets and push out the policy.
View the output
If the file you are looking for does not exist on a device the monitor was pushed out to, the designated alert
recipients will receive an email like this:
In addition, you can see all raised alerts when you navigate to Account > Monitor > Monitor Alerts. Refer
to "Manage Alerts" on page 346.
For more details on a raised alert, just click on the hyperlinked message text:
Alerts and Tickets
When a monitor is triggered because its thresholds are being breached, possible responses include:
l
Sending a notification email to a designated recipient
l
Raising an alert
l
Creating a ticket
These responses are configured when the monitor is created. Refer to "Monitors and Policies" on page 232.
About Alerts
An alert is the automatic response to a device operating outside of the parameters defined in the monitor.
Alerts appear and can be managed on the Monitor tab at the device, site and account levels, where you can
review them and take the appropriate action. Automatic response options include running a component (that
is, a script), sending an email to designated recipients, and optionally creating a ticket.
For more information on managing and responding to alerts, refer to "Manage Alerts" on page 346.
About Tickets
Without the advanced Autotask integration enabled, Autotask Endpoint Management (AEM) offers a standalone ticketing feature where the ticket entity lives and gets updated in AEM. However, if you integrate with
Autotask PSA, you'll be able to use the advanced integrated ticketing, with the ticket entity living in Autotask
PSA and offering much more detailed ticket information. For information on how to enable the Autotask integration and the advanced integrated ticketing, refer to Autotask PSA and Endpoint Management Integration.
Tickets can be created in three ways whether or not you have enabled the Autotask integration:
l
l
l
In the Web Portal, users with access to the Support tab at the account, site or device level can manually create a ticket. Refer to "Create a Ticket in the Web Portal" on page 358.
Monitors can be configured to automatically create a ticket in addition to a notification email. Refer to
the documentation on the different types of monitors. Links can be found under "Types of monitors" on
page 232.
Tickets can be created by end-users in the Agent Browser. Refer to "Create a Ticket in the Agent
Browser" on page 361.
All tickets are managed in the Web Portal. Refer to "Manage Tickets" on page 352.
If the ticketing features AEM offers are not sufficient for your needs, AEM integrates with several other PSA
solutions. For information on PSA integrations, refer to Configuring Third Party Integrations.
Manage Alerts
Permission to manage Monitors at Account, Site or Device level
Account > Monitor > Monitor Alerts
Sites > select a site > Monitor
Device > select a device > Monitor > Monitor Alerts
What is an alert?
An alert is the automatic response to a device operating outside of the parameters defined in a monitor. Alerts
appear and can be managed on the Monitor tab at the device, site and account levels, where you can review
them and take the appropriate action. Automatic response options include running a component (that is, a
script), sending an email to designated recipients, and creating a ticket.
About the Monitor Alerts Page
Radio Buttons
The Account > Monitor tab displays radio buttons that allow you to toggle between Monitor Alerts and Job
Alerts lists. For information about Job Alerts, refer to "Manage Job Alerts" on page 329.
The Site > Monitor tab displays Monitor Alerts only.
The Device > Monitor tab displays radio buttons that allow you to toggle between Monitor Alerts and Monitors. For information about Monitors, refer to "Monitors and Policies" on page 232.
Columns and filters
Field
Description
Column Chooser
Category
By default, alerts of all categories are shown. Click the drop-down to display alerts
from a specific monitor type.
Field
Description
Priority
By default, alerts of all priorities are shown. Click the drop-down to display alerts of a
specific priority. The priority legend is as follows:
Status
By default, only active alerts (that is, Open Alerts) are shown. Click the drop-down to
display alerts with a specific status:
• Open Alerts
• All Alerts
• Resolved Alerts
• Muted Alerts
Action bar icons
Icon
Name
Description
Resolve selected alerts
Manually sets the status of the selected alerts to Resolved.
Standalone ticketing:
If your alert raised a ticket, resolving the alert will add a ticket note to the
ticket and close the ticket. You may disable the auto-resolution of tickets
in the monitor's Ticket Details section. Refer to "Create a monitor" on
page 239.
Advanced integrated ticketing:
If you use advanced integrated ticketing, enabling self-healed and
cleared alerts will allow you to handle the corresponding PSA alert
ticket's status. Refer to Self-Healed and Cleared Alerts.
Mute Monitors for Devices
Prevents email notifications that the alert has triggered for the selected
devices. The alerts will still appear on the list when the Muted Alerts filter
is selected.
Un-Mute Monitors for
Devices
Only available when the alert had been muted. It removes the alert from
the Muted Alerts list and allows it to trigger email notifications for the
selected devices again.
Mute Monitors for Sites
Prevents email notifications that the alert has triggered for the selected
sites. The alerts will still appear on the list when the Muted Alerts filter is
selected.
Un-Mute Monitors for Sites
selected sites again.
Mute Monitors for Account
Prevents email notifications that the alert has triggered for your entire
account. The alerts will still appear on the list when the Muted Alerts filter
is selected.
Icon
Name
Description
Un-Mute Monitors for
Account
entire account again.
Export to CSV
Allows you to export a list of the selected alerts in .CSV format. Make
sure to select the columns you want to include in the export.
New Ticket
Click to create ticket(s) for the selected alert(s). In the pop-up window,
you can complete the following fields:
• Standalone ticketing: Assigned to, Priority, Ticket Email Notification
• Advanced integrated ticketing: Priority, Source, Issue, Sub-Issue,
Queue, Primary Resource, Role, Ticket Note
Refresh
You can also click Auto-refresh on and off at account level.
Auto-refresh only happens when an action occurs to trigger
it. It does not refresh at set time intervals.
Column descriptions
The following columns are displayed by default:
Field
Description
Selection
check box
Check to select one or multiple alerts.
Alert type
icon
Displays an icon that identifies the type of alert that was triggered.
Triggered
Shows how long ago the alert was raised. You can click the column header to sort by this criterion.
Message
Displays the alert message.
Priority
Displays the priority of the alert. You can click the column header to sort by this criterion.
Alert Message (at
Device level
only)
Displays the alert message.
Alert
Triggered (at
Device level
only)
Displays what triggered the alert.
Alert
Resolved (at
Device level
only)
Displays whether the alert has been resolved. You can click the column header to sort by this
criterion.
Field
Description
Alert
Resolved
Date (at
Device level
only)
Displays when the alert got resolved.
Alert Muted
(at Device
level only)
Displays whether the alert is muted.
Alert
Received (at
Device level
only)
Displays when the alert was received.
Site (at
Account and
Device level
only)
The name of the site associated with the device that triggered the alert.
Online / Offline status
icon
Shows online / offline status, privacy status and network node status of the device.
Hostname
The hostname of the device that triggered the alert. You can click the column header to sort by
this criterion.
Ext IP Addr
(at Device
level only)
The external IP address of the device.
Resolved
Indicates where the issue was resolved (Agent or Platform), and how long ago. You can click
the column header to sort by this criterion.
How to...
View and act on alert information
When you click on the hyperlinked message of an individual alert, the Alert Information window is displayed.
On this page, you will see:
l
The Device Summary, with links to the device and the site
l
The Alert Summary, with links to the Policy that deployed the monitor that triggered the alert
l
The Alert Response, if an automatic response was configured in the monitor
l
The Resolution Summary, if the alert was resolved
l
Diagnostic Summary (e.g. CPU or memory usage)
Below the title bar, you will see a number of action icons that allow you to act on the information. Refer to
"Action bar icons" on page 347.
You can also run a quick job on the device or connect to it:
Icon
Name
Description
Run a quick job
Run a component through a quick job. Refer to "Deploy Components Using Jobs" on page 319.
Icon
Name
Description
Connect to Device*
Refer to "Remote takeover icons" on page 118.
Splashtop*
Manage Tickets
Permission to manage Account > Support or Sites > Support
Account > Support OR open a site and click the Support tab OR open a device and click the Support tab
Tickets are managed by clicking the Support tab at the account, site or device level, using both the standalone and advanced integrated ticketing that AEM offers.
l
On the Account > Support tab, you have access to all tickets in your AEM account.
l
On the Sites > Support tab, you have access to all tickets for the selected site.
l
On the Device > Support tab, you have access to all tickets associated with the selected device.
The list features on these three pages are identical.
About the Ticket List Page
Views
The Tickets radio buttons allow you to filter the tickets on the list. By default, you will see all open tickets, but
you can click the following views:
Radio button
Description
Open Tickets
This selection will display tickets where the status is something other than Closed.
All Tickets
This selection will display all tickets that have ever been created, regardless of status.
My tickets
This selection shows all tickets assigned to the logged-in user.
By default, you will see all tickets, but you can filter them by selecting one or more options from the following
drop-downs:
Drop-down
Description
Queue
Select any or all the queues. The drop-down lists all active queues as configured in Autotask
PSA.
Status
Select any or all the statuses. The drop-down lists all active statuses as configured in Autotask
PSA.
Priority
Select any or all the priorities. The drop-down lists all active priorities as configured in
Autotask PSA.
Drop-down
Description
Assigned To
Select any or all the resources. The drop-down lists all active resources as configured in
Autotask PSA.
The query displays tickets for a maximum of 100 sites within the past 30 days.
Actions icons
Icon
Name
Description
Update status of selected tickets
Allows you to update the status of multiple selected tickets.
Refresh
Auto-refresh
Switch auto-refresh ON or OFF to enable or disable auto-refresh of
the page.
Auto-refresh only happens when an action occurs to
trigger it. It does not refresh at set time intervals.
Icon
Name
Description
Refresh
Auto-refresh
Switch auto-refresh ON or OFF to enable or disable auto-refresh of
the page.
Auto-refresh only happens when an action occurs to trigger it. It does not refresh at set time intervals.
Save
Once you have selected the required Queues, Statuses, Priorities
and Assigned Resources, click Save to update the results.
Column Descriptions
Field
Description
Selection check box
Check to select one or multiple tickets. The check box is used in conjunction with the
Edit icon.
Number
The ticket number. You can click the column header to sort by ticket number. Click the
hyperlinked ticket number to edit the ticket.
Field
Description
Site
The site the ticket is associated with.
Created by
Displays the device name for which the ticket was created, or the user who created the
ticket in the Web Portal. You can click the hyperlinked device name to open the device.
Ticket Title
The title of the ticket. You can click the column header to sort by ticket title.
Description
The ticket description. You can click the column header to sort by ticket description.
Priority
The ticket priority between 1 and 5. You can click the column header to sort by priority.
The priority legend is as follows:
Status
Indicates the progress that has been made on the ticket. Options are New, In Progress, Waiting and Closed. You can click the column header to sort by status.
Create Date
Date, time and time zone when the ticket was created. You can click the column header
to sort by date.
Assigned to
The user responsible for resolving the ticket.
Field
Description
Site
The site the ticket is associated with.
Ticket Number
The ticket number. You can click the column header to sort by ticket number. Click the
hyperlinked ticket number to edit the ticket.
Title
The title of the ticket. You can click the column header to sort by ticket title.
Created By
The name of the user who created the ticket. If the ticket was raised through a monitor,
the user who created the monitor is listed as the creator.
Queue
The queue where the ticket got assigned. You can click the column header to sort by
queue.
Issue
The ticket issue type. You can click the column header to sort by issue type.
Sub-Issue
The ticket sub-issue type. You can click the column header to sort by sub-issue type.
Status
The ticket status. Both open and complete tickets are listed. You can click the column
header to sort by status.
Priority
The ticket priority between Critical and Low. You can click the column header to sort by
priority. The priority legend is as follows:
Field
Description
Created
Date, time and time zone when the ticket was created. You can click the column
header to sort by date.
Assigned To
The primary resource responsible for resolving the ticket.
How to...
Edit a ticket
All tickets, even completed ones, can be edited at any time. Depending on the type of ticketing you use, you
can update different fields.
1. Click on the ticket number. The Ticket window will open.
2. You can edit the Status, Priority, Assigned To, or Comments fields.
If your ticket was raised by a monitor alert, setting the ticket's status to Complete will
resolve the alert as well.
3. Click Save or Submit (if you are adding a new comment), and close the window.
1. Click on the ticket number. The Ticket window will open.
2. Update any of the following fields: Title, Description, Status, Priority, Source, Issue, Sub-Issue,
Queue, Primary Resource, Role.
If your ticket was raised by a monitor alert and it gets completed through an Autotask PSA
workflow rule, you can use the same workflow rule to fire off an extension callout to resolve
your AEM alert as well. Automatic alert closure will not occur if the ticket was completed
manually. For further information, refer to Automatic AEM alert closure when completing the
PSA alert ticket.
3. You can also add a new ticket note by clicking on Add a new note to this ticket.
4. Once you have finished editing the ticket, click Save.
Click the View in Autotask button in the top right corner of the ticket window to open and edit
the ticket in Autotask PSA. If you were already logged into PSA or single sign-on is configured
for you, you will be directed to the ticket detail page.
If you are not logged into PSA, you will be required to enter your login credentials.
For information about how to create a ticket, refer to "Create a Ticket in the Web Portal" on page
358 and "Create a Ticket in the Agent Browser" on page 361.
Create a Ticket in the Web Portal
In the AEM Web Portal, tickets can be created manually at account, site and device level, using both the standalone and advanced integrated ticketing that AEM offers. You can also configure monitors or monitoring
policies to create tickets when an alert is raised. For more information, refer to "Alerts and Tickets" on page
345.
How to...
Manually create a ticket
1. Log into the AEM Web Portal.
2. Navigate to the account level, or the desired site or device.
3. Click on the Support tab.
4. On the left hand side, click on New Ticket.
5. Depending on the type of ticketing you use, complete the following fields:
Field
Description
Ticket Title
Enter a ticket title.
Description
Enter a ticket description.
Priority
Select a ticket priority:
Assigned to
Select an AEM user who will be responsible for resolving the issue.
Fields marked with an * are required fields.
Field
Description
Ticket Information
Title*
Enter a ticket title.
Description
Enter a ticket description.
Site*
At account level, start typing to get a list of matching site names and select a
site.
At site and device level, the site name is filled in for you.
Status*
The default value is New. This field is not editable.
Priority*
Select a ticket priority. The drop-down lists all active priorities as configured
in Autotask PSA.
Source
Select a ticket source. The drop-down lists all active sources as configured in
Autotask PSA.
Issue
Select a ticket issue type. The drop-down lists all active issue types as configured in Autotask PSA.
Sub-Issue
Select a sub-issue type for the selected issue type. The drop-down lists all
active sub-issue types for the selected issue type as configured in Autotask
PSA.
Assignment
Queue*
Select a queue where the ticket should be assigned. The drop-down lists all
active queues as configured in Autotask PSA.
Primary Resource*
Select a resource who will be responsible for resolving the issue. The dropdown lists all resources that are currently active in Autotask PSA.
Role*
Select a role for the selected resource. The drop-down lists all the roles that
the selected resource is associated with in Autotask PSA.
Activity
Ticket Notes
If you would like to add further information to your ticket, click on Add a new
note to this ticket. This will open a box where you can enter a title and a
description for your note.
By clicking on Discard, you can delete the note entered.
6. Click Save.
A dialog that includes the ticket number will confirm that the ticket has been created. The newly created ticket will appear at the top of the ticket list.
Configure a monitor or monitoring policy to create a ticket
When you create or edit a monitor or a monitoring policy, you configure the alert responses that will be
triggered when a monitor threshold is breached. One of the possible response options is the automatic creation of a ticket. For information on how to configure the Ticket Details in a monitor or a monitoring policy,
refer to "Manage Monitors" on page 239.
Create a Ticket in the Agent Browser
In addition to the Web Portal, tickets can also be created in the Agent Browser. This allows end users to submit tickets using the AEM Agent installed on their local device. The ticket will appear in the Web Portal.
How to...
Create a ticket
1. Open the Agent Browser on the local device by double-clicking on the AEM system tray icon.
2. Select the Tickets tab .
3. Click New Ticket.
4. Complete the Ticket Title and Description fields.
5. Click OK to submit the ticket.
An email notification is sent to the assigned resource, and the ticket appears in the AEM Web Portal.
The end user is able to view open tickets from the Tickets tab in the Agent Browser.
Edit or close a ticket
If you are using the AEM standalone ticketing, end users can edit and close tickets on the Tickets tab in their
Agent Browser.
If you have integrated with Autotask PSA and are using the advanced integrated ticketing, tickets
can be edited in the Web Portal.
l
l
You can edit a ticket by clicking on the pencil icon next to it. You will be able to see any notes added
by the technician from the AEM Web Portal and you can also add further notes.
Closing the ticket will change the status to Closed in the Web Portal, and the ticket will no longer be
visible in the Agent Browser. AEM administrators will still be able to access the ticket via the Web
Portal.
Configure assigned resources for tickets
The assigned resource for tickets submitted via the Agent Browser can be configured in the AEM Web Portal.
The selected recipient will receive email notifications of new tickets when submitted. The assigned
resources can be configured at account and site level as well. Resources configured at site level will override
any set at account level.
For further information, refer to Account Settings and "Site Settings" on page 20.
Activity Logs and Reports
Activity Logs
Autotask Endpoint Management creates an audit trail of all human activity in the account. The logs can be
found on the following pages:
"Device Activity" on page 372
"User Activity" on page 373
"Account Activity" on page 371
Reports
Autotask Endpoint Management features a large number of reports that can be generated by users with sufficient permissions.
Report Levels
Reports can be run for a single device, all devices in a site, or at account level. On the Sites tab, you can also
select a filter or group, and generate a report at the device or account level, depending on the type of group or
filter you selected.
Security levels can have granular permission for each reporting level. Refer to Security Levels.
Output File Types
Reports can be generated in PDF or Excel format. The default output format is PDF.
Running or Scheduling a Report
Reports can be run immediately or at a preset schedule. Refer to "Schedule and Run a Report" on page 476.
Finding the Right Report
To assist you with locating the right report, refer to "Find the Right Report" on page 376. These topics contain
descriptions and screen shots of all available reports.
Account Dashboard
Permission to view or manage Account > Dashboard
Account > Dashboard tab
Autotask Endpoint Management (AEM) allows you to proactively monitor and manage your endpoints at
device, site and account level.
At device level, the Device Summary page displays audit information, notes, activity and performance
information about a single device. For more information, refer to "Device Summary" on page 119.
At site level, the Site Summary page lets you see statistical information, such as security or energy usage
information, about one site's endpoints, that is, about all the devices that have been added to the same site.
For more information, refer to "Site Summary" on page 16.
At account level, the Account Dashboard provides a summary of the health and security status of all your
endpoints across all your sites.
To access the Account Dashboard tab:
2. Click the Account tab. This will bring you to the Account Dashboard tab that displays two sections:
Dashboards and Security Status.
Dashboards
Dashboards can be viewed by clicking on the Account Dashboard hyperlink. This is a default account
dashboard and cannot be edited.
Clicking on the Kiosk Mode hyperlink will launch the Account Dashboard in a separate window.
Once you click on Account Dashboard or Kiosk Mode, the following information will be displayed:
Field
Description
Devices
Displays the following information:
• Total - The number of all devices in the account. Refer to "Manage Devices" on page 115.
• Online - The number of devices that are online at the moment.
• Offline for 7+ days - The number of devices that have been offline for more than 7 days.
Field
Description
Components
• Total - The number of components in your Component Library that you can find by clicking on the
Components tab. For more information, refer to "Components and ComStore" on page 266.
• ComStore - The number of components available in the ComStore. For more information, refer
to "Download Components from the ComStore" on page 268.
• Updates - The number of components that have updates available. For more information, refer to
"Check for updates" on page 299.
Notifications
Displays the alert notifications across the entire account. Hover over each line to see and/or click
for further details:
• Alert type icon - Displays an icon that identifies the type of alert that was triggered. Hover over it
to see the name displayed.
• Site name - The name of the site in which the alert was raised. Click on the name to open the
Site > Monitor page. Refer to "About the Monitor Alerts Page" on page 346.
• Device name - The hostname of the device for which the alert was raised. Click on the name to
open the Device > Monitor page. Refer to "About the Monitor Alerts Page" on page 346.
• Alert Information - Click on the message to review the Alert Information. Refer to "View and act
on alert information" on page 349.
• Time stamp - Hover over the end of the row to see the exact date and time when the alert was
raised.
The priority level of the alerts is indicated by different colors. For more information, refer to "About
the Monitor Alerts Page" on page 346.
Active Jobs
• Devices scheduled - The number of devices which currently have a job scheduled against them.
If one device has two scheduled jobs, the device will be counted only once.
• Devices running - The number of devices which are currently running a job.
• Devices with warnings - The number of devices where post-conditions have been triggered
when running the job. For more information, refer to "Create or Edit a Component" on page 301
and "Post-Conditions" on page 309.
• Devices with failures - The number of devices that exited with an error when running the job. For
more information, refer to "Create or Edit a Component" on page 301 and "Post-Conditions" on
page 309.
To see information about the job results, refer to "The Job View" on page 331.
Field
Description
Open
Alerts
Displays the number of devices with open alerts of priority 1 - 5. Refer to "About the Monitor Alerts
Page" on page 346.
Icons on the page:
Icon
Name
Description
Refresh
Hover over each section and click on the Refresh icon to refresh the data displayed.
In Kiosk Mode, you can also click on the Refresh Now button on the
top of the page.
Information
Hover over the Notifications section to see the icon and display the priority legend of
the raised alerts.
Security Status
Field
Description
Anti-Spyware Summary
Shows the number of devices that have:
• At least one active and updated anti-spyware product
• At least one active but not up-to-date anti-spyware product
• No active anti-spyware product
Field
Description
Anti-Virus Summary /
AEM Managed Anti-Virus
Summary
This section will display a different name and information, depending on whether
you have configured the Kaspersky Endpoint Security (KES) Integration or the
Webroot Endpoint Security Integration. Refer to "Kaspersky Endpoint Security
Integration" on page 208 and "Webroot Endpoint Security Integration" on page
218.
Without any of the above integrations enabled, the section is called Anti-Virus
Summary and shows the number of devices that have:
• At least one active and updated anti-virus product
• At least one active but not up-to-date anti-virus product
• No active anti-virus product
With any of the above integrations enabled, the section is called AEM Managed
Anti-Virus Summary and shows:
• The total number of devices targeted in security management policies. Note that
this number may not match the sum of devices listed for the various statuses
below as one device may be listed for more than one status. (For example, the
same device may be listed for the status "Installed, not active" and "No valid
license".)
The following device statuses are displayed:
• Installed & Active
• Not Installed
• Installed, not Active
• Reboot Required
• Active Threats
• Needs Update
• No Valid License
Firewall Summary
• At least one active firewall product
• No active firewall product
Security Status information is displayed for Windows devices only. It does not include anti-spyware status for Windows XP devices and the status of servers (as they do not report security center information).
Click the hyperlinked number of devices next to any status to see the list of devices of that
status.
The name of the anti-spyware, anti-virus and firewall products is listed under each section, along with their
status:
Icon
Description
Enabled and up to date
Enabled but not up to date
Disabled
By clicking on the Show/Hide Graph
icon in the Anti-Spyware Summary, Anti-Virus Summary and Firewall
Summary areas, you can see a graphical representation of the data.
Account Activity
Permission to view or manage Account > Report
Account > Report > toggle to Activity Log
At account level, the Report > Activity Log page only shows devices that were moved between sites.
This is used primarily in billing to show the movement of devices between Managed sites and the nonchargeable OnDemand sites.
Device Activity
Permission to view Sites > Devices
Sites > click on a site > Devices > click on a device > Report > toggle to the Activity Log view
The Activity Log view shows a list of all activities associated with a specific device, no matter who performed
the activity.
The listed items include patch installations, jobs, remote takeovers, password changes, or even data about
when the device was moved from one site to another. The following information is displayed in this area:
Field
Description
Type
Type of activity represented by its icon.
Name
Name of the activity.
Job names are hyperlinked. Clicking on the link will direct you to "The Job View" on page 331.
Started
Start date of the activity.
Ended
End date of the activity.
Policy
Name of the policy that targeted the device.
Status
Status of the activity.
For patches, it shows failure error codes where applicable.
Results
If a summary icon
Progress
A color indicator of the progress of the activity.
Green - Completed.
Red - Failed.
For more information on job results, click on the name of the job and refer to "The Job View" on page
331.
Stdout
Click on the icon to view the Stdout (standard output) message for the device.
Although Stdout is normally used for jobs, patch run information is also stored here.
Stderr
Click on the icon to view the Stderr (standard error) message for the device.
is displayed, you can click on it for more information about the activity results.
The most recent activities are also displayed on the "Device Summary" on page 119 page.
User Activity
Administrator
Setup > Activity Log
Setup > Users > toggle to Activity Log
AEM creates a log of all user activity in both the Web Portal and the Agent. This log is accessible by folowing
either of these paths:
l
Setup > Activity Log
l
Setup > Users > toggle to the Activity Log view
Activities associated with a specific device can be viewed on the Device > Report tab when you
toggle to the Activity Log view. Refer to "Device Activity" on page 372.
How to...
Review the activity log
The activity log is a list that can display up to 250 records per page. It can be sorted by Date/Time, User or IP
Address. The default sort order is Date/Time.
Name
Description
Selection check
box
Click the check box in the header row to select all rows, or click one or more rows to perform
an action.
Date/Time
It displays the time zone, date and time when the activity was carried out.
Name
Description
User
It displays the username of the user who performed the activity.
IP Address
It displays the public IP address the user logged in from.
Details
It displays the entity the activity was performed on, and the action that was performed.
Parameters
It displays the fields and values of the affected entity.
Search for activities of a specific user
1. In the Users field, select a Username and click Search.
2. To display the full list, select All and click Search.
Search for activities during a date range
1. In the Date field, select the range from the list or specify a custom date and time range.
2. Click Apply.
3. To display the full list, clear the Date field.
Export the activity log
To export the Activity Log:
1. Search for the records you would like to export by performing one of the searches above.
2. Click the Export to CSV icon
in the Action bar above the list.
3. Select the columns you want to export.
4. Click Save. The file will be downloaded to your workstation.
Find the Right Report
Find reports by report level
"Reports at Device Level" on page 377
"Reports at Site Level" on page 382
"Reports at Account Level" on page 412
Find reports by type
"Reports on Alerts" on page 428
"Reports on Activities" on page 423
"Reports on Endpoints" on page 434
"Status and Health Reports" on page 449
"User Reports" on page 473
Reports at Device Level
Permission to view or manage Sites > Report
Sites > select a site > Devices > select a Device > Report
The date format for all reports is dd/mm/yy.
Device reports report on one specific endpoint. The following reports are available at device level:
30 Day Device Activity Summary | 7 Day Device Activity Summary
Description
For the selected device, the report provides total activities and times by category of Jobs, Notes, Remote Shell
and Remote Support for the previous 7 or 30 days. Then
it lists details for each activity event, including username, date/time started and ended, and total time.
30 Day Device Alert Summary | 7 Day Device Alert Summary
Description
For the selected device, the report provides the total
number of alerts and average response time by category for the previous 7 or 30 days. Then it lists details
for each alert, including priority, alert date and time, end
time and time of response.
Device Change Log
Description
For the selected device, the report lists changes to the system
since the Agent was first installed, when software was changed,
added or deleted. It includes date and IP address.
Device Summary
Description
The report lists system, hardware and software information for the
selected device. It includes Agent version, domain, last user, last
audit date, last seen date, if the device is online and if the web port is
OK, manufacturer, model, operating system, service pack, and serial
number. It also reports on status of security options such as antivirus, firewall and updates, hardware information such as ID, motherboard, processor, memory, storage, display and network adapters,
and monitor information. It lists all software with version number.
Monitor Alerts Report (Device Level)
Description
The report lists each alert for the selected device by type
and includes alert message, priority and time of alert.
Reports at Site Level
Permission to view or manage Sites > Report
Sites > select a site > Report
Site reports report data on the selected site only. The following reports are available at site level:
30 Day - Executive Summary Report (Site Level)
For the selected site, this monthly report provides quick access
to information on the performance and health of your
IT systems. It provides an overview of the current status of your
servers (inventory, disk usage, patch status, approved pending
patches, % of time when connected to the platform) and workstations (replacement recommendations, operating systems in
use, inventory checks). It details your workstations' hardware
inventory, as well as their disk usage, patch status and
Description
approved pending patches. It lists your managed network
devices and managed mobile devices. It summarizes the monitoring alerts (by totals per category) and the activity on your
devices (by totals per category, total time and the number of
activities of the top 5 devices).
The report is also available in German upon request
by contacting Autotask Customer Support.
30 Day - Executive Summary Report - Only Servers and Workstations (Site
Level)
to information on the current status of your servers (inventory,
disk usage, patch status, approved pending patches, % of time
when connected to the platform) and workstations (replacement
recommendations, operating systems in use, inventory
Description
checks). It also details your workstations' hardware inventory,
as well as their disk usage, patch status and approved pending
patches.
30 Day Site Activity Summary | 7 Day Site Activity Summary
Description
For the selected site, the report provides total activities
and times by category of Jobs, Notes, Remote Shell and
Remote Support for the previous 7 or 30 days. It also
lists the top 5 devices associated with the site by number of activities. Then lists details for each activity, by
device.
30 Day Site Alert Summary | 7 Day Site Alert Summary
Description
For the selected site, the report provides the total number of alerts and average response time by category for
the previous 7 or 30 days. It also lists the top 5 devices
associated with the site by number of alerts. Then it lists
details for each alert by device, including priority, alert
date and time, end time and time of response.
30 Day Site Executive Summary | 7 Day Site Executive Summary
Description
For the selected site, the report provides a snapshot for the last 7
or 30 days of the site's overall health as measured by server
uptime and desktop anti-virus coverage. It lists the top 5 devices by
activity and by alerts. It summarizes activities and alerts by totals
per category, total time and average response time. It lists assets
and top 5 storage devices, broken down by servers and desktops.
Computer Summary
Description
The report lists the computers associated with the selected site. It includes name, processor, operating system
and service pack, memory, letter label, total drive space,
amount and percentage of free space.
Critical 3rd-Party Software Summary Report
Description
The report lists all Windows and Mac devices in the site
(sorted by operating system and device name) showing
the version or multiple versions of critical 3rd-party software. If no application is found, the cell remains empty.
Customer Health Summary
Description
The report lists health information for all devices in selected
site. It displays a summary about hardware, security and
maintenance software, and players and readers installed on
the devices. The summary section shows how many devices
have failed or passed the test and if there is any device with
a warning. The report also lists the results for each individual
device in the details section.
Detailed Computer Audit
Description
For the selected site, detailed information on each computer, including hardware information such as asset tag
and date, serial number, domain and username, virus
scanner details, Windows update, date of last contact,
OS, processor, memory, motherboard, BIOS, IP and
MAC addresses, video, and physical disk drive size and
free space.
Exception Report
Description
For the selected site, a summary of all MS Windows
devices, including warnings for devices without updated
anti-virus, MS updates, or firewall, and devices with low
free disk space or not online this month.
Health Report
Description
Summary for all devices associated with the selected site,
broken down by servers and workstations, with and without
warnings. The report lists alerts, jobs run, and remote
takeover minutes. It shows alert turnaround time summary. It
lists individual devices by hostname, IP address, and last
logged in user. It shows warnings for devices without
updated anti-virus, anti-spyware, MS updates or firewalls. It
also shows warnings for devices with low disk space and
not online this month.
Inventory Age
Description
Inventory age report on all devices associated with the selected
site. It displays replacement recommendations for the next 12
months to two years. It lists operating systems in use. It lists individual devices by name, last user, serial number and build date.
It includes warnings for low memory, free disk space or not
online this month.
Microsoft License
Description
Microsoft license report for devices in the selected site,
listing software type, Microsoft product name, and quantity of devices with that product installed.
Monitor Alerts Report (Site Level)
Description
Lists device name, alert type, alert message and priority,
and date/time of alert.
Patch Management Activity Report (30-days)
Description
For the selected site, the report lists all Windows devices and all
patches installed on them in the last 30 days. The devices are listed by
name, and the patches installed on each device are sorted by installation time stamp (newest on top). The patch information includes the
name, type, priority, publish date (the date when Microsoft made the
patch available), and install status of the patch. The total number of
patches installed in the site is displayed at the top of the report.
Patch Management Detailed Report
Description
The report lists each device in the selected site, with number of patches released, patches installed and approved
pending patches, percent of approved pending patches,
and number of alerts. It separately lists devices requiring
attention, and provides a summary and analysis of fully
patched/not fully patched devices. It includes a detailed list
of patches by device, with name, critical rating and installation status.
Patch Management Summary Report
Description
The report graphically shows percentage of devices in a site that
are fully patched or missing specific number of patches. It lists
devices with the number of approved pending patches. It lists each
device in the site with the number of patches released, patches
installed and approved pending patches.
Server Performance Report (Site Level)
Description
The report shows the CPU, Memory and Disk performance of the servers in a site over the last 30 days, including the average of the CPU
and Memory, and the delta of the available disk space.
Site Activity
Description
The report lists Jobs, Notes and Remote Takeover sessions for all devices in the selected site over the last 30
days.
Site Device
Description
The report lists all devices in the selected site with their
IP Address, last updated date, model, serial number and
last logged-on user.
Site Health
Description
The report displays the number of devices in the selected site by operating system, including build number. It
lists the number of devices without updated anti-virus,
MS updates or firewall, with low free disk space or
memory, and devices not online this month. It lists each
device by name with last logged-in user, and their individual status for previous mentioned criteria.
Site IP Information
Description
The report lists each device in the selected site with
adapter name and IP address.
Site Remote Takeover Report
Description
The report lists all the remote control sessions for a site
in the last 30 days. The report includes username, site
and hostname, start and end date and time, length, and
the icon of the remote takeover tool that was used.
Site Serial Numbers
Description
serial number.
Site Server Storage
Description
The report lists all servers associated with a site with
drive letter, size, amount and percentage of free space.
Site Software
Description
The report lists all software (excluding hotfixes and updates) for all
devices in the selected site, with number of installations.
Site Software and Hotfixes
Description
The report lists all software (including hotfixes and updates) for all
Site Storage
Description
The report displays fixed storage information for all
devices in the selected site. It lists device by name, with
drive letter, size, and amount and percentage of free
space.
Site User-Defined Fields 1-10
Description
Report on User-Defined Fields 1-10 in the selected site.
Description
Description
Software Audit Report
Description
For the selected site, for each device grouped separately, the report lists
all software installed on that device, including software package name
and version. The report displays Windows, Mac, Linux, and mobile
devices.
User Software Install
Description
For the selected site, the report lists all software installed
on all devices in the previous month, including software
name, version, whether the software was changed,
added or deleted, and the date the action was taken.
Webroot Report
Description
The report lists total number of devices targeted/not targeted by a Webroot policy. It shows number of devices
that require attention and number of devices that are currently infected. It displays number of active and removed
threats. It details security status of devices targeted by a
Webroot policy, including Webroot Console Group, Site
Key, Webroot status, whether remediation is enabled,
attention is required and if the device is currently infected.
Reports at Account Level
Account > Report
Account reports report data on everything in your account. The following reports are available at account
level:
30 Day Account Activity Summary | 7 Day Account Activity Summary
Description
For the previous 7 or 30 days, the report lists the top 5
sites by number of activities. Then for each site in the
database, it lists activities by category with totals and
detail amounts. Categories include Jobs, Notes, Remote
Shell and Remote Support.
30 Day Account Alert Summary | 7 Day Account Alert Summary
Description
sites by number of alerts. Then for each site in the database, it lists alerts by type with total number and total
time.
30 Day Account Executive Summary | 7 Day Account Executive Summary
Description
For the last 7 or 30 days, the report lists the top 5 sites
by activities and by alerts. Then for each site in the database, it lists totals for activities and alerts by category,
and individual user activity.
30 Day Account User Summary | 7 Day Account User Summary
Description
For the previous 7 or 30 days, the report lists activities
by category, with total quantity and details such as number of devices or total time. Then for each username, it
lists associated site, activity, time started and ended and
total time.
Account Server IP Information
Description
IP address information for all servers in the account, listed by site.
Account Server Storage
Description
Fixed storage information for all servers in the account,
listed by site. It includes drive label, size, amount and
percentage of space, graphically displayed.
Account Server Summary
Description
The report lists all servers in the account, with detailed
information including domain name, model, operating
system, serial number, motherboard, processor,
memory, storage and network adapters.
KES Report
Description
The report lists total number of devices targeted/not targeted by a Kaspersky Endpoint Security (KES) policy. It
shows number of devices that require reboot and number of devices that are currently infected. It displays number of active and removed threats. It details security
status of devices targeted by a KES policy, including KES
license key and activation code, KES status, whether
reboot is required and if the device is currently infected. It
lists number of detected threats and number of active
threats.
Monitor Alerts Report (Account Level)
Description
In order of number of active alerts, the report lists site,
device name, total number of active alerts, and number
of active alerts broken down by device and priority.
Remote Activity
Description
The report lists all the remote control sessions in the
account in the last calendar month. The report includes
username, site and hostname, start and end date and
time, length, and the remote takeover tool that was used.
Server Performance Report (Account Level)
Description
The report shows the CPU, Memory and Disk performance of the servers in the entire account over the last 30 days, including the average
of the CPU and Memory, and the delta of the available disk space.
Webroot Report
Description
Reports on Activities
Device and site reports: permission to view or manage Sites > Report
Account reports: permission to view or manage Account > Report
Sites > click on a site > Devices > click on a device > Report
Sites > click on a site > Report
Account > Report
Activities are the response to an issue or a proactive measure that involves a user. Activities include running
jobs, entering notes, or launching a RemoteShell or Remote Support Session using the Agent Browser.
Reports on activities can be run at device, site and account level.
30 Day Device Activity Summary | 7 Day Device Activity Summary
Description
For the selected device, the report provides total activities and times by category of Jobs, Notes, Remote Shell
and Remote Support for the previous 7 or 30 days. Then
it lists details for each activity event, including username, date/time started and ended, and total time.
30 Day Site Activity Summary | 7 Day Site Activity Summary
Description
For the selected site, the report provides total activities
and times by category of Jobs, Notes, Remote Shell and
Remote Support for the previous 7 or 30 days. It also
lists the top 5 devices associated with the site by number of activities. Then lists details for each activity, by
device.
Site Activity
Description
The report lists Jobs, Notes and Remote Takeover sessions for all devices in the selected site over the last 30
days.
30 Day Account Activity Summary | 7 Day Account Activity Summary
Description
sites by number of activities. Then for each site in the
database, it lists activities by category with totals and
detail amounts. Categories include Jobs, Notes, Remote
Shell and Remote Support.
Remote Activity
Description
Description
Reports on Alerts
Account > Report
An alert is the automatic response to a device operating outside of the parameters defined in a monitor.
Reports on alerts can be run at device, site and account level.
30 Day Device Alert Summary | 7 Day Device Alert Summary
Description
For the selected device, the report provides the total
number of alerts and average response time by category for the previous 7 or 30 days. Then it lists details
for each alert, including priority, alert date and time, end
time and time of response.
30 Day Site Alert Summary | 7 Day Site Alert Summary
Description
For the selected site, the report provides the total number of alerts and average response time by category for
the previous 7 or 30 days. It also lists the top 5 devices
associated with the site by number of alerts. Then it lists
details for each alert by device, including priority, alert
date and time, end time and time of response.
30 Day Account Alert Summary | 7 Day Account Alert Summary
Description
sites by number of alerts. Then for each site in the database, it lists alerts by type with total number and total
time.
Monitor Alerts Report (Device Level)
Description
The report lists each alert for the selected device by type
and includes alert message, priority and time of alert.
Monitor Alerts Report (Site Level)
Description
Lists device name, alert type, alert message and priority,
and date/time of alert.
Monitor Alerts Report (Account Level)
Description
In order of number of active alerts, the report lists site,
device name, total number of active alerts, and number
of active alerts broken down by device and priority.
Reports on Endpoints
Account > Report
Reports on Endpoints contain information about the hardware and software of endpoints, including OS, processor, memory, motherboard, BIOS, IP and MAC addresses, video, and physical disk drive size and free
space, installed software, Microsoft licenses etc.
At device level
Device Change Log
Description
For the selected device, the report lists changes to the system
since the Agent was first installed, when software was changed,
added or deleted. It includes date and IP address.
Device Summary
Description
At site level
Computer Summary
Description
The report lists the computers associated with the selected site. It includes name, processor, operating system
and service pack, memory, letter label, total drive space,
amount and percentage of free space.
Description
Description
free space.
Microsoft License
Description
Microsoft license report for devices in the selected site,
listing software type, Microsoft product name, and quantity of devices with that product installed.
Server Performance Report (Site Level)
Description
The report shows the CPU, Memory and Disk performance of the servers in a site over the last 30 days, including the average of the CPU
and Memory, and the delta of the available disk space.
Site Device
Description
The report lists all devices in the selected site with their
IP Address, last updated date, model, serial number and
last logged-on user.
Site IP Information
Description
adapter name and IP address.
Site Server Storage
Description
The report lists all servers associated with a site with
drive letter, size, amount and percentage of free space.
Site Storage
Description
The report displays fixed storage information for all
devices in the selected site. It lists device by name, with
drive letter, size, and amount and percentage of free
space.
Site Software
Description
Description
devices.
User Software Install
Description
For the selected site, the report lists all software installed
on all devices in the previous month, including software
name, version, whether the software was changed,
added or deleted, and the date the action was taken.
At account level
Account Server IP Information
Description
IP address information for all servers in the account, listed by site.
Account Server Storage
Description
Fixed storage information for all servers in the account,
listed by site. It includes drive label, size, amount and
percentage of space, graphically displayed.
Account Server Summary
Description
The report lists all servers in the account, with detailed
information including domain name, model, operating
system, serial number, motherboard, processor,
memory, storage and network adapters.
Server Performance Report (Account Level)
Description
The report shows the CPU, Memory and Disk performance of the servers in the entire account over the last 30 days, including the average
of the CPU and Memory, and the delta of the available disk space.
Status and Health Reports
Account > Report
The reports in this group assess the status and health of the account, sites or devices, and give warnings
about things like missing anti-virus software, critical 3rd-party software, low disk space or machines with lots
of alerts.
30 Day - Executive Summary Report (Site Level)
to information on the performance and health of your
IT systems. It provides an overview of the current status of your
servers (inventory, disk usage, patch status, approved pending
patches, % of time when connected to the platform) and workstations (replacement recommendations, operating systems in
use, inventory checks). It details your workstations' hardware
inventory, as well as their disk usage, patch status and
Description
approved pending patches. It lists your managed network
devices and managed mobile devices. It summarizes the monitoring alerts (by totals per category) and the activity on your
devices (by totals per category, total time and the number of
activities of the top 5 devices).
30 Day - Executive Summary Report - Only Servers and Workstations (Site
Level)
to information on the current status of your servers (inventory,
disk usage, patch status, approved pending patches, % of time
when connected to the platform) and workstations (replacement
recommendations, operating systems in use, inventory
Description
checks). It also details your workstations' hardware inventory,
as well as their disk usage, patch status and approved pending
patches.
30 Day Site Executive Summary | 7 Day Site Executive Summary
Description
For the selected site, the report provides a snapshot for the last 7
or 30 days of the site's overall health as measured by server
uptime and desktop anti-virus coverage. It lists the top 5 devices by
activity and by alerts. It summarizes activities and alerts by totals
per category, total time and average response time. It lists assets
and top 5 storage devices, broken down by servers and desktops.
30 Day Account Executive Summary | 7 Day Account Executive Summary
Description
For the last 7 or 30 days, the report lists the top 5 sites
by activities and by alerts. Then for each site in the database, it lists totals for activities and alerts by category,
and individual user activity.
Description
Customer Health Summary
Description
The report lists health information for all devices in selected
site. It displays a summary about hardware, security and
maintenance software, and players and readers installed on
the devices. The summary section shows how many devices
have failed or passed the test and if there is any device with
a warning. The report also lists the results for each individual
device in the details section.
Description
free space.
Device Summary
Description
Exception Report
Description
For the selected site, a summary of all MS Windows
devices, including warnings for devices without updated
anti-virus, MS updates, or firewall, and devices with low
free disk space or not online this month.
Health Report
Description
Summary for all devices associated with the selected site,
broken down by servers and workstations, with and without
warnings. The report lists alerts, jobs run, and remote
takeover minutes. It shows alert turnaround time summary. It
lists individual devices by hostname, IP address, and last
logged in user. It shows warnings for devices without
updated anti-virus, anti-spyware, MS updates or firewalls. It
also shows warnings for devices with low disk space and
not online this month.
Inventory Age
Description
Inventory age report on all devices associated with the selected
site. It displays replacement recommendations for the next 12
months to two years. It lists operating systems in use. It lists individual devices by name, last user, serial number and build date.
It includes warnings for low memory, free disk space or not
online this month.
KES Report
Description
The report lists total number of devices targeted/not targeted by a Kaspersky Endpoint Security (KES) policy. It
shows number of devices that require reboot and number of devices that are currently infected. It displays number of active and removed threats. It details security
status of devices targeted by a KES policy, including KES
license key and activation code, KES status, whether
reboot is required and if the device is currently infected. It
lists number of detected threats and number of active
threats.
Patch Management Activity Report (30-days)
Description
For the selected site, the report lists all Windows devices and all
patches installed on them in the last 30 days. The devices are listed by
name, and the patches installed on each device are sorted by installation time stamp (newest on top). The patch information includes the
name, type, priority, publish date (the date when Microsoft made the
patch available), and install status of the patch. The total number of
patches installed in the site is displayed at the top of the report.
Patch Management Detailed Report
Description
The report lists each device in the selected site, with number of patches released, patches installed and approved
pending patches, percent of approved pending patches,
and number of alerts. It separately lists devices requiring
attention, and provides a summary and analysis of fully
patched/not fully patched devices. It includes a detailed list
of patches by device, with name, critical rating and installation status.
Patch Management Summary Report
Description
The report graphically shows percentage of devices in a site that
are fully patched or missing specific number of patches. It lists
devices with the number of approved pending patches. It lists each
device in the site with the number of patches released, patches
installed and approved pending patches.
Site Health
Description
The report displays the number of devices in the selected site by operating system, including build number. It
lists the number of devices without updated anti-virus,
MS updates or firewall, with low free disk space or
memory, and devices not online this month. It lists each
device by name with last logged-in user, and their individual status for previous mentioned criteria.
Site Software
Description
Site Software and Hotfixes
Description
The report lists all software (including hotfixes and updates) for all
Description
devices.
Webroot Report
Description
User Reports
Account > Report
30 Day Account User Summary | 7 Day Account User Summary
Description
For the previous 7 or 30 days, the report lists activities
by category, with total quantity and details such as number of devices or total time. Then for each username, it
lists associated site, activity, time started and ended and
total time.
Remote Activity
Description
Description
Schedule and Run a Report
Permission to view Account > Report and/or Sites > Report
Account > Report
You can run reports at the account, site and device level either immediately, or at a preset schedule.
To schedule or run a report:
2. Navigate to one of the locations you can run a report from:
a. Account > Report
b. Sites > click on a site > Report
c. Sites > click on a site > Devices > click on a device > Report
3. To immediately run a report, click the PDF or Excel icon in the Run Now column.
4. Once the report is created, you'll see a notification appear in the top right of the browser window. Click
the Download link to download and view the report.
5. To create a schedule for running one or multiple reports once or on a recurring schedule, select the
report or reports you want to schedule.
6. Click the Schedule selected reports icon. The New Report Schedule page opens.
Field
Description
General
Name
Enter a name for the report schedule. Best Practice: Include the report level (account,
site, device, group or filter) in the name.
Field
Description
Description
Enter a more detailed description.
Schedule
By default, the report will be executed immediately. To schedule the report for later or
for recurring execution, click Click to change...
Immediately - The report will run as soon as it is saved.
At selected date and time - The report will run once at the selected date and time.
Weekly - The report will run every week on all selected days at the time indicated in
the Start field.
Monthly - The report will run in the selected months on the selected days.
Monthly day of week - The report will run in the selected months on the specified
occurrence of the selected days of the week.
Yearly - The report will run on the selected day (1 - 365) each year.
Click OK to close the scheduling window.
Enabled
By default, the report schedule is enabled. If you want to disable the report schedule
without deleting it, uncheck this option.
Reports
Select...
Select the reports you would like to run at the scheduled time. For each report, select
PDF or Excel output. The default is PDF.
Email Recipients
Subject
Enter the Subject line for the email the report will be attached to.
Body
Compose the text that will appear in the body of the email.
Default Account
Report Recipients
Checked by default. The email will be sent to all mail recipients that are identified in
Account Settings in the Mail Recipients section that also have Reports checked in
the Receives column.
Default Site
Report Recipients (at Site
level)
Unchecked by default. The email will be sent to all mail recipients that are identified
on the Site > Settings page in the Mail Recipients section that also have
Reports checked in the Receives column.
Additional Recipients
Click the plus icon to enter the name and email address of additional report recipients.
a-z, A-Z, 0-9, @, and !#$%&'`*+-|/=?^_{}~.
8. Click Save.
The report schedule is now created and, if the report was scheduled for immediate delivery, the report
is generated and emailed to all recipients.
If the report was scheduled for one-time delivery in the future, or was scheduled for recurring delivery,
it will appear on the Scheduled Reports > Active Reports tab. Completed reports or report
instances will appear on the Completed Reports tab.
Refer to "Manage Reports" on page 479.
Manage Reports
Permission to view or manage Reports
Scheduled Reports
About the Scheduled Reports Page
Tabs
The Scheduled Reports page has two tabs, Active Reports and Completed Reports.
l
l
Active reports are scheduled to be run in the future, or in the case of recurring reports, have instances
that will be run in the future
Completed reports have already been run, and the status shows Completed
The columns and list features are identical.
Views
The Views radio buttons allow you to filter the reports on each tab. By default, you will see all active or completed reports, but you can click the following views:
l
l
Run Once - This selection will display reports that were scheduled to run immediately or at a selected
date and time.
Recurring - This selection will display reports that were scheduled to run daily, weekly, monthly,
monthly day of week, and yearly.
For information on how to schedule reports, refer to "Schedule and Run a Report" on page 476.
Actions icons
Icon
Name
Description
Delete Scheduled Report(s)
Allows you to delete selected reports.
Refresh
Column Descriptions
Field
Description
Selection
check box
Check to select one or multiple reports.
Field
Description
Report Inform- Hovering over the information icon will show a tooltip with the details of this report schedule.
ation
Name
The name the report was given when it was set up. Click on the name to edit the report schedule. Refer to "Edit report " on page 480.
Schedule
Shows the schedule set up for the report. For information on how to schedule reports, refer to
"Schedule and Run a Report" on page 476.
Report Type
Indicates the report level: account, site or device. Refer to "Activity Logs and Reports" on page
364.
Reports
The number of reports that are included in this schedule.
Next Run
Time
Date, Time and Time Zone when the report is scheduled to be run.
Last Run
Time
Date, Time and Time Zone when the report was last run.
Status
The status of the report schedule: Scheduled or Completed. On the Active Reports tab, the
status will remain Scheduled until the last run has been completed.
Edit report
When you click this icon, the Report Schedule page will open in a collapsed view. Click Edit
in the header rows to change any settings. For field descriptions, refer to "Schedule and Run a
Report" on page 476.
Delete report
Click this icon to delete a report schedule.
Index
C
A
command prompt 38
compliant devices 189
active threats 205
component cache 34, 111
advanced integrated ticketing 345
component monitor 240, 338
agent
component profile mapping 333
deploy and install 50
components 266
agent browser mode 74
create or edit 301
agent deployment 20
download 268
agent deployment methods 51
manage 333
agent policy 74
ComStore 189, 268
alert details 239
connect to device 119
alerts 345
connection broker 20, 29, 32
manage 346
CPU monitor 239
overview 345
custom agent settings 20
app store 189
custom component monitor 338
apple push certificate 82
custom fields 20, 38, 119
approved pending patches 147
custom labels 20
audit 106
D
automatic suspension 125
B
dashboard 365
Datto 198, 202
backup management 198
Datto device 198
Backup Management 145
Datto monitor 242
Bash 306
delete device 127
Batch 306, 338
delete job 326
best practice monitoring policies 256
delete profile 9
branded reboot reminder 160
©2016 Autotask Corporation l Page 481 of 487
deploy agent
energy usage 16
Active Directory 53
enroll iOS 82
email or download 57
enrollment 82
LAN / Agent Browser 59
ESXi CPU monitor 243
LAN / Web Portal 62
ESXi data store monitor 243
detected threats 205
ESXi datastore monitor 243
device
ESXi devices 100
add discovered device as managed
device 92
ESXi disk health monitor 243
ESXi fan monitor 243
cloning 73
ESXi host 100
delete 127
ESXi memory monitor 243
manage using SNMP 92
ESXi monitoring 104
summary 119
ESXi policy 104
device activity 372
ESXi PSU monitor 243
device discovery 183
ESXi temperature sensor monitor 243
device movement 371
Event Log Monitor 241
device overview 42
export policy 256
devices 16, 42
F
ESXi 100
favorites 16
view discovered 92
favourites 16
devices list 115
disable Windows Updates 174
discovered network device 178
file / folder size monitor 241
filter definitions 130
filters 130
disk usage monitor 241
filters and groups 129
E
G
edit job 326
endpoint management 145
Gold List 189
groups 142
iPad 82
guest machine 100
iPhone 82
H
J
hibernate 261
job alert 329
hidden discovered device 178
job view 331
hide AEM icon 74
K
hide agent icon 74
Kaspersky 208
HTTP 27
Kaspersky Endpoint Security 205, 227
hypervisor 100
Kaspersky monitor 242
I
import policy 256
KES monitor 242
kiosk mode 365
input variables 315
install agent 66
L
license 106
Android 80
local cache 20, 34, 111
iOS 82
local storage 198
Linux 72
Mac 70
OS X 70
Windows 67
integrations
Datto 202
Kaspersky 208
iOS 86
iOS agent 82
iOS app 189
iOS software management 189
M
mail recipients 20
maintenance window 253
manage 100, 178
manage devices 115
manage monitors 239
manage policies 250
manage profiles 13
managed network device 178
Managed network device 96
Managed profile 7
MDM 78, 82
non-compliant devices 189
MDM policy 86
notes 16
memory monitor 240
O
message 124
offline monitoring 242
mobile 82
OnDemand profile 7
mobile app 189
online status monitor 239
mobile device management 78, 82, 86, 189
override 160
monitor 256
P
monitor types 256
passcode 86
monitoring policy 256
patch cache 34, 111, 160
monitoring policy file 256
monitors 232, 239
patch dashboard 147
patch filter 160
overview 232
patch management 147
N
network devices 178, 242
Patch Management 145
patch policies 174
manage 92
patch policy 160
monitor 92
patching 160
network management 92, 178, 183
pcy file 256
Network Management 145
policies 232, 250
network monitor component 96
Agent 74
network monitoring 242
ESXi 104
network monitors 96
Monitoring Maintenance 253
network node 92, 100, 183
overview 232
network printer 92
Patch Management 160
network scanning 92, 183
Power 261
Ninite 313
Windows Update 174
node score 29, 32
policy refresh 265
R
power options 261
RDP 119
power plan 261
reboot 160
power policy 261
redemption code 189
power rating 20
reg edit 38
PowerShell 306
regedit 38
process monitor 240
registry editor 38
profile 13
remove with MDM 189
add 9
reports
summary 16
device level 377
profile credentials 20
find 376
profile device groups 142
introduction 364
profile policy 250
manage 479
profile settings 20
on activities 423
profiles 7
on alerts 428
overview 7
on endpoints 434
protected devices 198
profile level 382
protection status 198
run and schedule 476
proxy details 27
status and health 449
proxy server 27
system level 412
proxy settings 20, 27
user reports 473
proxy type 27
S
push policy 265
scheduled job 319
Q
scripting 306, 313, 338
QR code 16
security 16
quick fix 189
Security Center monitor 241
Quick Job 319
security management 205, 227
Security Management 145, 218
summary
profile 16
security management command 218
support 345
security management monitor 242
suspend monitoring 125, 239
security management policy 205, 227
suspended devices 125
security status 16, 365
system activity 371
service monitor 240
system dashboard 365
shut down 261
system device groups 142
simple network management protocol 92, 178
system policy 250
Site Key 218
system profile groups 142
sleep 261
system summary 365
SNMP 92, 96, 178
T
SNMP credentials 20
target a device 265
SNMP monitor 242, 256
threats 205
SNMP monitoring 96
ticket assignee 20, 358, 361
SNMP OID 96
tickets 345
SNMP setting 96
create in agent browser 361
Socks4 27
create in Web Portal 358
Socks5 27
manage 352
software management 189
overview 345
Software Management 145
types of policies 250
software management policy 189
software monitor 241
Splashtop 119
standalone ticketing 345
standby 261
U
uninstall agent 66
Android 80
iOS 82
Linux 72
subnet 29
Mac 70
OS X 70
Windows 67
unsuspend 125
user activity 373
V
variables 20, 315
vb script 338
virtual machine 100
virus 205
VMware 100
VNC 119
W
Web Portal 6
Webroot 218, 227
Webroot monitor 242
Webroot Security Agent 218
windows registry 38
Windows Update 160

The Autotask Endpoint Management Web Portal

Transcription

Similar documents

I`m helping to end MS by participating in the 2016 Jayman BUILT MS

The Board of Directors of Qatar Fuel (WOQOD) is pleased to invite

5 `S` Training Program at ABV-IIITM, Gwalior on 21.07.2016

Porky Expo Flyer

The NeuLion Report

Sept 30-Oct 2, 2016 Nov 4-6, 2016 @Camp Tadmor

4 star ALOE HOTEL, PAPHOS

the Guidelines for the registration on

Ticket plus hotel packages for the Chelsea Flower Show 2016

loyola institute for ministry on-campus open house thursday, may 12