Manage endpoint computers

This topic describes how to categorize and group computers that belong to a Set, and create different views according to customized criteria.

Overview

The EPM server provides flexible categorization and grouping of computers in your Sets. Computers running the EPM agent are known as clients. This feature allows EPM administrators to create groups of computers based on office location, department, OS, and other identifiable criteria.

Several built-in categories automatically place clients in certain groupings based on predetermined criteria such as agent status, agent version, Active Directory site, and system type. In addition, it is possible to create custom categories and groups based on your organizations specific requirements. Under each category, the administrator can create additional subset groups.

The My Computers page for EPM for Linux does not yet support all functionality. For example, currently it does not support active policies and most of the configuration options.

Organize the computers view

Use the Group By dropdown options to display the computers according to predefined categories.

Option

Description

None

Does not group the computers by any specific criteria.

Agent Status

Group computers by agent status.

Agent Version

Group computers by agent version. You can deploy multiple versions of the EPM agent in the same organization, and view computers according to the different versions.

First Letter

Group computers alphabetically by the first letter of the computer name.

Network

Group computers by Active Directory domain.

OU

Group computers by Active Directory OU (Organizational Unit).

PC Type

Group computers by PC type.

Common

Filter computers by the following common categories. Click any column title to reorganize the details and view them from different aspects.

Category

Options

Name

Name of the computer

Logged In

Name of the user

Agent Connectivity Status

The status of the EPM agent connectivity, and the time when a policy was last requested by the agent.

Valid values are:

  • Alive
  • Deployment
  • Disconnected
  • Initializing
  • Upgrading
  • Maintenance mode

Agent Operational Alert

Indicates when your attention is required to repair the agent or contact support. Click the warning icon to view more details and see a recommended action, as shown in the following example.

IP From/To

The IP range of the computer

Application Catalog

The status of the agent process of moving the Application Catalog from the Agent to the Server database

  • Not started
  • Collecting
  • Uploading
  • Waiting for processing
  • Processing
  • Completed
  • Failed
  • Failed with retry

For further details, refer to Manage events.

Threat Protection

The status of the Threat Protection process on the computers

  • All
  • Running
  • Not Running
  • Running with issues

Predefined groups

EPM Server has several predefined groups, such as OS types (Windows 7/8 and so on) or 32 or 64-bit.

Filter predefined computer groups

You can filter computers by predefined computer groups.

  • Select the criteria to use for filtering, then click Apply.

  • To remove all filters and reset the display to its original state, click Reset.

Customize categories

You can customize the available categories that appear in the Predefined Groups list.

  • From the Organize drop-down list, select Customize Predefined Groups... .

Custom computer groups

When you manage large numbers of advanced policies or automated event collections, you can simplify policy browsing and organization by creating custom computer groups and assign specific computers to these groups.

Create a custom group

  1. From the EPM Management Console select My Computers.

  2. From the Organize dropdown list, select Manage Custom Groups....

  3. Click Create Group and replace the default name with a naming convention that makes sense for your organization.

    After you create a Custom Group, the group appears in the Custom Groups section.

  4. To create additional groups, rename, or delete custom groups, select Manage....

Assign computers to custom groups

After you create custom groups, you can assign computers to a custom group.

  1. Click the Computer drop-down list or right-click to select the requested computers.

  2. Click Assign to Group.... The Assign to Group dialog box appears.

  3. Select the requested custom group and click OK.

You can filter the Computer display to display only computers that are assigned to Custom Groups or that are not assigned to any group (Unbound). In the example shown in the images below, the display was filtered to show only Computers that are either Unbound or assigned to the Database Administrators Custom Group.

Manage custom groups automatically

You can create custom groups and assign computers to custom groups using an external file that you maintain.

 

Contact CyberArk support to allow the connection to the URL where the external file is found.

This is a .csv-like file. The first row in the file lists the column titles, and all subsequent rows specify the computer name and computer group names. Specify all computer group names for a single computer on the same line, and separate them with a comma and a space, as shown in the following example.

  
<Computer Name>,"<Custom Group name 1>, <Custom Group name 2>,..."

For example:

  
CompName,Groups
Comp1,"Superuser, Superuser2, IT, TS"
Comp2,"Superuser, IT"
Comp3,"Superuser2, IT, TS"

This file takes precedence over any custom groups that were created manually, and any computers that were assigned manually. Computers that are not assigned to any group (unbound) can be excluded from the file. You can create up to 3000 custom groups using the external file.

To manage custom groups automatically

  1. Go to Advanced > Server Configuration and click the link that represents the current value of the Synchronize Computer Groups parameter.

  2. In the Change Configuration Parameter Value window, set the following parameters:

    Parameter

    Description

    SyncOption

    Set From URL if your external file is found on a different site.

    Configuration file

    The URL of your external file.

    Sync interval

    The time, in hours, between attempts to synchronize your file with the data in the EPM service. If there are no differences, synchronization attempts continue until there are differences. Once the data is synchronized, the interval time starts again.

    LastSync

    The time of the last synchronization.

    Empty group deletion

    Set Enable to delete Custom Groups that have no assigned computers as part of the synchronization process.

Add custom computer groups to a policy

After you have created custom computer groups, you can apply policies to them.

To apply an advanced policy to a custom group

  1. In the Policies page, create a policy and specify the scope.

  2. Under Targets, in the Computers in this set line, click Edit, and then Add computer groups.

  3. Select the computer group you created to manage with this policy, then click Add and Done.

  1. Create the rest of the policy as described in Apply policies.

Move computers to a different set

You can move one or more computers from the current set to another.

 

You must have permissions to access the target set.

  1. Click the Computer drop-down list or right-click to select the requested computers.

  2. Click Move to Set and specify the name of the set to move the computer to, then click OK.

 

It may take a few minutes to move multiple computers to a different set.

Additional features

Show/hide extra columns

By default, only several of the available columns are displayed. The Show/Hide Extra Columns command enables you to display or hide additional, non-default columns.

Scan application files

EPM Application Control provides the Application Catalog, which displays information about applications installed on the end user computers managed by the EPM server. Use the Application Catalog to quickly discover new applications in the system, regardless of whether they have generated events or are monitored by any policy.

Use the Scan Application Files command, from the Computer menu, to select and scan a single computer.

 

The scan is not performed on computers that are currently being scanned, have been scanned in the last 24 hours, or are currently disconnected.

Enable process monitoring

Gather support information from agents using the Get Support Info option in the Notifications Area on the endpoint, and run the Process Monitor tool to recreate an issue on the endpoint.

  1. To enable process monitoring, right-click the end user computer and select Enable Support Mode. This elevates the Process Monitor tool and stops agent self-defense, enabling EPM to collect the relevant information.

  2. Select the time zone for the endpoint computer and enter the number of hours that support mode is enabled. It must be enabled for at least 1 hour and no more than 24 hours.

View computer details and update parameters

Click the end user computer name to display details.

Details

Description

Computer details

Computer details sent from the agent, including system information, local users and groups, network connections, and installed programs.

Policies

Policies that are active on the specific computer. Click a policy to display its details.

Agent configuration parameters

You can configure the parameters that apply to the specific computer. These changes are not overridden by changes made for all agents. For details, see Agent configuration settings.