Endpoint List Group

The Endpoint List ribbon group allows the creation, editing and management of endpoints and tags, the ability to execute or cancel a search and the ability to reapply a policy to an endpoint or tag.

In this article

Tag Button

A tag is a logical grouping used to organize endpoints for reporting, policy management, Roles Based Access Control, and other operations within the Console. Tags and endpoints can be automatically created based on Active Directory or LDAP information or from an IP address range. An endpoint can exist in any number of tags.

The Tag button allows you to create new top level or nested tags, edit, update or remove existing tags, and move a nested tag to the root of the Endpoint List.

You can assign one endpoint per tag or conveniently group multiple endpoints under a single tag. Grouping multiple endpoints under a single tag can be useful when you want to perform the same operations on multiple endpoints because you'll only have to perform it one time on the tag instead of individually for each endpoint. For example, if you have 10 endpoints in your finance department and want to apply the same policy to all 10 endpoints, creating a Finance tag will allow you to apply the policy to a single location - the tag - rather than to all 10 individual endpoints.

A listing of operations that can be performed on a tag that will in turn perform those operations on all of the endpoints in that tag include:

Create Tag

The Create Tag dialog allows you to create new tags to organize your endpoints. Each tag has a type that controls the method for how endpoints are added to and removed from the tag. Endpoints can be manually added to simple tags, automatically and dynamically populated with endpoints from an IP Range or an Active Directory/LDAP query, or be added to or restricted from Filter tags by defining specific criteria.

Endpoints are manually added to a Simple tag via drag and drop, the right-click menu or via the Endpoint ribbon button. Simple tags are grouped under the Simple tags panel.

Endpoints are automatically added to an IP Range tag using the IP addresses reported by the endpoints to the Console. As new endpoints report to the Console with an IP address in the specified range, they will be automatically added to the tag. The query for the IP Range can be specified in an IP range format (e.g., 192.168.100.0-192.168.250.250) or a CIDR notation format (e.g. 10.0.0.0/8). IP range tags cannot contain nested tags.

An endpoint must report at least one IP address to be included in an IP Range tag. Typically, unmanaged endpoints (e.g., those that have been searched remotely) will not report an IP address. IP range tags are grouped under the Dynamic Tags panel.

Endpoints are automatically added to an Active Directory or LDAP tag based on the results of the specified query. As systems are added or removed from the directory, the tag will be automatically updated to add or remove endpoints. The query for the Active Directory or LDAP tag can be any valid LDAP query. Any LDAP object returned where "objectClass=computer" will be automatically added to the tag. Active Directory / LDAP tags are grouped under the Dynamic Tags panel.

When an endpoint is in an AD tag and that system is removed from the AD or it is in an IP Address tag and its IP address is changed to no longer match the tag specifications, it will be automatically removed from the tag. The endpoint will continue to exist in the All Endpoints tag.

Endpoints are added to Filter tags based upon the type of filter or filters selected and the results of the specified criteria. A single Filter tag can contain multiple filters. Filter tags are grouped under the Filter Tags panel. For example, filter tags can be used to group endpoints by platform, by last poll time, or by result information.

To create a Filter Tag which will display only those endpoints running on a Windows platform and that have not polled within the past 30 days, follow the steps below.

  1. Select Create Tag, enter a name, select Filter as the tag type and then click on the ‘…’ button to the right of the Filter selection to open the Filter dialog.
  2. Select Endpoint Platform from the column name drop down list, Equals from the operation drop down list and enter ‘WIN’ in the value field.
  3. Next, add a second column filter to limit the results to those endpoints that have not been polled within the past 30 days. Click the gray split button on the right and a new column filter will appear.
  4. For the second filter, select Last Poll Time from the column name drop down list, select Older Than X Days from the operation drop down list and enter 30 in the value field.
  5. Above the column filters will be an operator which can be set to either ‘And’ or ‘Or. Make sure the operator is set to ‘And’. If you choose ‘Or’, your results would show you all endpoints running Win as well as all endpoints that have not been polled within the past 30 days.
  6. Click Apply when you have finished.
  7. Click OK to save the tag. Your newly created tag will be listed in the Filter Tags panel.

The following types of filters are available:

Note: If you have a filter tag which is defined as "Client Platform Equals Win+anything" or "Client Platform Equals Mac+anything" (e.g. "Client Platform Equals Win32" or Client Platform Equals MacIntel") in version 8 of the Console, when you upgrade to Console version 9, the filter will change to ““Client Platform Equals Win" or "Client Platform Equals Mac". This is because the Console does not display an endpoint platform with a value appended to "Win" or "Mac" (e.g. "Win32", or "MacIntel"), it displays only "Win" or "Mac". So a filter defined with any value appended to "Win" or "Mac" such as "Win32" or "MacIntel" would not return anything. The same logic applies to other "Endpoint Platform" filter operators (Does Not Equal, Contains, Does Not Contain, Begins With, Does Not Begin With, Ends With, Does Not End With.)

For example: If you have an existing filter tag which says “Endpoint Platform Begins With Win64”, after you upgrade from Console version 8 to version 9, the filter will change to “Endpoint Platform Begins With Win".

Restricted endpoints and tags.

If a user does not have permission to a tag or tags, then that is considered a restriction. Spirion Console uses Roles Based Access Control (RBAC) to authorize users to various Console functions. The permissions to perform certain operations or view certain tags and endpoints are assigned to a role. Users are assigned roles and through those role assignments the users acquire permissions for their Console activities.

If a user is restricted from certain endpoints and that user then creates an IP tag for a range of IP’s, then the restricted endpoint will not be included in the search results, even if it falls within the IP range.

The same is true for Filter tags. If a user creates a filter tag by Endpoint name, and the restricted endpoint matches the filter for that tag, then search results for the restricted endpoint will not be included.

Edit Tag

The Edit Tag dialog allows you to change the name of the tag as well as its type. If the type of a tag is changed, all of the endpoints assigned to that tag will be removed from the tag and all nested tags will be deleted.

Update Now

The Update Now option applies only to Dynamic and Filter tags. Because endpoints in Dynamic and Filter tags are automatically included or excluded based on the specified criteria, selecting Update Now ensures that you see the current list of endpoints tied to the tag. By default, the list of endpoints is updated hourly by the "Synchronize Tags" Service Task.

Below is a list of other ways that Filter and Dynamic tags get updated:

Remove Tag

The Remove Tag option provides a way to permanently remove a tag and cannot be undone. When selected, a confirmation dialog prompts you to ensure that you would like to delete the selected tag and all of its nested tags.

Create Nested Tag

The Create Nested Tag dialog allows you to create a new tag under the selected tag. The options are exactly the same as for a new tag. Tags can also be created at any level and moved later via drag and drop.

A nested tag is a grouping of tags and provides a way to further organize Endpoints. Your environment may have hundreds or thousands of endpoints and you may want to group all of these endpoints under one main tag and then further divide the endpoints under nested tags.

For example, you could create a tag called West Region and under that tag you could create two additional tags, which would be the nested tags. One called Finance Department containing all of the endpoints in the Finance department and one called HR Department containing all of the endpoints in the HR Department. This way you can see results for the entire West Region and individually for each department.

Move Tag to Root

The Move Tag to Root confirmation dialog prompts you to ensure that you would like to move the selected tag to the top level of the Endpoint List. Tags can be moved at any time via drag and drop.

 

Endpoint Button

An endpoint is any system or other logical location that can be searched. The most common endpoints are Windows and Mac computers with the Spirion endpoint software installed. Additionally, any remote machine, website, or storage device that is searched will also appear as an endpoint. Finally, with an Active Directory, LDAP or IP Range tag, any object returned where "objectClass=computer" will appear as an endpoint regardless of whether or not it has been searched. An endpoint can exist in any number of tags.

The Endpoint button allows you to edit or remove endpoints, add and remove endpoints from tags, move endpoints from one tag to another, merge multiple endpoints into a single endpoint, and create a Purge Logs or Purge Results service task.

The Console Administrator Tool (CAT) can be used for assigning Endpoints to an existing tag via the importation of a CSV file containing Endpoints, MAC addresses or IP addresses. Please see the CAT documentation for further details.

Edit Endpoint

The Edit Endpoint dialog allows you to edit the name of the endpoint as well as the list of associated IP addresses and MAC addresses. IP and MAC address information is reported to the Console during the initial registration process for an endpoint. If the endpoint was searched remotely, these values will likely be blank.

An endpoint's name is stored for display purposes in the Console UI as well as for internal usage. If it is necessary to change the endpoint's name, in most cases, you will only want to modify the display name by leaving the Rename Only the Display Name checkbox checked. The display name is used in the Endpoint List and for filtering, reporting, and everywhere that an endpoint name appears in the UI. The host name changes the identity of the endpoint and is used during the data import process. If both names are changed (the checkbox is cleared) and the Automatically update endpoint names setting is enabled, the display name will revert to the host name and overwrite your change. The host name can be viewed on the Status tab as part of the endpoint Details.

You might use an endpoint name to refer to a computer located in a specific location and as such that particular computer may be replaced or moved to a different network at some point. When it is, the IP address and/or the MAC address can change along with it. In this case you may want to keep the endpoint name the same but you would then need to update the IP and/or the MAC address that the Console associates with it.

Optionally enter an Endpoint Owner E-mail Address that can be used when sending Workflow notifications.

You may optionally specify Endpoint Owners which can be used when assigning results manually or via Workflows. Rather than manually entering the Endpoint Owners and E-mail addresses, you can import them via the CAT. For detailed information, please refer to Import CSV for Emails and Owners in the CAT. When a user synced from AD has been disabled, it will be displayed here in a gray italic font.

To add an IP address or MAC address to the endpoint, enter the address in the IP Addresses field or MAC Addresses field, respectively, and click on the green circular button with the plus in the middle. The new address will then appear in the list of addresses. Click OK when you are finished with all changes.

While IP and MAC addresses are automatically updated during GUID registration and when the endpoint sends search results to the Console, you may wish to manually add them so that offline endpoints appear in reports.

To remove an IP address or MAC address, highlight the desired address(es), click Remove Selected and click OK.

If there is an IP or MAC address that is no longer associated with an endpoint, perhaps because the network card has been remvoed or the IP has changed, you may manually remove it.

If you remove a valid IP or MAC address from the list of addresses, it will reappear in the list the next time the Endpoint sends search results to the Console.

To set an IP address or MAC address as the default address , highlight the desired address and click Make Default and click OK. The default address will appear in bold.

An endpoint can have multiple IP and MAC addresses as a result of having been merged or if the endpoint has multiple network adapters. When using DHCP, a new IP address will automatically be added to the endpoint. All of the IP addresses will be listed when editing the Endpoint, but only one can be the default.

The IP address marked as default will be used in Reporting when the Endpoints->IP Address column is used. The MAC address marked as default will be used in Reporting when the Endpoints->MAC Address column is used.

Remove Endpoints

Remove Endpoints allows you to permanently delete an endpoint from the Console

The Remove Endpoints confirmation dialog prompts you to ensure that you would like to remove the selected endpoint(s). You can select multiple endpoints by holding the CTRL key while clicking on endpoints. If the endpoint(s) currently have information associated with them, such as search results, the prompt will display, "The selected endpoint(s) contains data. Remove anyway?" to alert you to this fact.

Rather than removing that data at the time of the request, the Console schedules the removal for a later time. The removal will be created as a Service Task of type "Remove Endpoints" and will be automatically removed after successfully executing.

When an endpoint is in an AD tag and that system is removed from the AD or it is in an IP Address tag and its IP address is changed to no longer match the tag specifications, it will be automatically removed from the tag. The endpoint will continue to exist in the All Endpoints tag.

Once the Remove Endpoints service task has successfully executed, it will be necessary to manually refresh the endpoint list to reflect any changes since the last logon or refresh.

Unregister Endpoints

Unregister Endpoints allows you to remove all registration information for an endpoint.

When you unregister an endpoint, certain information (Endpoint Version, Platform, Platform Type, Policies State, Last Poll and Guid) for that endpoint will be removed from the Endpoint Status Detail tab and the endpoint icon will change to blank. The endpoint and any existing results for that endpoint will not be removed from the Console. The next time that the endpoint polls the Console, the endpoint will re-register and a new endpoint may be created depending upon the Automatically merge endpoints based on setting. You can select multiple endpoints by holding the CTRL key while clicking on endpoints. Note: Users must have the Edit or Remove Endpoint General Permission in order to unregister an endpoint.

Add to Tag

Add to Tag allows you to add the selected endpoint(s) to any existing tag.

The Select Tags dialog displays all of the tags and nested tags available in which the endpoint(s) can be placed. An endpoint can exist in any number of tags and this operation will not remove the endpoint from any existing tags. If the endpoint already exists in the destination tag, this operation will have no effect. You can select multiple endpoints by holding the CTRL key while clicking on endpoints.

Move to Tag

Move to Tag allows you to move endpoint(s) from one Simple tag to another.

You can move selected endpoint(s) from any existing Simple tag to one or more existing Simple tag(s). (IP, AD and Filter tag endpoints cannot be moved this way as they are all dynamic.) Once moved, the endpoint will no longer exist on the tag from which it was just moved. If the endpoint already exists on the destination tag, this operation will have no effect.

To move an endpoint, click the arrow to the left of a tag or double-click on a tag to show the endpoints associated with that tag. Select the endpoint to move by clicking on it. You can select multiple endpoints by holding the CTRL key while clicking on endpoints. Click on the Endpoint button and select Move to Tag.

The Select Tags dialog displays all of the tags and nested tags available to which the endpoint(s) can be moved. An endpoint can exist in any number of tags. Once you have made your selection click Move to complete the operation or Cancel to cancel the operation.

Remove from Tag

The Remove from Tag confirmation dialog prompts you to ensure that you would like to remove the specified number of endpoints from the specified tag(s). You can select multiple endpoints by holding the CTRL key while clicking on endpoints. The count is provided in the confirmation in the form, "Remove 3 endpoint(s) from the tag(s)?"

Merge Endpoints

The Merge Endpoints operation allows you to move all of the data from one or more endpoints to a selected endpoint and deletes all of the endpoints other than the selected endpoint. You can select multiple endpoints by holding the CTRL key while clicking on endpoints. The dialog reads, "Select the endpoint all other endpoints will merge into. Other endpoints will be removed."

Endpoints can also be merged automatically. The Endpoints Merging Service Task will merge endpoints based on the criteria set in the "Automatically merge endpoints based on" section of the Application Settings page. See Application Settings and Service Tasks for information on automatic merging of endpoints.

Endpoints are generally merged to consolidate results from a single endpoint that have been reported as multiple endpoints. For example, If the Spirion endpoint software is installed on SYSTEM1 and then that system is later re-imaged with the same name - when it attempts to register as SYSTEM1, the Console may note that there is already a SYSTEM1 and assign this endpoint the name SYSTEM1_<GUID> (where GUID is a unique number assigned to each endpoint). If this happens, it would be desirable to merge the original results into the SYSTEM1_<GUID> endpoint (the selected endpoint and the one that now exists) which will delete SYSTEM1 and then you can rename SYSTEM1_<GUID> to SYSTEM1.

In the dialog, it is important that the endpoint that is currently reporting results is specified as the Selected endpoint (and not to choose the endpoint whose Name you want to use).

Note: It is possible to prevent the scenario described above from occurring by configuring the Console to Automatically merge endpoints based on hostname.

Purge Logs

The Purge Logs operation allows you to create a Service Task which will delete log data from the selected tag(s) or endpoint(s). When the task executes, the specified log(s) will be purged.

For more detailed information, please refer to the Purge Logs article. For information about Service Jobs, please refer to the Service Tasks article.

To create a Purge Logs Service Task, click on the Purge Logs selection.

The Purge Logs confirmation dialog confirms that the task was created successfully.

Endpoint logging provides detailed information and it is recommended that logs only be sent to the Console during testing, troubleshooting or initial configuration. By default, endpoints do not send log information to the Console and to do so, this option must first be enabled in a policy. Because the logs are available on the endpoints themselves, it is generally not necessary to have the information in the Console database. Endpoint logs can produce a lot of entries, especially if logging for Locations Searched is enabled, and the database can fill very quickly and degrade performance. For this reason, when collecting logs on the Console, you may want to periodically delete the logs.

Purge Results

The Purge Results operation allows you to create a Purge Results Service Task which will purge results data from the selected tag(s) or endpoint(s). When the task executes, the specified results will be purged.

To create a Purge Results Service Task, click on the Purge Results selection.

The Purge Results confirmation dialog confirms that the task was created successfully.

The Purge Results Service Task is responsible for deleting results data. It may be desirable to clear out search results on a periodic basis if that data is not needed for reports or analysis.

You can also schedule a Purge Results service task to delete data that matches specific criteria. For detailed information about Purge Results, please refer to the Purge Results article.

For information about Service Tasks, please refer to the Service Tasks article.

 

Search Button

There are two methods to initiate a search on a managed endpoint. You can create a scheduled task within a policy or you can directly initiate a search on a tag, endpoint, or multiple endpoints via the Search button (or right-click menu).

Initiate Search

When initiating a search via the Search button, the Console will automatically create a policy with a task scheduled to execute immediately after the endpoint applies the policy. The endpoint will not start the search until it successfully downloads and applies the policy.

After selecting Initiate Search, the Search Now dialog is displayed.

Within this dialog, you can specify the following information:

The status of the task can be viewed on the Status tab.

Cancel Search

Cancel Search will not stop a search that is currently running. Cancel Search will remove any pending searches created by using the Initiate Search option. If the endpoint has already downloaded a policy that included the request to perform a search, you cannot cancel the search from the Console. Canceling a search that was initiated on a policy will also cancel a search that was initiated on an endpoint. Likewise, canceling a search that was initiated on an endpoint will also cancel a search that was initiated on a policy.

Policy Button

The Policy button allows you to apply or reapply a policy to an endpoint.

Reapply Policy

An endpoint will apply a policy only when there are changes to the policies to which the endpoint is associated. If the policy is deleted or modified on the endpoint system itself, the Console server will not be aware of the local modification and therefore will not send a policy update to the endpoint. The Reapply Policy operation will force the Console to update the policy for the endpoint. The endpoint will then download this policy at its next polling interval.

Add To Policy

The Add To Policy operation allows you to add the selected tag or endpoint to an existing policy. When you click on Add To Policy the Select Policy dialog opens and you can choose from one of the existing policies. If you add a tag to a policy then all endpoints in that tag will be added to the policy.