Management Rules

Create management rules to automatically move computers in your estate to an archived status. Archived computers can be deleted or moved to the active pool of computers; this can also be managed manually or automatically using rules.

Workflow

  • A computer shows as either connected or disconnected based on Computer Settings.
  • When disconnected for a period of time, the computer status changes to archived the next time the management rule triggers.
  • If the computer reconnects to EPM, the computer status changes to a connected state.
  • A computer is no longer displayed in the Computers list after the status changes to Archived.

A computer can go into a disconnected state if:

  • A user goes on short-term leave. The computer shows as disconnected after the number of days configured pass. The user returns before the archive rule is configured. When the user turns on the computer, the status changes to disconnected.
  • A user goes on extended leave and turns their computer off. When the user returns to work and turns the computer on, the status changes to Connected and the policy updates.
  • A computer is permanently decommissioned. Shows as Disconnected after the number of days configured pass. Computer is then archived and then deleted (after the deletion rule triggers).
  • Computer is deactivated before the deactivation option is removed from EPM. The status changes to Disconnected. Computer is archived after the archive rule runs. Then the computer is deleted when the delete rule runs.

Rules Processing

Change the order of management rules in Endpoint Privilege Management.

The order of the rules in the list determines the priority and when the rules run. Select a rule to change the order.

When creating rules, consider the conditions in the rule before setting the order. If the action in one rule is set to Delete, and the action in another rule is set to Archive, be sure to set the archiving rule to run first.

A delete rule only deletes computers when the computers have already been archived (by another rule).

A rule triggers when a computer matches on all of the conditions configured in a rule.

The properties configured in a rule are joined with AND logic. If you want to use OR logic, create two rules. If a computer does not trigger the first rule, it can still trigger the second rule.
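
The ordering and AND/OR behavior described above can be checked with a small model. This is an added example, not EPM code or its API: the property names, rule names and sample fleet are constructed, and it assumes rules run once from top to bottom with a status change made by one rule visible to the rules after it.

```python
# Model of the rule semantics described above. Property names, rule names and
# the sample fleet are constructed; this is not EPM code or its API.
from dataclasses import dataclass

@dataclass
class Computer:
    name: str
    os: str
    days_disconnected: int
    status: str = "Disconnected"  # Disconnected -> Archived -> Deleted

@dataclass
class Rule:
    name: str
    action: str        # "Archive" or "Delete"
    conditions: list   # predicates; a rule triggers only if ALL match (AND)

    def matches(self, c):
        return all(cond(c) for cond in self.conditions)

def run_rules(rules, fleet):
    """Run rules once, top to bottom; return final statuses and an audit log."""
    log = []
    for rule in rules:
        for c in fleet:
            if c.status == "Deleted" or not rule.matches(c):
                continue
            if rule.action == "Archive" and c.status == "Disconnected":
                c.status = "Archived"
                log.append((rule.name, c.name, "archived"))
            elif rule.action == "Delete" and c.status == "Archived":
                c.status = "Deleted"
                log.append((rule.name, c.name, "deleted"))
            elif rule.action == "Delete":
                # A delete rule never acts on a computer that is not archived.
                log.append((rule.name, c.name, "skipped, not archived"))
    return {c.name: c.status for c in fleet}, log

def sample_fleet():
    return [Computer("lab-01", "Windows", 200),
            Computer("mac-07", "macOS", 200),
            Computer("hr-12", "Windows", 30)]

stale = lambda c: c.days_disconnected >= 90
# OR logic ("Windows or macOS") is expressed as two rules, each AND-joined.
archive_win = Rule("archive-windows", "Archive", [stale, lambda c: c.os == "Windows"])
archive_mac = Rule("archive-macos", "Archive", [stale, lambda c: c.os == "macOS"])
delete_old = Rule("delete-180d", "Delete", [lambda c: c.days_disconnected >= 180])

def simulate(order):
    return run_rules(order, sample_fleet())
```

With the archive rules first, both stale computers are archived and then deleted in one run; with the delete rule first, the run ends with them archived and the audit log records the skipped deletions.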

Create a Management Rule

A user must be assigned permissions to create and manage management rules.

There are preconfigured management rules:

  • Archive Rule: Archives computers after they are disconnected for 90 days. You can change and delete this default rule.
  • Deletion Rule: Soft deletes computers after they have been archived for 90 days. The computer still resides in the database. You can change and delete this default rule.
  • System Purge Computer Rule: Deactivates computers after they are deleted for 7 days; purges computers from the database after they are deactivated for 14 days. This rule cannot be deleted. You can adjust the number of days before deactivating computers (default value is 7 days).
  • System Purge Connector Rule: Purges local AD connectors from the database after the connectors are deleted. You can change the number of days since a connector was deleted; other properties of the rule cannot be changed.

To create a management rule:

  1. Click the Management Rules menu, and then click Create Rule.
  2. Add a name and description.
  3. Set the following rule details:
    • Conditions: Add the computer property that must be matched to trigger the rule on a computer. The list of properties available includes all computer properties collected by EPM. A rule triggers when a computer matches on all of the conditions configured in a rule.
    • Actions: Select either Archive or Delete.
    • Frequency: Select how often to run the rule. Select On Demand if you do not want the rule to run at regular intervals. To run a rule using the On Demand frequency, select Run Rule from the menu.
  4. Click Validate Settings. Validating rules ensures there are no conflicts in the conditions set and verifies properties are not used twice in the same rule.