topic Re: Prevent new servers from onboarding in Open Q&A

Prevent new servers from onboarding

John_McLaughlin — Wed, 22 Nov 2023 19:18:03 GMT

Is there any way to prevent users installing the OneAgent to an instance? When migrating from on-prem to SaaS, I'd like to be able to prevent anyone from adding servers to the on-prem environment(s); essentially closing it off.

I know I can remove the Installer Download scope from all of the existing access tokens which would prevent downloads, but what about for installs where the binary is already downloaded?

Re: Prevent new servers from onboarding

Romanenkov_Al3x — Mon, 27 Nov 2023 07:31:32 GMT

Hello.

Perhaps this can help. Changing the environment token in a few days + prohibiting/controlling the generation of new PAAS tokens. (This procedure needs to be performed carefully, as if you trigger the start and end within a short interval, you may lose some ActiveGates\OneAgents that haven't had a chance to update their token (for example due inactive/offline state or due network connectivity issues))

In this case already downloaded scripts will contain expired env. token. And after installation from old installation script agens will be rejected.

Regards,

Alex Romanenkov

Re: Prevent new servers from onboarding

John_McLaughlin — Mon, 27 Nov 2023 14:20:10 GMT

Thanks for the info. Seems kind of daunting to have to perform this on 4000+ hosts however.

Re: Prevent new servers from onboarding

gbaudart — Mon, 27 Nov 2023 16:06:24 GMT

Hi @John_McLaughlin ,

We have set up a check for the hosts on which the agent must be installed (and which allows us to deactivate those which must not be installed)

First, we implemented an “auto-tagging” rule in order to identify all the hosts that are supposed to be within our monitoring perimeter. (with values like "yes" or "no")
Depending on the size of the perimeter, this can be a little tedious, but once it's in place, you have peace of mind 🙂

And then, via a python script that makes API calls, we check all the hosts that do not have this tag, and we deactivate them by API.
This script can be called according to the frequency you want with a scheduler, or a pipeline, for example.

We even added an event on disabled hosts to track the action, and we send the list of disabled servers in a Teams communication channel to inform the teams.

Subsequently, we created a 3rd possible value, "temporary", for the servers where we were studying the interest of putting an agent there.

I remain available if you are interested in knowing a little more.
Good luck

Re: Prevent new servers from onboarding

John_McLaughlin — Fri, 26 Jan 2024 15:39:05 GMT

I'm not sure how this would work for my use case. I'd want to disable any future installs by any means, as I migrate to the SaaS platform. I'm not sure how I would set up a tagging rule to *only* tag servers that are currently on my managed environment; and to not have it also apply to any other systems that get added since the would presumably have all of the same requirements as those other machines.