22 Nov 2023 07:18 PM
Is there any way to prevent users installing the OneAgent to an instance? When migrating from on-prem to SaaS, I'd like to be able to prevent anyone from adding servers to the on-prem environment(s); essentially closing it off.
I know I can remove the Installer Download scope from all of the existing access tokens which would prevent downloads, but what about for installs where the binary is already downloaded?
27 Nov 2023 07:25 AM - edited 27 Nov 2023 07:31 AM
Hello.
Perhaps this can help. Changing the environment token in a few days + prohibiting/controlling the generation of new PAAS tokens. (This procedure needs to be performed carefully, as if you trigger the start and end within a short interval, you may lose some ActiveGates\OneAgents that haven't had a chance to update their token (for example due to an inactive/offline state or due to network connectivity issues).)
In this case, already downloaded scripts will contain an expired env. token, and after installation from an old installation script, agents will be rejected.
Regards,
Alex Romanenkov
27 Nov 2023 02:20 PM
Thanks for the info. Seems kind of daunting to have to perform this on 4000+ hosts however.
27 Nov 2023 04:06 PM
Hi @John_McLaughlin ,
We have set up a check for the hosts on which the agent must be installed (and which allows us to deactivate those which must not be installed).
First, we implemented an “auto-tagging” rule in order to identify all the hosts that are supposed to be within our monitoring perimeter (with values like "yes" or "no").
Depending on the size of the perimeter, this can be a little tedious, but once it's in place, you have peace of mind 🙂
And then, via a Python script that makes API calls, we check all the hosts that do not have this tag, and we deactivate them by API.
This script can be called according to the frequency you want with a scheduler, or a pipeline, for example.
We even added an event on disabled hosts to track the action, and we send the list of disabled servers in a Teams communication channel to inform the teams.
Subsequently, we created a 3rd possible value, "temporary", for the servers where we were studying the interest of putting an agent there.
I remain available if you are interested in knowing a little more.
Good luck
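One way to write the tag-check script the post above describes, as an added example that is not the poster's script or Dynatrace's own code. The tag key, the kept values, the Environment API v2 paths and the `builtin:host.monitoring` settings schema are assumptions to verify against your cluster version.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Assumptions, not from the thread: tag key, kept values, API paths, schema ID
# and the shape of the settings value. Check them against your environment.
TAG_KEY = "monitoring_perimeter"        # hypothetical auto-tag key
KEEP_VALUES = {"yes", "temporary"}      # tag values that keep monitoring on
ENTITIES = "/api/v2/entities?"
SETTINGS = "/api/v2/settings/objects"
SCHEMA_ID = "builtin:host.monitoring"

def hosts_to_disable(entities):
    """Return sorted IDs of hosts whose perimeter tag is missing or not kept."""
    out = []
    for e in entities:
        values = {t.get("value") for t in e.get("tags", []) if t.get("key") == TAG_KEY}
        if not values & KEEP_VALUES:
            out.append(e["entityId"])
    return sorted(out)

def disable_payload(host_ids):
    """Build one host-scoped settings object per host that turns monitoring off."""
    return [{"schemaId": SCHEMA_ID, "scope": h, "value": {"enabled": False}} for h in host_ids]

def api_call(base_url, token):
    """Return a call(method, path, body) function bound to one environment."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": "Api-Token " + token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    return call

def enforce(call, dry_run=True):
    """List every host (following nextPageKey) and disable those outside the perimeter."""
    query = urlencode({"entitySelector": 'type("HOST")', "fields": "+tags", "pageSize": 500})
    entities = []
    while query:
        page = call("GET", ENTITIES + query)
        entities += page.get("entities", [])
        key = page.get("nextPageKey")
        query = urlencode({"nextPageKey": key}) if key else None
    targets = hosts_to_disable(entities)
    if targets and not dry_run:
        call("POST", SETTINGS, disable_payload(targets))
    return targets
```

Run `enforce(api_call(base_url, token))` from the scheduler in dry-run mode first and review the returned host IDs before passing `dry_run=False`.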
26 Jan 2024 03:39 PM
I'm not sure how this would work for my use case. I'd want to disable any future installs by any means, as I migrate to the SaaS platform. I'm not sure how I would set up a tagging rule to *only* tag servers that are currently on my managed environment; and to not have it also apply to any other systems that get added since they would presumably have all of the same requirements as those other machines.