Network Discovery
SECURITY Refer to Sites > Sites in Permissions.
NAVIGATION Sites > All Sites > click the name of a site > Network Discovery (left navigation menu)
About
When configuring Network Discovery in a site, you can set up a Network Node, define network scanning ranges, provide credentials, and automatically or manually onboard discovered devices. The Network Node device that you select to perform the network scanning must have a Managed Agent installed, and it is recommended that this is a device that has a high uptime, for example, a server.
- Only desktops, servers, and laptops with up-to-date audit information may be nominated as Network Nodes.
- The following Operating Systems are supported: Windows, macOS, Linux. For more information on the supported versions of these operating systems, refer to Supported operating systems and Agent requirements.
NOTE Linux Network Nodes are not able to perform network scans. Manual network device enrollment must be used when using exclusively Linux Network Nodes. Refer to Enroll an SNMP-enabled device.
- For information about Network Node requirements for ESXi monitoring, refer to Managing and monitoring ESXi devices.
Type of Network Scan | Requirement |
---|---|
A Network Node scans its own subnet | NOTE Devices without a MAC address can be manually onboarded but not automatically onboarded. Refer to Onboard Devices and Automatically Onboard within Site Settings. |
A Network Node scans a user-specified additional subnet | NOTE Devices without a MAC address can be manually onboarded but not automatically onboarded. Refer to Onboard Devices and Automatically Onboard within Site Settings. |
Devices that you want to onboard via Network Discovery must meet the requirements listed below.
Windows requirements
This method of deployment has prerequisites that weaken the overall security of the environment. It should only be used if Active Directory deployment is not an option.
IMPORTANT In the past, PsExec has been utilized by some viruses to remotely run malicious code. PsExec itself is not a virus, nor does it run malicious code on its own. Adding a registry key to enable access to the ADMIN$ share, making exceptions to any antivirus product, and opening ports is by definition going to weaken the overall security of the environment. By using this method of deployment, you acknowledge that you are aware of this.
NOTE After you have deployed the Agent, reverse all changes you made to allow Agent deployment.
Requirement | Description |
---|---|
Enable remote access to the Admin$ share | Starting with Windows Vista, UAC has by default required elevated privileges to access the administrative shares. Details on this can be found here: Microsoft Support Article (951016). You can enable this share either by accessing the Microsoft support article above and following the instructions, or you can copy the following into an Administrative Command Prompt window: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f |
File and printer sharing | File and printer sharing must be enabled on the devices you wish to deploy to. Ports 445 and 139 inbound must be open. |
Password | You cannot authenticate as a user with a blank password. The user account with the correct permissions to enable an install must have a password to work using PsExec. |
Antivirus | Antivirus programs can stop PsExec from running, so this process assumes that all antivirus programs are configured to allow the use of PsExec. |
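One way to audit and reverse the registry and firewall changes from the table above once the Agent is deployed. This is an added example, not part of Datto RMM or its documentation; the function name Test-DeploymentPrerequisites is hypothetical, and the code assumes an English-locale firewall group name and that neither setting was in use before deployment.

```powershell
# Added example (hypothetical helper, not part of Datto RMM).
# Run from an elevated PowerShell session on the device after the Agent is installed.
function Test-DeploymentPrerequisites {
    [CmdletBinding()]
    param(
        # Report only by default; pass -Revert to undo the changes.
        [switch]$Revert
    )

    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $valueName = 'LocalAccountTokenFilterPolicy'

    # 1. The registry value from the table: 1 disables UAC remote token filtering.
    $value = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $filterDisabled = ($value -eq 1)

    # 2. Enabled inbound allow rules in the built-in group that cover port 445 or 139.
    #    Assumption: English display group name; localized systems use a different name.
    $smbRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Where-Object {
            $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            $ports -contains '445' -or $ports -contains '139'
        })

    if ($Revert) {
        # Assumption: the value and rules were enabled only for Agent deployment.
        # Do not revert on a device that shares files or printers by design.
        if ($filterDisabled) { Remove-ItemProperty -Path $policyKey -Name $valueName }
        if ($smbRules.Count -gt 0) { $smbRules | Disable-NetFirewallRule }
    }

    # Summary of what was found, suitable for collecting across devices.
    [pscustomobject]@{
        Computer                      = $env:COMPUTERNAME
        LocalAccountTokenFilterPolicy = if ($null -eq $value) { 'not set' } else { $value }
        OpenSmbRules                  = $smbRules.DisplayName -join '; '
        Reverted                      = $Revert.IsPresent -and ($filterDisabled -or $smbRules.Count -gt 0)
    }
}

Test-DeploymentPrerequisites            # audit only
# Test-DeploymentPrerequisites -Revert  # undo, then re-run the audit to confirm
```

Antivirus exceptions made for PsExec are product-specific and are not covered here; remove them in the antivirus product's own console.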
macOS requirements
NOTE After you have deployed the Agent, reverse all changes you made to allow Agent deployment.
Requirement | Description |
---|---|
Remote Login | Needs to be ON. Navigate to Apple menu > System Preferences > Sharing and set Remote Login to ON. You can also use the Terminal or SSH and run the following command as root: systemsetup -setremotelogin on. If root is not enabled, make sure you run the command in the following format: sudo systemsetup -setremotelogin on. |
Firewall | Needs to be OFF. If Firewall is ON, then Remote Login needs to be allowed to connect. Navigate to Apple menu > System Preferences > Security or Security & Privacy > Firewall > set Firewall to OFF. If it is set to ON, then configure the Firewall Options to allow incoming connections. |
Network Discovery
In order for devices to be discovered on your network, an online device within your site must be nominated as a Network Node with scanning enabled. This device can be a Windows, macOS, or Linux device. Click Add Device. For more information about how to add a device, refer to Adding a device.
Once one or more devices are added, Datto RMM will check for the first Agent to come online. If assigned Network Nodes with scanning enabled are offline, you will see the following list of those devices:
IMPORTANT It is strongly recommended that a device acting as a DHCP server NOT be nominated as Network Node with scanning, as network topology mapping requires UDP port 67 to be free for the identification of network devices using DHCP fingerprinting.
IMPORTANT If present, VOIP (for example, IP Phone) traffic should be VLAN-segregated from normal data traffic on the network as per industry practices. Doing so will limit any impact on call quality during network scanning routines.
NOTE Devices must support the industry-standards RFC 1493 and RFC 4363 in order for the network topology map to be created.
NOTE Datto Access Points do not support SNMP; therefore, mapping of these devices in the network topology is not supported.
NOTE If a Network Node is awaiting device approval due to an Agent encryption key change request, any associated network devices will appear offline until the Network Node is approved. For more information, refer to Agent Encryption Key Changed.
To initiate a network discovery, perform the following steps:
- Set up Network Nodes: Select the devices you wish to nominate as Network Nodes from the drop-down menu. The devices must be online. Click Next to continue.
- Additional Subnets: Click Add to enter subnets to scan in addition to the ones containing the designated Network Nodes. This step is optional. Enter the Start IP Address, End IP Address, and Description for each subnet and click Save. Subnet ranges must not overlap with any existing defined subnet ranges. To remove a subnet, click the delete icon next to the subnet you wish to remove. Click Next to continue or Go Back to return to the previous step.
- Credentials: Select an existing credential or create one by clicking Create Credential. Refer to Credentials. Click Next to continue or Go Back to return to the previous step.
- Onboard: Select which device types to automatically onboard to Datto RMM as devices are discovered. Devices will appear within Datto RMM in the same way as other Managed devices, and any global or site Monitoring policies will be applied to the onboarded devices.
Devices can also be onboarded at a later date by configuring automatic onboarding after network discovery, or manually. For more information, refer to Automatically Onboard within Site Settings and Onboard Devices.
NOTE For additional information about nominating a device as a Network Node, refer to the Network Node field in the Summary card.
NOTE Network ranges can be modified later when editing a site. Refer to Creating or editing a site.
IMPORTANT For best results, it is strongly recommended that credentials are configured.
NOTE All options require credentials to be configured before onboarding. Refer to Credentials.
NOTE Devices without a MAC address can be manually onboarded but not automatically onboarded.
NOTE ESXi hypervisors are no longer included in automatic onboarding to prevent unintended lockouts of ESXi accounts when credentials are regularly tested from one or more Network Nodes on a site during Network Discovery scans.
Click Next to continue or Go Back to return to the previous step.
- Review: Review the network discovery details and then click Initiate Discovery.
Once initiated, scanning will begin. It may take some time for the scan to complete depending on how large your network is.
The network topology map will be available once the network discovery has been completed. You will need to refresh the page to view the results. Refer to Network Discovery topology map.
NOTE The network topology map in Datto RMM is solely a visual representation of the devices that the Network Node has discovered, and it is not to be taken as a network mapping tool. Datto RMM aims at displaying the layout of the devices within the network, but, depending on the information, this may not always be possible.
Select the topology icon at the top of the Network Discovery page.
There are various actions you can perform:
Field/Icon | Description |
---|---|
Search | Enter a hostname, IP address, MAC address, manufacturer, or NIC vendor to search for a device. The search results will be narrowed as you type and non-matching devices will appear dim within the map. If an exact match exists within a group node, that node will be automatically expanded in the map; for partial matches, the group node will be highlighted. Refer to Group nodes. |
Filter | Click the filter icon to view the filtering options. Select to filter on device type, online/offline status, Managed/Unmanaged status, and whether or not devices have open alerts. |
Label | Select how to label devices in the map. |
Device Legend | Click to view the device legend. For more information, refer to Device legend details. Clicking a second time or clicking X will close the legend. The legend can also be clicked and dragged around the map. |
Topology Orientation | By default, the map is displayed in landscape mode (left to right). Click to toggle back and forth between landscape mode and portrait mode (top to bottom), depending on how you prefer to view your discovered devices. Upon switching the orientation, the default size of the map is adjusted to fit on the screen. |
Zoom Out/Zoom In | Zoom out or in on the map. Zoom limits are imposed in order to prevent you from losing sight of the map completely. |
Expand/Collapse All Nodes | Expand or collapse all group nodes in the map. Refer to Group nodes. |
Fit to Screen | Click to show the entire map within the page. |
Save Topology as Image | Click to save a screenshot of the map as currently displayed within the page. |
Zoom Toggle | Toggle to enable zooming in or out of the map using the mouse wheel instead of the zoom in/out buttons. |
Within the map, various icons represent different types of devices.
NOTE If devices with the same MAC address but different IP addresses are detected, only one device will appear on the Network Discovery page based on the device's MAC address.
Group nodes
In addition, devices in the network topology can be grouped by similar type, network association, and management status into group nodes. A blue badge will indicate the number of devices contained within the group node.
NOTE If scanning is turned off on the designated Network Node, the network topology map and devices will disappear after one week.
Device legend details
Visual indicators for devices within the topology map are as follows:
Indicator | Description |
---|---|
Dashed circle | Indicates an Unmanaged device. |
Solid circle | Indicates a Managed device. |
Dashed rectangle | Indicates all the devices contained within a group (appears when hovering over the group of devices). Refer to Group nodes. |
Solid line | Indicates the route from one device to another. |
Green circle | Indicates the device is currently online. |
Blue circle | Indicates the currently selected device. |
Red exclamation mark | Indicates whether the device has one or more open alerts. It will also appear at the group node level if the device is contained within a group node. |
Blue group node badge | Indicates a group node and the number of devices contained within. Click the plus icon to expand the group or the minus icon to collapse the group. |
Hovering over a device in the map will display additional details about the device.
Clicking a device in the map will open a pane to the right for viewing the device details.
The details displayed within the pane depend on the type of device. If the device is online, you can access it remotely via a Web Remote or Agent Browser session by clicking the respective action buttons at the top of the pane. Refer to Action buttons for more information. Clicking a hyperlinked device name will open the device summary page for that device. Refer to Device summary. If the device has open alerts, clicking a hyperlinked alert name will open the Single Alert View page for that alert. Refer to Single Alert View.
For discovered devices that have not yet been onboarded to Datto RMM, clicking a device in the map will open a pane to the right for viewing the details of the Unmanaged device. From here, you may onboard the device by clicking the Onboard button. Refer to Onboard Devices.
Select the list icon at the top of the Network Discovery page.
The Column Chooser icon allows you to select which columns should be visible in the list. Refer to Column Chooser field definitions for descriptions of all of the available fields.
NOTE If devices with the same MAC address but different IP addresses are detected, only one device will appear on the Network Discovery page based on the device's MAC address.
There are various actions you can perform:
Action Button | Description |
---|---|
Onboard Devices | To learn which requirements devices must meet to be onboarded, refer to Requirements to onboard a device. Select one or more devices in the list to onboard to Datto RMM. Datto RMM will then attempt to install the appropriate Agent on the devices (Windows or macOS) or to enroll the network devices (SNMP/ESXi). If there are no Network Nodes in the network, the button will be disabled. Enter the following information: Deploy from: The Network Node from which the Network Discovery was initiated is selected by default. A different Network Node can be selected if there are multiple available in the network. Type: Required field that cannot be left as Unknown. Choose from one of the following device types: • Desktop • Laptop • Server • ESXi Host • Network Device (Other) • Network Device (Router) • Network Device (Switch) • Network Device (UPS) • Network Device (Firewall) • Network Device (IP Phone) • Network Device (NAS) • Network Device (Network Appliance) • Network Device (SAN) • Printer NOTE Datto network device types (Datto Access Point, Datto Managed Power, Datto Switch, and Datto Continuity) are not supported. OS: Required field. Once a device type is selected, choose macOS or Windows. Applies to desktop, laptop, or server device types only. Click Onboard and then OK to confirm. |
Export Selected Rows to CSV | In the confirmation dialog box, select whether to show table headers in the file by toggling the Show table headers in the exported CSV button. Click Confirm to download the file. Any column selections, filters, and sorting that have been applied to the table will also be applied in the CSV file. A maximum number of 500 rows can be exported to a single CSV file. The Export all (max. 500) rows to CSV action is available without selecting any row in the table. |
Export All (Max. 500) Rows to CSV | |
Uncheck All | Clears all selected rows. The number of selected rows is indicated next to the Row Actions icon. |
The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.
Under heavy load, a Network Node may drop offline and become unable to manage and monitor network devices. Unfortunately, no one-size-fits-all solution solves this problem because many variables must be considered in each situation.
Therefore, our recommendation is to nominate a device as a Network Node, and then set up both a CPU and a Memory monitor against it. Refer to Memory monitor in Creating a monitor.
You can then proceed to add devices and monitors to the Network Node. Keep an eye on the CPU and Memory monitor metrics until the Network Node's resource utilization begins to breach limits. This can then be treated as a benchmark, and you can provision more Network Nodes in the same manner as necessary.
New device notification
Datto RMM checks for newly added devices at 00:30 UTC, 08:30 UTC, and 16:30 UTC. If newly added devices are found during these checks, an email notification will be sent to the email addresses configured at the global and site levels. Refer to Email Recipients in Global Settings and Email Recipients in Creating or editing a site.