Creating an Agent policy - Legacy UI
SECURITY Refer to ACCOUNT > Policies and SITES > Policies in Security Level Details - Permissions
NAVIGATION Legacy UI > Account > Policies
NAVIGATION Legacy UI > Sites > select a site > Policies
Refer to Agent policy in Policies.
What is an Agent policy?
An Agent policy deploys settings to affect the operation and configuration of the Datto RMM Agent. An Agent policy may affect Privacy Mode, Agent installation and service, security, and the Agent Browser mode. For information about the Agent, refer to Datto RMM Agent.
How to...
- Agent policies can be set up in the Web Portal at both the account and the site level. Refer to Create a policy.
- On the Policies page, click New account policy... or New site policy....
- Give the policy a Name.
- Select the type Agent.
-
To copy an already existing policy to use it as a template, choose it from the Based on drop-down list. To create a new policy, select New Policy.
- Click Next.
-
Click Add a target... to target your devices through a specific filter or group.
If you want to target more than one filter or group, add another target to the policy. Multiple targets will apply the "OR" logic, that is, the policy will be run on a device if it is included in any of the targets. For more information about target types, refer to Filters - Legacy UI and Groups - Legacy UI.NOTE Device filters contain all Default Device Filters and Custom Device Filters. Devices of Unknown device type will not be targeted by the policy.
- Click Add.
- Choose one or more of the following options:
Privacy Mode Options
Option | Description |
---|---|
Activate Privacy Mode | Automatically turns on Privacy Mode for all devices targeted by the policy and will require end user permission when connecting to a targeted device. Once Privacy Mode is enabled on a device, the Datto RMM Administrator cannot disable this setting. Privacy Mode can only be disabled by the end user on the device itself. For further information, refer to Privacy Mode. |
Allow connections when no user is logged in | Allows you to connect to a device when no user is logged in but Privacy Mode is enabled on the device. NOTE This setting will apply to all remote connections. |
Only require endpoint permission for restricted tools | Allows you to configure Privacy Mode in a way that end user permission is only required when the following tools are used: VNC, RDP, Splashtop, Screenshot, or Web Remote. |
Service Options
Option | Description |
---|---|
Install Service only | No system tray icon or Start menu shortcuts will be installed. It is only available for Windows devices. When this option is selected, the gui.exe process (Agent Browser) will not start on the targeted devices. For more information, refer to Hide the Datto RMM Agent icon. |
Disable incoming jobs | Prevents the Agent from running jobs. NOTE Even if this option is selected, components enabled as User Tasks can still be installed. Refer to User Tasks. |
Disable incoming support | Prevents remote access to the targeted device from another device. NOTE Remote options for the targeted device will be visible on the device summary page and on device list pages but no remote request will be processed. |
Disable audits | Prevents the Agent from submitting audits to the platform. |
Agent Policy Options
Option | Description |
---|---|
Disable Privacy options | Removes access to Privacy Mode Options from the system tray icon. NOTE You cannot disable Privacy Mode in the Agent using this setting if Privacy Mode has already been activated. Once Privacy Mode is enabled on a device, it can only be disabled by the end user. For further information, refer to Privacy Mode. |
Disable Settings menu | Disables the following features: • Access to the Settings menu from the system tray. Refer to Settings. • The ability to edit the device description from the system tray. Refer to Device description. |
Disable Quit options | Removes the option for the user to exit the Agent. |
Disable Tickets tab | Removes the option for the user to log a ticket through the Agent. |
Show "Take screenshot and request support" menu entry | This option is only available if an integration with a PSA is enabled. When this option is selected, the Take screenshot and request support menu entry is added to the Agent. For more information about Autotask, refer to Autotask Integration. For more information about ConnectWise PSA, refer to ConnectWise PSA Integration. |
Show "Request support" menu entry | This option is only available if an integration with a PSA is enabled. When this option is selected, the Request support menu entry is added to the Agent. For more information about Autotask, refer to Autotask Integration. For more information about ConnectWise PSA, refer to ConnectWise PSA Integration. |
Agent Browser Mode
Option | Description |
---|---|
Disabled | Prevents any access to the Agent Browser window. |
User - No access to Support tab | Allows the user to open the Agent Browser window but prevents them from logging in. For more information, refer to Log in to the Agent Browser. |
Admin - can log in to Support tab | Allows full access to the Agent Browser window. Refer to Agent Browser. NOTE This is the default option. |
-
Click Save and Push Changes.
If you click Save Only, you'll be directed to your list of policies where you can click Push changes... next to the policy in question.
NOTE If you click Save Only (legacy UI) or Save and Deploy Later (New UI) instead of Save and Push Changes (legacy UI) or Save and Deploy Now (New UI) when creating or updating a policy, the changes will still be deployed at midnight in your time zone because policies are automatically deployed every 24 hours.
IMPORTANT This functionality is only available for Windows devices.
Sometimes you may want to hide the Datto RMM icon in the system tray because you do not want your end users to access all of the options it offers (for example, the option to create a ticket), or because you want to prevent end users from stopping the Agent or turning on Privacy Mode.
To hide the Agent icon from the end user, check the following option in the Agent policy: Service Options > Install Service Only.
When this option is selected, the gui.exe process (Agent Browser) will not start on the targeted devices, and the following features will not be available:
- Remote takeover toaster notifications. If the targeted device is using Privacy Mode, the end user will be unable to authorize remote takeover requests.
- Patch reboot toaster notifications
- Prompts to authorize the execution of jobs
- Chat
- Screenshot
IMPORTANT Selecting the Install Service only option will not close the gui.exe process if it is already running. The targeted device needs to be restarted in order for the gui.exe process to not start on boot.