Device approval

SECURITY   To approve devices, Administrator permission or a security level with Device Approvals enabled is required.

SECURITY  To enable New Device Approval, refer to Setup > Global Settings in Permissions.

NAVIGATION  Devices > Device Approvals

NAVIGATION  Setup > Global Settings > New Device Approval (Access Control section)

About

Device approval improves account security by giving users with Device Approvals access control over Agents that want to connect to their account.

This topic describes the following processes:

  • New Device Approval is enabled for the account and a device must be approved manually.
  • A device's Agent encryption key has changed and the encryption key must be approved manually.

New Device Approval is disabled by default in the Access Control section of Global Settings.

To enable New Device Approval, follow these steps:

  1. Navigate to Setup > Global Settings > Access Control.
  2. Enable New Device Approval. When this option is enabled, any new device added to the Datto RMM account will require approval before the device can participate in the account activity.

To view a list of new devices awaiting approval, follow these steps:

  1. Navigate to Devices > Device Approvals.

NOTE  An ! icon next to this section indicates that there are devices requiring approval.

  1. On the Device Approvals page, click New Devices.
  2. Select one or more devices and click Approve or Reject. The action will be performed upon confirmation.

    3. Approved devices will now be allowed to fully communicate with the platform.

    Devices rejected from the New Devices list will be deleted from the account. Refer to Manage deleted devices.

Devices awaiting approval will be able to do any of the following:

  • Submit audit data

Devices awaiting approval will not be able to do any of the following:

  • Run jobs
  • Apply policies
  • Download components
  • Submit performance data
  • Allow remote takeover

NOTE  Devices awaiting approval will be added to the managed device count and billed as such.

NOTE  Disabling device approval will immediately authorize all devices currently pending approval.

Datto RMM takes a layered approach to security and part of this is Agent encryption. A unique encryption key is generated for every Datto RMM Agent installation to ensure that when an Agent is communicating with the platform, we know the traffic is coming from the device where the Agent was originally installed, and no impersonation is taking place. For more information, refer to Agent encryption.

To view a list of new devices awaiting approval due to an Agent encryption key change request, follow these steps:

  1. Navigate to Devices > Device Approvals.

NOTE  An ! icon next to this section indicates that there are devices requiring approval.

  1. On the Device Approvals page, click Agent Encryption Key Changed. This list contains existing devices attempting to communicate with an incorrect or missing encryption key.

NOTE  You may need to restart the device's Agent Service (CagService) for the device to appear in this list.

IMPORTANT  For each Agent installation, Datto RMM generates an encryption key and exchanges it with the platform. In cases where an Agent's submitted key differs from the key the platform expects to receive or is missing, a mismatch will occur. A key change may indicate a legitimate reinstallation of the Agent or an attempt by an attacker to masquerade one device as another. It is recommended that all encryption key approvals are validated as an Agent should never change its key spontaneously. In the event of a mismatch, check the new device's audit records to see if they are as expected. If they are not or you are unsure, contact Datto RMM Support. Refer to Kaseya Helpdesk. For more information, refer to Agent encryption.

  1. Select one or more devices and click Approve or Reject. The action will be performed upon confirmation.

If a device is awaiting Agent encryption key change approval or is rejected, it will not receive any monitoring or Software Management data, and you will not be able to connect to it using Web Remote. Devices rejected from the Agent Encryption Key Changed list will be removed from the list and will be displayed in the list again an hour later; an Administrator can then approve or reject them. Alternatively, devices displayed in the list can be deleted from the account. Refer to Deleting a device.

Approved devices will receive monitoring and Software Management data an hour after approval. You will also be able to connect to them using Web Remote.

NOTE  If a Network Node is awaiting device approval due to an Agent encryption key change request, any associated network devices will appear offline until the Network Node is approved.

The Column Chooser icon allows you to select which columns should be visible in the list. Refer to Column Chooser field definitions for descriptions of all of the available fields.

The refresh icon allows you to reload the data while keeping existing filters when already configured.

The table density is set to condensed theme by default. To change it to relaxed theme, click the density toggle icon. The selection will persist across all pages.

The number of results displayed can be specified by selecting the desired number from the pagination control. This selection will persist the next time the page is accessed.