7.4. Devices

This chapter describes how devices are provisioned and managed within the Web Management Interface. The following topics are included in this chapter:

7.4.1. Manage devices

The Manage devices page provides a list of all devices provisioned in PxM. A device template is required to provision a device so it can be administered by PxM.

Device templates provide PxM with the necessary access control and account provisioning information for a device. Device templates can be expanded to include auditable parameters, delegated tasks and custom business process tasks. See Template library.

To provide device access to users through the PxM Client, profiles need to be created and devices, tools, tasks, users, user groups added to the profile. See Creating a new profile.

To view the Manage devices page, click Devices in the left-hand menu.

WebUI Manage devices table

The information presented in the table includes:

Heading Description
Device status icon

The following describes what the different device icon states mean within PxM:

  • Unknown Device icon Device has been successfully provisioned but not yet polled.
  • Usable Device icon Device is in a good state and reachable on the network. No alerts have been flagged.
  • Alert Device icon PxM raises the alert flag when a task run on the device fails. Look on the Device detail page > Recent System queue or the System queue for failed tasks against the device.
  • Unreachable Device icon Polling has failed. PxM’s Monitor Devices System task has failed to communicate with at least one of the devices available access methods. Therefore, some or all of the device tools may be unavailable.
  • Unmanaged Device icon This device is not managed by PxM but the username and password is saved in PxM. The only tool available for this device is Reveal Credentials.
Name This is the display name that will be given to the device, to identify it within the PxM Client and Web Management Interface.
Enabled

If the checkbox is Checked box icon checked then the device is enabled. Allows the user to access the device through the PxM Client.

If the checkbox is Unchecked box icon unchecked then the device access through PxM has been disabled for all users. The device will no longer be visible in any user’s PxM Client. But the device will NOT be removed from any profiles from PxM.

Last activity Represents the date & time the device was last accessed through PxM.
Hostname Is the unique label assigned to the device.
IP Address Is the network IP Address of the device.
Max connections

Allows you to set a maximum limit for the number of connections or users that can be connected to the device at any one time.

  • For RDP and SSH the maximum connections refers to the maximum number of connections to the device.
  • For HTTP/HTTPS connections the maximum connections refers to the maximum number of users. This is because the proxy cannot determine how many separate HTTP/HTTPS sessions a user has open to the device.

Leaving the field blank defaults to unlimited connections.

Note

This functionality is useful in cases when you:

  • Have device license limits.
  • Want to restrict the number of users that connect to a device.
Authentication Service

Indicates if an Authentication service is being used.

See Active Directory or see Manage static vaults.

Template

Name and version of the device template that is being used to manage the device.

See Template library.

Vendor Name of the device vendor.
# Profiles Displays the number of Profiles the device belongs to.
Meta-info Meta-cols allow you to attach many kinds of information against each device. For details on configuring meta columns, see Configure meta-info.

Device context menu options

A number of context menu options are available when you highlight a device and then right-click. Some of the more common options are described in the General usage section.

Action Description
Clear Alert

Once the alert has been investigated and resolved, the alert can be cleared from the using this option.

The MonitorDevices task and Lower Alert task is run against the device. if there have been no more failed tasks, then the Device status will be set to Usable Device icon

Migrate template

Allows you to migrate the device to a different template. See Migrating a template.

Note

You can’t migrate the template of a device which has been disabled.

Delete icon Unprovision

Unprovisioning a device removes the device from PxM so it can no longer be administered.

See Unprovision

Force remove icon Force remove

Deletes the device from PxM without attempting to delete any PxM accounts from the device or Active Directory.

Used in cases where the device has been taken off the network and will not be reinstated.

See Force remove.

Warning

Caution should be used if the device is still functional. If the device has been provisioned as Managed, then PxM will have changed the password. To recover the password you must generate a breakglass pdf so you have the password to log onto the device directly. See Generate breakglass PDF or KeePass file.


7.4.2. Control accounts

When provisioning a device, the SuperAdmin has a choice as to how the device will be managed within PxM.

The following diagram explains the control account options available when provisioning a device.

  On PxM On Device
Control account type Store password Change password Create account Delete account
Known Checked box icon      
Managed Checked box icon Checked box icon    
Fully managed Checked box icon Checked box icon Checked box icon Checked box icon

7.4.3. Adding a device

There are a number of ways PxM can interact with devices:

  • Adding a local device: PxM creates/uses a local account on the device.
  • Adding a device using an Active Directory: PxM creates/uses an existing Active Directory account which must have the correct level of priviledges.
  • Adding a device using an account listed in the static vault: an account is selected from accounts stored in the PxM static vault service. These accounts are preexisting on the device being provisioned.

7.4.4. Adding a local device

To add a device with local accounts:

  1. On the Manage devices page, click on the Plus iconNew device button. The New device window opens.

  2. In the Choose device template window, click on the correct template for the device.

    WebUI Choose device template window

  3. Click Choose.

  4. In the Connection details window, enter the device configuration information which PxM will use to make a connection.

    To resolve the IP address using the Glass icon icon on the IP address field, a valid DNS host name needs to be entered into the hostname field and the correct DNS Suffixes must be added to the System configuration > Settings tab, DNS Suffixes. See DNS search suffix.

    WebUI Connection details tab

    Note

    The fields within the Connection details page may differ depending on the device template selected.

    To validate the hostname use the following naming convention:

    • First character: alphanumeric (A-Z a-z 0-9)
    • Middle character(s): alphanumeric (A-Z a-z 0-9) and dash (-)
    • Last character: alphanumeric (A-Z a-z 0-9)
  5. Click Continue. The Device access details window appears.

    Device access details

  6. Within the Device access details window, enter a valid device account username.

  7. In the Authentication drop-down, select one of the following authentication methods:

    • Password: provisions the device with a password only
    • SSH Key: provisions the device with SSH key authentication only
    • Both: provisions the device with both SSH key and password authentication

    Depending on your selection, one or more credential fields display beneath the Authentication drop-down.

  8. In the available field(s), provide the authentication credentials:

    • Password: type a password.
    • SSH private key: click the field or Popup editor icon icon to upload an SSH private key.
    • SSH key passphrase: if necessary, type an SSH key passphrase.
  9. Click Proceed. PxM runs the DeviceVerifyTask:

    • PxM uses the credentials provided to connect to the device.
    • Checks the device version is compatible with the template selected.
    • Closes the connection to the device.

    Note

    At this stage, the device account details are not stored in PxM, but temporarily stored in your browser, saving you having to type them in again later.

  10. In the Create device window, on the left-hand side, enter a Device name to help identify the device within PxM.

    WebUI Create device tab

  11. Select a control account, for how you want to manage your device.

    WebUI Create device control account options screenshot

    Use the drop-down list box for the control account options available.

    Control accounts Description
    Fully managed

    Allows PxM to create its own management account on the device. This management account will be used by PxM to connect to the device and manage it.

    This can only be done if the device supports new account creations.

    Managed

    Warning icon Selecting this option will change the authentication credentials (SSH keys and passwords) of the selected account. You will no longer know the credentials, as they will be managed by PxM.

    To recover direct access to the device, you can either:

    • Generate a Breakglass PDF
    • Or change the control account to Known on the Account manage tab of the Manage devices page.

    Allows you to select an existing account on the device AND manage its credentials.

    PxM will NEVER delete this account but will manage the account credentials through the Device Password Refresh task.

    Known

    Allows you to select an existing account on the device which will be used by PxM to manage the device.

    PxM will make NO changes to the selected account and credentials.

    PxM will NEVER delete this account or change the credentials.

    The control account selected will be used by PxM to:

    • Create and delete PxM accounts on the device.
    • Run tasks on the device.
    • Refresh passwords.
  12. Click Create.

    The DeviceAudit task is run:

    • The control account is used to audit the accounts that exist on the device and populate the Inventory report.

    Note

    When the DeviceAudit task is initiated, a previously-defined user_show_all subtask runs, discovering all local users present on a device. Accounts from an authentication service are discovered when provisioning the authentication service. For more information, see Adding an Active Directory.

    • If any known accounts have been specified in the template using the <accounts> tag, they will be listed on the Manage accounts page and the Device detail > Account management tab, with a state of Approved.

      • All other device accounts found during the audit will have a state of Unapproved.

      WebUI Device account management tab

      The DeviceProvisionTask is also run during the provisioning process and the operations performed

      depends on the control account selected:

      Fully managed

      • PxM uses the devices authentication details provided during Test connection to create a PxM management account (osirium1) on the device. This account will be given the highest access level available on the device.
      • The device account used is NOT stored in PxM.

Managed

  • PxM uses the devices authentication details to connect to the device.
  • The selected account name is stored and it’s password managed by PxM.
  • The Managed account will be marked as the control account on the Manage accounts > Device accounts tab. The account State will be Password managed icon Managed.

Known

  • PxM uses the devices authentication details to connect to the device.
  • The supplied username and password are stored in PxM.
  • The Known account will be marked as the control account on the Manage accounts > Device accounts tab. The account State will be Password icon Known.

7.4.5. Adding an Active Directory member device using an Authentication service

PxM can interact with the Active Directory directly to offer the same range of single sign-on options that you have with a device with local accounts.

Adding member servers:

  1. Before member servers/clients can be provisioned using an Active Directory authentication service, the Active Directory must first be added to PxM. See Adding an Active Directory.

  2. On the Manage devices page, click on the Plus iconNew device button. The New device window opens.

  3. Click a template requiring an Active Directory authentication service.

    WebUI Choose member device template window

  4. Click Choose. The Connection details window appears.

  5. In the Connection details window, enter the member servers/client configuration information which PxM will use to make a connection.

    Webui Connection details tab for Windows

    Note

    AD Replication delay is available for Active Directory domains with multiple sites that may be using inter-site replication delay.

    For example:

    • An Active Directory domain has a Site A and Site B.
    • The inter site replication delay between these two sites is 15 minutes.
    • If a new group is added into Active Directory on the Domain Controller in Site A, it would take 15 minutes for the group to be replicated to Site B.
    • This means that if the authentication service is the Domain Controller on Site A, and a member server from Site B is provisioned, then the task would fail until the replication has taken place.
  6. Click Continue.

  7. In the Create device window, select a control account from the accounts listed which exist on the Active Directory, but not on the member servers.

    WebUI Create member device tab

    The following explains the affect on the Active Directory:

    Control accounts Description
    Fully managed Allows PxM to create its own management account on the Active Directory, PxM OUs. This management account will be used by PxM to connect to the member servers and manage it.
    Managed

    Warning icon Selecting this option will change the credentials of the Active Directory account selected. You will no longer know the credentials as they will be managed by PxM.

    To recover direct access to the device you can either:

    • Use the Reveal Credentials tool
    • Generate a Breakglass PDF
    • Or change the control account to Known on the Manage accounts Authentication service accounts tab.

    When an account is selected, if it is not in the correct state then you will be asked if you want to put the account into the correct state. Click Yes. Unless the account selected is in the correct state you won’t be able to proceed.

    WebUI Change account state window

    Changing the state of an account to Managed will allow PxM to change the credentials, you will be prompted to confirm you want to continue. Click Yes.

    PxM will NEVER delete this account but will manage the account credentials through the Refresh Account Credentials task.

    Known

    Allows you to select an existing account on the Active Directory to be the control account that PxM will use to manage the Windows Members.

    PxM will make NO changes to the selected account and credentials.

    PxM will NEVER delete this account or change the credentials.

  8. Click Create. The member servers provisioning process will be queued and perform different operations depending on the type of control account selected.

    The DeviceAudit task is run:

    • The control account is used to audit the accounts that exist on the Active Directory and the accounts that exist on member servers/client.
    • If any known accounts have been specified in the template using the <accounts> tag, they will be listed on the Manage accounts page and the Device detail > Account management tab, with a state of Approved.
    • All other Active Directory accounts found during the audit will have a state of Unapproved.

    The DeviceProvisionTask task is run:

    • PxM uses the Active Directory details provided during connection to create the osirium_deviceaccess_account on the Active Directory within the Osirium OU > Users OU. This account will be used to manage the member servers.

    • The selected Active Directory account is NOT stored in PxM.

    • The osirium_deviceaccess_account account will be marked as the control account on the

      Manage accounts > Authentication service accounts tab and linked to the user: Osirium Server.

      AD Osirium device access account screenshot

    • PxM uses the control account to create the Osirium OU > Users OU if it hasn’t already been created during the Active Directory provisioning.

    • The Group OU is created within the PxM OU on the Active Directory, and a group per accesstoken (derived from the template) is created. Each accesstoken is then added as a member of the appropriate built-in group in Active Directory.

      AD Osirium groups screenshot

      WebUI Windows member group template screenshot

      Note

      The osirium_deviceaccess_account may already have been created when the Active Directory was added, if the create account checkbox was checked.


7.4.6. Adding a device using a static vault authentication service

To provision a device to use an account store in the static vault:

  1. Before a device can be provisioned enusre the account has been added to the static vault. See Adding a static vault service.

  2. On the Manage devices page, click on the Plus iconNew device button. The New device window opens.

  3. Click a template requiring a static vault authentication service.

    WebUI Choose static vault auth service template window

  4. Click Choose. The Connection details window appears.

  5. In the Connection details window, enter the device configuration information which PxM will use to make a connection.

    Webui Connection details

  6. Click Continue.

  7. In the Create device window, select a static vault.

    WebUI Create device with static vault tab

    Once a static vault is selected, the Select control account window will update and list all the accounts available in the static vault selected.

    WebUI Create device with static vault account list

  8. Select an account from the list.

  9. Click Create. The device will be provisioned.

    The control account selected will be used by PxM to:

    • Create and delete PxM accounts on the device.
    • Run tasks on the device.
    • Refresh passwords.
  10. Click Create.

    The DeviceAudit task is run:

    • The control account is used to audit the accounts that exist on the device and populate the Inventory report.

    • If any known accounts have been specified in the template using the <accounts> tag, they will be listed on the Manage accounts page and the Device detail > Account management tab, with a state of Approved.

    • All other device accounts found during the audit will have a state of Unapproved.

      WebUI Device account management tab

    DeviceProvisionTask is also run during the provisioning process. As all static vault accounts are Known, the following will happen:

    • PxM uses the devices authentication details stored in the static vault to connect to the device.

7.4.7. Bulk importing

Devices can be bulk provisioned with the bulk import feature. You can download a preformatted CSV (comma separated value) for each device template and populate it with the relevant data.

To bulk import devices:

  1. On the Manage devices page, click on the Bulk import button. The Import from CSV window opens.

    WebUI Device bulk import window

  2. Click Download csv template.

  3. Within the Bulk import template download window, click on a device template to download the appropriate bulk import template.

  4. Click Download bulk import template. The CSV file downloads to your default download location.

  5. Open the downloaded bulk import template and populate with the required device information.

    The template requires the following information:

    Column name Description

    Vendor

    Template

    Version

    The device template information has to match a template which has been uploaded into PxM. You can find this information on the Template library page.

    See Template library.

    Name This is the display name that will be given to the device, to identify it within the PxM Client and the Web Management Interface.
    Username

    Enter the name of a valid device account. This account will be used by PxM to access and provision the device.

    Note

    For a Windows member server, leave blank as the Active Directory account details will be used.

    Password

    Enter the password of the device account used.

    Note

    For a Windows member server, leave blank as the Active Directory account details will be used.

    Control account

    Enter one of the following options depending on how you want to manage your device.

    • Fully managed
    • Managed
    • Known

    See Control accounts.

    Control username This field is only required if the control account selected is either Managed or Known. This is the account that will be used by PxM to communicate with the device.
    Control password This field is only required if the control account selected is either Managed or Known. This is the account password that will be used by PxM to communicate with the device.
    Authentication Service

    Required for devices using an Active Directory or static vault authentication service.

    If using Active Directory, enter the name given to the Active Directory in PxM.

    If using a static vault, enter the name given to the static vault in PxM.

    Hostname Is the unique label assigned to the device which is used internally by PxM.
    Address Is the network IP address of the device.
    Other columns This may vary depending on the device.
    Meta-cols Meta-cols allow you to attach many kinds of information against each device. See Configure meta-info
  6. Save the file.

  7. Go back to the Import from CSV window, within the Web Management Interface.

  8. Click Choose file to locate and select the completed updated bulk import template file.

  9. Click Import.

  10. The devices within the imported CSV file will be listed in the Bulk import devices window. Any data errors will be highlighted with a Close icon icon. If these errors are not fixed then that Windows Member will not be provisioned. You can also update any Windows Member devices settings by clicking on the Edit pencil icon icon at the end of each row.

  11. Click Import.

  12. Devices will be imported and queued for provisioning.

  13. Check the System queue page for progress. Refresh the Manage devices page to update the devices status icon.

    PxM will process each device in turn, exactly as if you had added them one at a time.

7.4.8. Unprovision

Unprovisioning a device removes the device from PxM so it can no longer be administered.

To unprovision a device:

  1. On the Manage devices page right-click on a device and then click Unprovision within the context menu.

  2. If the device belongs to a profile:

    • In the Action notification pop-up, click Continue.

    • You will be asked to supply new credentials for any accounts on the device which are in the Managed state. Alternatively, you can click Bulk apply, which will apply the same credentials to all the accounts.

      WebUI Device unprovision account passwords

    • Click Proceed. PxM runs the Refresh Account Credentials task to set the new credentials on the accounts on the device.

  3. Within the Question window, click Yes, if you are sure you want to delete the device from PxM.

    WebUI Confirm device unprovision question

During the deletion of the device from PxM, the following occurs depending the control account is set to:

UserDeviceAccountUpdateTask is run:

  • Before the device is unprovisioned from PxM, the device is automatically removed from all profiles. This allows all Fully managed user accounts to be deleted from the device or the Active Directory if unprovisioning member servers.

DeviceUnprovisionTask is run:

Fully managed

  • PxM connects to the device using the osirium1 management account and deletes the osiriumbg account. Applies to local devices only.
  • The PxM management account osirium1 will also be deleted if the device allows. Applies to local devices only.
  • Removes the device information from PxM, i.e. Manage devices, Inventory, Manage accounts, etc.

Managed

  • The Managed control account is NOT removed from the device.
  • Any Windows Member accesstokens are deleted from the Group’s OU on the Active Directory. Applies only to member servers.
  • Removes the device information from PxM, i.e. Manage devices, Inventory, Manage accounts, etc.

Known

  • The Known control account is NOT updated or removed from the device.
  • Any Windows Member accesstokens are deleted from the Group’s OU on the Active Directory. Applies only to member servers.
  • Removes the device information from PxM, i.e. Manage devices, Inventory, Manage accounts, etc.

7.4.9. Force remove

Devices which are stuck in an unprovisioned state Force remove icon can be removed by right-clicking a device or selecting multiple devices on the Manage devices page and then clicking Force remove from the context menu.

Force remove will delete the device from PxM without attempting to delete the PxM accounts on the device.

For member servers, force remove will delete the Window Member from PxM without attempting to:

  • Delete the PxM accounts from the Active Directory.
  • Delete the Windows member accesstokens within the Group’s OU on the Active Directory.

Used in cases where the device has been taken off the network and will not be reinstated.

Note

Caution should be used if the device is still functional. If the device has been provisioned as Managed, then PxM will have changed the password. PxM will ask you to provide a new password and attempt to change the password on the device. If PxM fails to reset the password, you can recover the password set by PxM by using the Reveal Credentials tool or generating a breakglass PDF so you have the password to log onto the device directly. See Generate breakglass PDF or KeePass file.

7.4.10. Reprovision

If a device has failed to provision or you have lost control of it, you can use the Reprovision button as a convenient shortcut. Reprovision allows you to retry provisioning the device without having to enter all of the device configuration information.

A control account must exist on the device to be reprovisioned. To check if the device has a control account, click the Account management tab on the device detail page. Otherwise, you will have to create a control account first. See Account management tab > Create account.

To reprovision a device:

  1. On the Device detail page, click the Reprovision button. The Question window appears.

    WebUI Device reprovision question

  2. Click Yes. The device reprovisions.

    During the reprovisioning of a device:

    • The tasks device_provision_start and device_provision_end in the template Reprovision are run. These tasks are used to bring the device into a known state, and do not create any accounts.
    • The DeviceAudit task is run to audit information to populate the Inventory report.

7.4.11. Device detail page

The Device detail page provides information relating to the device and allows you to administer the device.

To view the Device detail page, click on a name within the Name column which is a link to the Device detail page. Alternatively, highlight a device and right-click for the context menu. Within the context menu select Show device iconShow and you will be navigated to the Device detail page.

The Device detail page contains the following tabs:

  • Configuration tab
  • User access control tab
  • Account management tab
  • Tasks tab

WebUI Device detail screenshot


7.4.12. Configuration tab

The Configuration tab allows you to view and manage the internal device information and device parameters which are used by PxM to communicate with the device.

Internal device information

This information is internal information used to identify the device. Click on the Edit pencil icon icon at the end of row to edit the device information.

WebUI Device detail edit screenshot

Device parameters

Configuration: is essential for PxM to be able to connect to the device. Click on the Edit pencil icon icon to configure the Hostname, IP Address and other device configurations.

If changing these parameters, use the Test connection button to confirm that PxM can still connect to the device.

WebUI Device parameters screenshot

7.4.13. User access control tab

The User access control tab allows you to:

  • View all the profiles the device belongs to.

  • Add/remove the device from a profile.

  • View all the PxM users that have access to the device and their highest access token.

    WebUI Device user access control tab

Profile membership

Displays all the Profiles the device belongs to and allows you to manage them.

The link between a profile and a device is made with a specific permission, representing the level of permission that will be used when a user single sign-on to the device.

To add the device to an existing Profile:

  1. Within the User access control tab, in the PROFILE MEMBERSHIP area, click Manage or Click to add profiles. The Manager: profiles window appears.

    WebUI Device profile manager window

  2. Within the Manager: profiles window, tick the checkboxes next to the profiles you want the device to be added to.

    WebUI User groups manage profile window

  3. For each local device, select the Access level that will be granted. This can be:

    • Role: These are the available access levels PxM can use when creating personalised accounts. If a role is selected it will apply for every PxM user in the profile.

      When used with a member servers, the Role indicates the group membership of the account that will be created on the Active Directory.

      The accesstokens available will be on the Active Directory Users and Computers > Osirium OU > Groups OU.

      AD Osirium groups screenshot

      The personalised accounts will be created in the Active Directory Users and Computers > Osirium OU > Users OU.

    • Account: These are Managed and Known accounts that can be used to single sign-on to the device. If an account is selected it will be available to every PxM user in the profile. No personalised accounts are created.

      WebUI Device profile manager window choose access level

    • Patterns: These are predefined patterns that allow PxM user accounts

      to be linked to existing accounts on a device.

  4. Click Save changes.

User access summary

Displays all the users that have access to the device and their respective permission levels. Cannot be updated.

WebUI Device user access summary screenshot

The information presented in the table includes:

Heading Description
Expansion icon Click the arrow to reveal more information.
User The internal name of the PxM user which is used to reference and log user activity.
Via Indicates if the user has been added directly to the profile or via a user group.
Access roles

Indicates the access level granted to the personalized user created on the device, if a role is selected within the Profile.

If an Account is selected then this column will be blank.

Accounts

Indicates the account to be used when users single sign-on onto the device.

Only accounts which have a state of Known or higher on the Account management page, will be made available when the device is added to a profile.

If an Access role is selected then this column will be blank.

Recorded

Relates to Privileged Session Recording and if ticked, indicates that a user’s session to the device will be recorded.

See Privileged Session Management.

Last connection Timestamp of when the user last single sign-on to the device.

7.4.14. Account management tab

The information presented separates the authentication service device from a standard device.

WebUI AD Device account management tab

Authentication service section

Contains details of the authentication service used by the device. The information presented includes:

Heading Description
Name

The display name name given to the authentication service.

The name of the service is a link to the Active Directory detail page used by the device.

Scheme The type of authentication service, an example being “Active Directory”.
Vendor The authentication service vendor.
Domain Controller IP address(es): IP address(es) of the authentication service.
Domain (FQDN): The Fully Qualified Domain Name.
UPN suffixes: List the UPN suffixes that should be considered when auditing Active Directory.
Ignore A list of ignore strings to be tested against the DN of each account found by PxM. If any ignore string is present inside an account DN, the account will be ignored. This can be used to ignore certain CN/OU’s during the audit. For example an ignore string of “OU=Disabled Users” would ensure that no users from that OU are audited.”
# Devices The number of devices using the authentication service.

Click the Manage button to open the Active Directory detail page page, which shows the accounts on the authentication service.

The page is similar to the Active Directory accounts tab on the Manage accounts page with the authentication service set in the Authentication service column filter.


Device control account section

Contains details of the account used for making changes to the device. The information presented includes:

Heading Description
Account name

The account currently being used as the device control account.

See Active Directory accounts tab on the Manage accounts page with the authentication service set in the Authentication Service column filter.

State The type of account management being implemented by PxM. For more information, see Manage accounts.
Locked The boolean state of the account indicating if the account on the device is locked/unlocked. The enable/disable task must be in the device template in order to lock/unlock accounts.
Password changed Timestamp of when the account password was last changed by PxM.
Failed logon Timestamp of when PxM last failed to logon to the device.

Click the Select new button to open the Select new device control account window, from which a new device control account can be chosen.

The Select new device control account window contains a table. The information presented includes:

Heading Description
Device control account

The Device control account selected will be used by PxM:

  • Run tasks on the member servers.

Note

Only accounts with a state of Known or higher can be made a control account.

State

PxM sets a State for each of the accounts audited on the device.

See Manage accounts.

Account name Name of the account which exists on the device.
Locked The boolean state of the account indicating if the device is locked/unlocked. The enable/disable task must be in the device template in order to lock/unlock accounts.
Password changed Timestamp of when the account password was last changed by PxM.
Failed logon Timestamp of when PxM last failed to logon to the device.
Linked to user Name of the user in PxM that is linked to the account on the device.

7.4.15. Standard devices

The Account Management tab allows you to view and manage all the accounts that are present on the device.

WebUI Device account management tab

The information presented in the table includes:

Heading Description
Control account

The control account will be marked with an Checked box icon. The control account will be used by PxM to:

  • Create and delete PxM accounts on the device.
  • Run tasks on the device.
  • Refresh
  • Only accounts with a state of Known or higher can be made a control account.
State

PxM sets a State for each of the accounts audited on the device.

See Manage accounts.

Account name Name of the account which exists on the device.
Locked Indicates if the account on the device is locked/unlocked. The enable/disable task must be in the device template in order to lock/unlock accounts.
Credential(s) changed Timestamp of when the account credentials were last changed by PxM.
Failed logon Timestamp of when PxM last failed to logon to the device.
Linked to user Name of the user in PxM that is linked to the account on the device.
Password Indicates if the account is protected with a password.
SSH Key Indicates if the account is protected with an SSH key.

Account management context menu options

A number of context menu options are available when you highlight an account and then right-click within the Account management tab.

The context menu options available are:

Action Description
Show user icon Show linked user(s)

If the user is known by PxM you are navigated to the User detail page of the PxM user that is linked to the device account.

Note

If the user does not appear on the Manage users page within PxM, then this option will be greyed out.

Update stored credentials Allows you to update the stored credentials of any Known account.
Change state(s) Allows you to change the state of the account from what it is currently set to. See Changing states.
Reprovision

Only Fully managed accounts can be reprovisioned. This option can be used if PxM has lost control of the account.

To reprovision an account that is marked as a control account will require you to provide details of an account on the device that can perform the reprovision. The Reprovision account task is run.

Reprovisioning a Fully managed account that is not a control account does not require you to provide details of an account, as the control account will be used to logon to the device and reprovision the selected account(s).

See Reprovision.

Grey checked box icon Mark as control account If an account is marked as a control account (checkbox ticked) it means that this is the account that is used by PxM to communicate with and manage the device.
Reveal credentials

Allows the administrator to reveal the device account credentials (passwords and SSH keys) for individual accounts.

Credentials can be revealed for PxM, Known and Managed accounts only.

Force credentials refresh Allows you to force a credentials refresh on any Fully managed and Managed accounts.
Lock icon Lock Allows you to lock (disable) the account on the device so it can’t be used to log onto the device.
Unlock icon Unlock Allows you to unlock (enable) an account if it is disabled on the device so it can be used to log onto the device.
Delete icon Delete

Deleting an account will permanently remove the account from the device so it cannot be reinstated.

Note

Accounts marked as Controlled accounts cannot be deleted.


Create account

For local device, see Creating an account.

7.4.16. Tasks tab

Tasks that can be run on a device are defined within the device template and are specific to the device.

The TASKS section lists all the tasks which can be run on the device and are a combination of Users, System and Custom tasks.

The table lists all the tasks that can be executed on the device and includes:

Task Description
User Tasks

User Tasks can be:

  • Run by PxM users through the PxM Client.
  • Executed through the Web Management Interface.
  • Scheduled to run through profiles.
System Task

System Tasks can be:

  • Executed through the Web Management Interface.
  • Scheduled to run through profiles.
Custom Task

Custom Tasks can be:

  • Run by PxM users through the PxM Client.
  • Executed through the Web Management Interface.
  • Scheduled to run through profiles.

Custom Tasks require:

  • Task parameters to be configured in the Web Management Interface.
  • User input when executing the task through the PxM Client.

7.4.17. Execute tasks

To execute a task on a single device:

  1. In the Task list, click on the Execute now Execute icon icon for one of the tasks. The Execute task window appears.

    WebUI Device Details Tasks Tab Execute

  2. Within the Execute Task window, click Execute to run the task on the selected device.

    Note

    If you are executing a task which requires a task input, you will be asked to select the input first.

    WebUI Device Detail Tasks Tab input parameters

  3. Within the Question window, click Yes.

    Dialog window

  4. Within the Action queue window, you will be able to see the status of the task.

    Webui Tasks Action Queue

Note

Within the Action queue, the task output can be copied by highlighting and pressing CTRL+C.

Execute a Task on multiple devices

Tasks can also be run against multiple devices in one go, making bulk changes easier against devices that share the same templates.

  1. In the task list, click on the Execute now Execute icon icon for one of the tasks. The Execute task window appears.

    WebUi Device Details Tasks Tab Execute Select Tasks

  2. Within the Execute task window, click Choose devices.

    Note

    If you are executing a task which requires a Task input, you will be asked to select the input first.

    WebUI Device Detail Tasks Tab input parameters

  3. Within the SELECT DEVICES section, check the Unchecked box icon next to all devices in the list that you want to run the selected task against.

  4. Once you have selected all the devices, click Confirm. You are returned to the EXECUTE ON DEVICES window.

    WebUi Device Details Tasks Tab Execute Select Tasks

  5. Click Execute to run the task on the selected devices. The Question window appears.

  6. Click Yes. The Action queue window opens, showing progress of the task executed.

  7. Click Continue in background or Done once the tasks have completed.

    WebUI Device Detail Tasks Tab Execute Action Queue

    Note

    If the Regenerate Account Passwords for all credentials task is run within a Device detail page, only the credentials for that device will be regenerated.

Task Parameters

Task parameters allow you to define parameters for the custom tasks. Parameters need to be set before a Custom task can be executed.

Task parameters are picked up from the device template.

To update the Value of a Task parameter:

  1. Within the Task Parameters window, click the Edit pencil icon icon next to a task parameter.

  2. Insert a value. If the field allows multiple values, an Edit Value window opens, which will allow you to add multiple entries.

    WebUI Device task parameters screenshot

    WebUI Edit value window

    Once a task parameter has been configured, when a Custom Task is executed the configured Task Parameter > Value is applied to the device. If there are multiple parameters available then a list box will be presented and the user will be required to make a selection.

Bulk importing Task parameters

Task parameters can be bulk uploaded by downloading and populating the bulk import CSV (comma separated value) template format for that task parameter.

To bulk import task parameters:

  1. On the Manage devices page, double-click a device.

  2. Within the Tasks tab, in the Task parameters section, click on the Edit pencil icon icon.

  3. Within the Edit value window, click New and then select Import CSV.

  4. Within the Import from CSV window, click Download csv template.

    WebUI Task CSV import window

  5. Save the bulk import template to a preferred location.

  6. Open the downloaded bulk import template and populate with the required device information.

    The columns within the bulk import template will vary depending on the task.

  7. Save the file.

  8. Go back to the Import from CSV window, within the Web Management Interface.

  9. Either paste the CSV file contents or click Choose File to locate and select the updated bulk import template file.

  10. Click Import.

  11. The task parameters within the imported CSV file will be listed in the Edit value window. You can update any values by clicking on the Edit pencil icon icon at the end of each row.

    WebUI Edit value window 2

  12. Click Save changes.

  13. The values are added to the Value column.

    WebUI Device task parameters screenshot 2

Copy settings

Copy settings allows you to apply the task parameters for one device onto other devices that have the capability to run the task.

To copy the task parameter settings of a device to other devices:

  1. Click on Devices in the left-hand menu.

  2. Open the Device detail page of the device you want to copy the settings from by clicking on the device name.

  3. On the Device detail page, click Copy settings next to Task Parameters.

  4. Within the Copy setting(s) to device(s) window, select the settings you want to copy.

    WebUI Copy settings window

  5. Click Proceed.

  6. Select the devices you want to apply these settings to. They will be highlighted when selected. Only devices that have the capability to run this task will be listed.

  7. Click Copy.

  8. The settings are copied. Click OK within the Note window.

  9. Check the devices selected and confirm the task parameters have been copied.

7.4.18. Migrating a template

Provisioned devices within PxM can easily be upgraded to a newer version of a device template by using the template migration functionality.

Note

You can’t migrate the template of a device which has been disabled.

The updated device template must be uploaded through the Template library page before it can be used. See Uploading the template.

To migrate a device’s current device template:

  1. On the Manage devices page, right-click an individual device (or press CTRL and click multiple devices using the same template) and click Migrate template.

  2. In the Migrate template window, select the new template you want to migrate the device to. Only templates that are compatible with the device will be listed.

    WebUI Migrate template window

  3. Click Migrate device(s).

    • The devices will be queued for template migration. Check the System Queue.
    • During the template migration:
      • Existing DTPDs (Device Template Parameter Definitions) are checked and either updated or removed.
      • The Migrate Device task is run to migrate the device to the new template.
      • The DeviceAudit task is run to audit information to populate the Inventory report and Device parameter values.

Note

It is not possible to migrate a device from a Windows Domain template to a Windows Standalone template or from a Windows Standalone template to a Windows Domain template.

7.4.19. Editing a device

See General usage section for inline editing.