2.1 Understanding IT Assets

Secure Configuration Manager interacts with your IT assets according to each asset’s assignment within four specific categories: systems, agents, endpoints, and groups.

2.1.1 Systems

Systems are physical computers on a network that run an operating system and host applications or databases. Systems also host agents or endpoints. An agent resides on a system and monitors endpoints such as computers, devices, and applications. An endpoint represents an agent-monitored operating system, application, web server, or database instance. For more information, see Section 2.1.2, Agents and Section 2.1.3, Endpoints.

When you install Secure Configuration Manager, the setup program installs and registers a Windows agent on the Core Services computer. This agent and the endpoint representing the computer’s operating system become the first managed system in your asset map. If you upgrade your Secure Configuration Manager environment, the setup program either updates the existing agent on the Core Services computer or installs and registers a new agent.

You can automatically discover systems on your network. For more information about automatically discovering systems, see Section 2.2.3, Discovering Systems in Your Environment. You can also periodically discover systems on your network by enabling the Automatic System scheduled task. When you enable this task, Secure Configuration Manager automatically discovers available systems on your network according to the schedule you set.

2.1.2 Agents

Agents are hosted on systems and manage endpoints such as computers, devices, and applications. Secure Configuration Manager runs actions and reports on endpoints and groups of endpoints. For more information about endpoints, see Section 2.1.3, Endpoints.

When you add an agent to the asset map, Secure Configuration Manager attempts to register the agent. Registration of an agent assigns a unique identifier to the agent. If an agent is not registered, Secure Configuration Manager cannot communicate with the agent, preventing the product from collecting security information from the managed endpoints. If you add an agent, but the agent is not registered at that time, you can manually register the agent later. The agent could fail registration when you add it to the asset map for several reasons:

  • The network link to the agent is down.

  • A firewall exists between the agent and Core Services.

  • The agent is not running.

  • The agent is using a different port than what is configured in Secure Configuration Manager.

  • The agent requires a communication protocol that is not enabled in Secure Configuration Manager. For more information, see Section 2.4.2, Registering an Agent Manually.

Any Windows agent can be assigned as a Deployment Agent by modifying the settings in the Agent Component Properties window. To see which agents are Deployment Agents, expand IT Assets > Agents in the navigation pane and view the agents listed in the content pane. For more information about deployment, see Section 2.2.7, Deploying and Updating Agents.

Any time you are no longer using an agent, you should un-register the agent from Core Services and delete the agent from the asset map. If you no longer monitor a system’s security, you can delete the managed system, which removes all endpoints and agents on that system from the asset map. For more information about removing agents from Core Services, see Section 2.4.3, Un-Registering an Agent. For more information about deleting managed systems, see Section 2.2.6, Managing Systems in Your Asset Map.

2.1.3 Endpoints

Secure Configuration Manager analyzes security risks and ensures policy compliance for your endpoints and groups of endpoints. An endpoint is an entity that an agent manages and audits; it can be a computer, a database, or an application. Endpoints are categorized into groups in the asset map according to the endpoint type, such as SQL Server 2012 or Windows. Each endpoint is mapped to exactly one agent.

When you want to manage a specific computer, add that computer as an endpoint in the asset map. A computer can be a physical computer on a network that runs an operating system and hosts applications or databases. A system can have multiple endpoints, such as the operating system and a SQL Server database, and is referred to as a managed system.

Any time you are no longer managing or using an endpoint, you can delete that endpoint. You can also delete the managed system, which removes all endpoints and agents on that system from the asset map.

2.1.4 Groups

Groups contain collections of endpoints and other groups. By default, when you add an endpoint to the asset map, Secure Configuration Manager groups that endpoint by its platform. In Secure Configuration Manager, a platform refers to the endpoint type, such as Windows, UNIX, or SQL Server 2012. These built-in groups help you start to categorize your endpoints and cannot be modified. Secure Configuration Manager displays only the built-in groups that correspond with the agent and operating system types within your asset map.

You can create your own managed groups in Secure Configuration Manager to facilitate management of your environment. These user-defined groups in Secure Configuration Manager are nested, which means you can have groups within groups.

Ensure that you assign all endpoints to a managed group. Secure Configuration Manager uses your managed groups for the Asset Compliance View data. The Secure Configuration Manager Dashboard also displays policy template results according to your managed groups. For more information about the Asset Compliance View, see Section 5.4, Using the Asset Compliance View for Evaluation. For more information about the Secure Configuration Manager Dashboard, see the NetIQ Secure Configuration Manager Dashboard User Guide.

The entire set of groups is called a forest. Each top-level node is called a tree. Several rules apply to groups in Secure Configuration Manager:

  • A group can contain endpoints and other groups.

  • You can add an endpoint to a group, or remove an endpoint from a group at any time.

  • You can remove a group from another group at any time.

  • An endpoint can belong to many trees, but that endpoint can be a member of only one group in any given tree.

Any time your IT infrastructure changes, you can change or delete existing user-defined groups, and move endpoints from those groups into other groups.
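The following added example (not code from the product or its documentation) models the asset-map rules described in this section: each endpoint maps to one agent, the user-defined groups form a forest of trees, an endpoint may appear in many trees but in only one group per tree, deleting a managed system removes its agents and endpoints, and endpoints left outside every managed group can be listed so they can be assigned. All class and method names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:
    """One node of the group forest; a node with no parent is a tree's top-level node."""
    name: str
    parent: Optional["Group"] = None
    endpoints: set = field(default_factory=set)

    def tree(self) -> "Group":
        node = self
        while node.parent is not None:
            node = node.parent
        return node

class AssetMap:
    def __init__(self):
        self.agents = {}     # agent id -> name of the system hosting it
        self.endpoints = {}  # endpoint name -> agent id (each endpoint maps to one agent)
        self.groups = {}     # group name -> Group (user-defined groups only)

    def add_agent(self, agent_id, system):
        self.agents[agent_id] = system
    def add_endpoint(self, name, agent_id):
        if agent_id not in self.agents:
            raise ValueError(f"{name}: agent {agent_id} is not in the asset map")
        self.endpoints[name] = agent_id
    def add_group(self, name, parent=None):
        self.groups[name] = Group(name, self.groups[parent] if parent else None)

    def add_endpoint_to_group(self, endpoint, group_name):
        # Rule: an endpoint may be a member of only one group in any given tree.
        target = self.groups[group_name]
        for g in self.groups.values():
            if endpoint in g.endpoints and g is not target and g.tree() is target.tree():
                raise ValueError(f"{endpoint} is already in {g.name} of tree {target.tree().name}")
        target.endpoints.add(endpoint)

    def delete_system(self, system):
        # Deleting a managed system removes all of its agents and their endpoints.
        gone = {a for a, s in self.agents.items() if s == system}
        for agent in gone:
            del self.agents[agent]
        for ep in [e for e, a in self.endpoints.items() if a in gone]:
            del self.endpoints[ep]
            for g in self.groups.values():
                g.endpoints.discard(ep)

    def unassigned_endpoints(self):
        # Endpoints not yet in any managed group; these are missing from compliance views.
        grouped = set().union(*[g.endpoints for g in self.groups.values()], set())
        return sorted(set(self.endpoints) - grouped)
```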