1.2 Understanding Asset Categories

Secure Configuration Manager interacts with your servers and network devices according to each asset’s assignment within four specific categories: assets, also known as systems; agents; endpoints; and groups.

NOTE: The Web console uses the term asset, while the Windows console continues to use the older term system.

1.2.1 Assets

Assets, or systems, are physical computers on a network that run an operating system and host applications or databases. When you add an asset to Secure Configuration Manager, the computer hosts an agent, and possibly one or more endpoints. For more information, see Agents and Endpoints.

When you install Secure Configuration Manager, the setup program installs and registers a Windows agent on the Core Services computer. This agent and the endpoint representing the computer’s operating system become the first managed asset in your asset map. If you upgrade your Secure Configuration Manager environment, the setup program either updates the existing agent on the Core Services computer or installs and registers a new agent.

You can automatically discover assets on your network. For more information about automatically discovering systems, see Discovering Unmanaged Assets in Your Environment. You can also periodically discover systems on your network by enabling the Automatic System scheduled task. When you enable this task, Secure Configuration Manager automatically discovers available assets on your network according to the schedule you set.

1.2.2 Agents

Agents are hosted on assets and manage endpoints such as computers, devices, and applications. Secure Configuration Manager runs actions and reports on endpoints and groups of endpoints. For more information about endpoints, see Endpoints.

When you add an agent to the asset map, Secure Configuration Manager attempts to register the agent. Registration of an agent assigns a unique identifier to the agent. If an agent is not registered, Secure Configuration Manager cannot communicate with the agent, preventing the product from collecting security information from the managed endpoints. If you add an agent, but the agent is not registered at that time, you can manually register the agent later. The agent could fail registration when you add it to the asset map for several reasons:

  • The network link to the agent is down.

  • A firewall exists between the agent and Core Services.

  • The agent is not running.

  • The agent is using a different port than what is configured in Secure Configuration Manager.

  • The agent requires a communication protocol that is not enabled in Secure Configuration Manager. For more information, see Registering an Agent Manually.
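The following added example (not part of the product documentation or the product itself) narrows down the causes above by making one TCP connection to the agent from the Core Services computer. The mapping from connect outcome to cause is a heuristic assumed for this example, and the host and port are supplied by you; no product default port is assumed.

```python
import errno
import socket
import sys

# Heuristic mapping (an assumption of this example) from the outcome of a TCP
# connect to the registration-failure causes in the list above.
CAUSES = {
    "connected": ["communication protocol not enabled in Secure Configuration Manager"],
    "refused": ["agent is not running", "agent is using a different port"],
    "timeout": ["firewall between the agent and Core Services",
                "network link to the agent is down"],
    "unreachable": ["network link to the agent is down"],
    "other": [],  # e.g. the host name does not resolve; not covered by the list
}

def classify(exc):
    """Map the exception from a connect attempt (None = success) to an outcome key."""
    if exc is None:
        return "connected"
    if isinstance(exc, socket.gaierror):
        return "other"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"      # packets silently dropped or no route back
    if isinstance(exc, ConnectionRefusedError):
        return "refused"      # host answered, nothing listening on that port
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "other"

def probe(host, port, timeout=5.0):
    """Try one TCP connection and return (outcome, likely causes to check)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            exc = None
    except OSError as e:
        exc = e
    outcome = classify(exc)
    return outcome, CAUSES[outcome]

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <agent-host> <agent-port>")
    outcome, causes = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {outcome}")
    for cause in causes:
        print("  check:", cause)
```

A "connected" result only shows that something accepts connections on that port; it does not confirm that the listener is the agent.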

Any Windows agent can be assigned as a Deployment Agent by modifying the settings in the Agent Component Properties window. To see which agents are Deployment Agents, expand IT Assets > Agents in the Windows console, then view the agents listed in the content pane. For more information about deployment, see Deploying Windows Agents to the Managed Assets.

When you are no longer using an agent, you should unregister the agent from Core Services and delete the agent from the asset map. If you no longer monitor a system’s security, you can delete the managed system, which removes all endpoints and agents on that system from the asset map. For more information about deleting and unregistering managed assets, endpoints, and agents, see Removing Managed Assets.

1.2.3 Endpoints

Secure Configuration Manager analyzes security risks and ensures policy compliance for your endpoints. An endpoint represents an agent-monitored operating system, application, web server, network device, or database instance. Endpoints are categorized into groups in the asset map according to the endpoint type, such as SQL Server 2012 or Windows. Each endpoint is mapped to one agent.

When you want to manage a specific computer, add that computer as an endpoint in the asset map. A computer can be a physical computer on a network that runs an operating system and hosts applications or databases. An asset can have multiple endpoints.

Any time you are no longer managing or using an endpoint, you can delete that endpoint. You can also delete the managed asset, which removes all endpoints and agents on that system from the asset map.

1.2.4 Groups

Groups contain collections of endpoints and other groups. By default, when you add an endpoint to the asset map, Secure Configuration Manager groups that endpoint by its platform. In Secure Configuration Manager, a platform refers to the endpoint type, such as Windows, UNIX, or SQL Server 2012. These built-in groups help you start to categorize your endpoints and cannot be modified. Secure Configuration Manager displays only the built-in groups that correspond with the agent and operating system types within your asset map.

You can create your own managed groups under the My Groups tree in the console to facilitate management of your environment. The console nests these user-defined groups, which means you can have groups within groups.

Ensure that you assign all endpoints to a managed group. Secure Configuration Manager uses your managed groups for several data views. The Secure Configuration Manager Dashboard also displays policy template results according to your managed groups. For more information about the Asset Compliance View, see Using the Asset Compliance View for Evaluation. For more information about the Secure Configuration Manager Dashboard, see Using the Secure Configuration Manager Dashboard for Evaluation.
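The following added example (not product code) audits an inventory for the two gaps this section describes: endpoints that belong to no user-defined group, and endpoints whose agent is not registered and therefore cannot be collected from. The dictionary layout and all names in it are constructed for the example and are not a Secure Configuration Manager export format.

```python
# Constructed inventory; the layout is an assumption of this example.
AGENTS = {"agent-a": True, "agent-b": False}      # agent -> registered?
ENDPOINTS = {                                      # endpoint -> its one agent
    "web01/Windows": "agent-a",
    "web01/SQL Server 2012": "agent-a",
    "db02/UNIX": "agent-b",
    "lab03/Windows": "agent-a",
}
MY_GROUPS = {                                      # user-defined groups, nested
    "Production": {"endpoints": ["web01/Windows"], "groups": ["Databases"]},
    "Databases": {"endpoints": ["web01/SQL Server 2012", "db02/UNIX"], "groups": []},
}

def members(group, groups, seen=None):
    """Return every endpoint in a group, following groups within groups."""
    seen = set() if seen is None else seen
    if group in seen or group not in groups:
        return set()           # already visited (cycle guard) or unknown group
    seen.add(group)
    found = set(groups[group]["endpoints"])
    for child in groups[group]["groups"]:
        found |= members(child, groups, seen)
    return found

def audit(endpoints, agents, groups):
    """Report endpoints outside every managed group or behind an unregistered agent."""
    covered = set()
    for name in groups:
        covered |= members(name, groups)
    return {
        "unassigned": sorted(set(endpoints) - covered),
        "no_collection": sorted(
            e for e, agent in endpoints.items() if not agents.get(agent, False)
        ),
    }

if __name__ == "__main__":
    for finding, names in audit(ENDPOINTS, AGENTS, MY_GROUPS).items():
        print(finding, names)
```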

When your IT infrastructure changes, you can change or delete existing user-defined groups, and remove endpoints from those groups and add them to other groups.