Marcos

Future changes to ESET Security Management Center / ESET Remote Administrator


@fchelp Thanks for reporting. Deletion of multiple triggers was added to backlog, and option to reuse trigger (have trigger templates) was there, so I have linked it to your comment.

One note to the "reuse the same ASAP trigger" = ASAP does not equal "run now". It equals "run upon next connection of ERA agent, but not run, if the first connection is after a certain point (trigger expiration)". This will prevent us from using the same "ASAP".

Edited by MichalJ

2 hours ago, MichalJ said:

@fchelp Thanks for reporting. Deletion of multiple triggers was added to backlog, and option to reuse trigger (have trigger templates) was there, so I have linked it to your comment.

One note to the "reuse the same ASAP trigger" = ASAP does not equal "run now". It equals "run upon next connection of ERA agent, but not run, if the first connection is after a certain point (trigger expiration)". This will prevent us from using the same "ASAP".

@MichalJ for adding my point to the backlog

About the ASAP, of course it's not run now, as the nodes first need to connect, it's just the best equivalent to run now, and about the expiration date, valid point, just a different idea how about deleting triggers after the expiration time?


Description: ERA Accessible without internet access.

Detail: Would like to ensure that the newest versions of ERA will still allow a locally installed product that would not become unusable if internet access were lost. If our internet provider were having issues I would still like to be able to manage ESET products within our local network, receive threat notices, manage connected devices, etc.

 


@jdashn Hello, I do not understand the issue you are talking about. ERA does not explicitly need internet to work, if all of the clients are available within the local network. However, there are some specific things you need to take care of:

  1. You need to add licenses via offline file (if even ERA does not have internet access)
  2. You need to create an update mirror, using the mirror tool, and let ERA, ERA components, and all security products update via this update mirror
  3. If ESET Security products are offline, important components like ESET Live Grid will not work properly, as they need internet to work. 

Recommended approach is to tunnel internet access for ERA, and for all connected security products, by means of an HTTP Proxy, which will forward the communication with all ESET cloud services (update servers, repository, licensing servers, Live Grid), and cache the communication (installers, update files) for all components that will communicate via the HTTP Proxy (ERA server, ERA agents + other ERA components, & security products).

We will soon release ESET Cloud Administrator, which will be fully cloud based version of our console, as of now limited for customers with up to 250 seats, and that will require internet access for all of the clients, as the management itself will be placed in Cloud. But for the local ERA, the things will remain the way they are now. Is this answer sufficient?


@MichalJ

I had thought I had seen a post stating that the next version of ERA was planned to be fully cloud based. This will not work for our org. due to the issues I had mentioned, as long as ESET does not plan on ONLY offering ERA in the cloud then we've got no concerns.

 

Thanks!

 

Jdashn


@jdashn I can assure you that there will always be an on-premise version of our management console. ESET is a European company (actually number 1 in EU), and us from Product Management do travel / talk with customers worldwide a lot by conducting a direct, face to face customer research. Among the talks, one of the requirements we often face, & current "feature" that our customers explicitly like is the fact that our solution is available also on-premise (for various compliance / privacy regulations).

You are right, that there is a cloud based version coming (soon), initially for the SMB customers, but we have in the pipeline also enterprise version. But on-premise variant will always remain a valid option for us, as we do value the voice of our customers.


Description: 
Trigger tasks based on a defined activity time frame

Details:
Maybe it would be useful to have a possibility to create tasks for a group of computers which were active in a specified time frame. For example "if they were not active during the last two weeks" or "if they are active at the moment".

 

Description: 
Delete the duplicated computers automatically 

Details:
Day by day I find "duplicated" computers on the system. I created a report to find these computers (Group by: Computer name and Count: Computer), then from time to time I delete the older entries. It is a bit confusing.

 

Description:
Make a task chain

Details:
It would be wonderful to have a new possibility to make a task chain. For example:

Task 1: Update the EES
Task 2: Trigger a pop-up window on the affected client (Please restart your computer or Your computer will restart in 60 minutes) 
Task 3: Wait 60 minutes
Task 4: Restart the client

  

Edited by Zoltan Endresz


@Zoltan Endresz Thank you for your feedback. Points 1 & 3 are in the backlog, and we are working on a new "orchestration" framework, which should enhance the server side automation. It should enable "task chaining", and also more sophisticated triggering options based on tagging and IFTTT (If This Then That) principle. We anticipate this functionality to be introduced in future evolution of V7.

Concerning the point 2, in the upcoming version 7, we are greatly enhancing the system to detect cloning / re-imaging of machines, which should prevent creation of duplicates. Also, you can automatically remove them, by the means of "delete not connecting computers" task (if all of your other clients are connecting regularly).

Edited by MichalJ


Description: Set default trigger to expire in a day
Details: Currently when creating a new trigger the default is to expire the same time the trigger is created, so basically the trigger will never run unless manually changed, please change this to either force us to put in an expiration time, or change the default expiration to at least a day later.

 

Thanks

1 minute ago, MichalJ said:

@fchelp Default trigger expiration is set for "one month" , not one day. I have attempted to create a new trigger now, and it sets expiration day for 19th February 2018.


Oh you're right, I didn't notice that it's a month later, I was only looking at the day and time, thanks!


Description: IdP provider (like Okta, OneLogin, etc..) or SCIM support for user synchronisation

Detail: Modern, big companies don't necessarily have classic AD and/or LDAP servers anymore. They are using Google Suite, different IdP providers, etc... to manage their users. It would be nice to see support for these systems, either individually, or through SCIM, which is supported by almost every one of them (including Google).

-----------

Description: SaaS ERA service from ESET for larger companies (more than 300 users)

Detail: It would be nice to see a SaaS ERA solution from ESET for companies with more than 300 users, since lots of companies live in the cloud now, and they don't want to run their own servers.

-----------

Description: Agent installer that installs the latest version by default

Detail: I think there should be an option to create an installer that would always install the latest version of the agent. I know you can modify the bash script, but still... Especially now since it even checks the checksum of the file.

------------

Description: Agent installer that is not a bash script / bat file

Detail: It's really hard for some users to run bash scripts or bat files (it's a big point of failure at install even with a step by step guide) as administrator, so it would be nice to see a way to generate an actual installer that would elevate itself to the necessary rights, and take care of everything.

------------

Description: More detailed task status

Detail: It would be nice to see why a certain task has failed, or what's the actual status of it in a more detailed way, etc...

------------

Description: More advanced/combined reporting 

Detail: It's really hard to get nice reports out of the interface with all the details that are otherwise there on the computer details page. It would be a good thing to have a more advanced reporting system

------------

Description: Dynamic group reevaluation trigger on server side

Detail: After modifying a dynamic group, you have to wait until the client connects again for the computer to get into that group. It would be nice to have a button that would reevaluate the computers if the rule is based on something that is already known by the server, like the installed agent version, etc...

------------

Description: Failure reporting system

Detail: With High Sierra, ESET gets blocked a lot, but there are other reasons as well when the installation fails or when the endpoint is not running. It's really hard to see these cases from the console, even though the endpoint detects it, and informs the user. It would be nice to have an interface that would show us the problematic computers, why the endpoint is not deploying/running as it should, etc...

 


@SysEPr Thank you for your feedback. Here are my comments & couple of questions, to get better understanding:

Description: IdP provider (like Okta, OneLogin, etc..) or SCIM support for user synchronization

  • We will add this into the feature backlog

Description: SaaS ERA service from ESET for larger companies (more than 300 users)

  • This is something that is already in the process. I can't comment on the availability, but it is among our top priorities

Description: Agent installer that installs the latest version by default

  • As of now, we are not able to do this due to legal restrictions (you pre-accept EULA upon generating, however each version can have adjustments in EULA). So legal department is against it. But improvement itself is being tracked. PS: do you mean agent = management agent, or the actual security product (ESET Endpoint Security) ?

Description: Agent installer that is not a bash script / bat file

  • In the next version, it will be possible to generate installer that will include only the management agent (.exe).

Description: More detailed task status

  • There are couple of improvements for this in the upcoming version, primarily for the software installation task (as this one is the most problematic). What are the other tasks, you would like to get more granular reporting for?

Description: More advanced/combined reporting 

  • Reporting framework, although powerful, has some limitations set by the DB scheme. What kind of information you want to get in particular? There are many improvements in this, but if you will be more specific, we can focus on them

Description: Dynamic group reevaluation trigger on server side

  • This is a bit more complex than it looks. DGs are evaluated on agent, and then agent needs to report back to server, about if it is a member of a DG. So DG is not really a „filter“, it's more like „condition template“ that is being evaluated locally, and being acted upon (regardless of the connection to the server). We are working on the new „orchestration“ framework, that will bring asset tagging, and server side automation, and it's possible that will bring a solution to this use-case of yours.

Description: Failure reporting system

  • We have this item in the feature backlog, planned for the future versions. Not for the V7 (although some changes were made), but for versions after V7.
Edited by MichalJ


Thank you for the fast response!

8 hours ago, MichalJ said:

do you mean agent = management agent, or the actual security product (ESET Endpoint Security)

I meant the ESET Remote Administrator Agent, because that's the one that the user has to install. We can make sure by manually changing the tasks that always the latest security product (endpoint) is deployed. It would be nice to always have the latest security product installed, and some auto update feature, but I can see why it's not there (although, it could be an option).

8 hours ago, MichalJ said:

In the next version, it will be possible to generate installer that will include only the management agent (.exe).

Will it include the certificate, server ip, etc... as well embedded?

8 hours ago, MichalJ said:

What are the other tasks, you would like to get more granular reporting for?

That is the main one that we are having issues without any explanation.

8 hours ago, MichalJ said:

What kind of information you want to get in particular?

I would like to generate a report with the static group, mac address, serial number, manufacturer, model, computer name, computer description and the assigned user for example. It's probably something that involves multiple data sources on the server side, but it would be a more meaningful/usable report to combine different sources.


Description: 
Improved Dynamic Group Templates possibilities 

Details:
It would be useful to have a "but not" option during the Dynamic Group Template creation. For example: "Security risk" but not "A computer restart is required" and not "Virus signature database is out of date".

Another solution would be a radio button field to choose the interesting and unnecessary warning/error messages.

For better understanding, I see a lot of "red" computers in my console because of the reasons above, but most of them are inactive for a couple of weeks. These clients will turn to "green" state shortly when they connect to the network again. With the improved dynamic group options I would be able to define a group to check the really interesting issues.

 



 

Description: Improvement / Features for "Web Control" menu
Detail: The field "Blocked webpage message" should accept advanced HTML tags; after all, there are many businesses which control internet navigation within this tool. Besides that, URL categorization works extremely poorly in other languages than English.

1 hour ago, raigorodski said:

Besides that, URL categorization works extremely poorly in other languages than English.

Please create a new topic for this issue and clarify what you mean. Also provide a handful of examples of urls that you encountered some classification issues with.


Description: Static group cloning

Detail:  Allow for a static group to be cloned, to duplicate the contained static/dynamic group structure but not duplicating the agents assigned to the original group.  This would make setup for an MSP much easier.  Setting up a static group for each of our clients, then dynamic groups in each to separate workstations/servers was a huge pain in the butt.

Description: Dynamic template operations for public IP

Detail:  Unless I'm completely missing it, I don't think there's a way to make a dynamic group filtering for a specific external IP as you could with ESET 5's console.  This is also useful for MSP setup when sorting out workstation machines that don't have a unique workgroup name.

Edited by Jboring


Description: List devices without assigned users

Detail:  Currently, I think there is no way to list the devices without assigned users. You can only see the other way around (users without assigned devices).


@Jboring

First thing is already in the backlog, with target release date in version 7.1

Second thing was requested a couple of times, but it's not easily achievable due to the way how DG membership is evaluated (on the agent side). We have however a backlog item in place for it, but as I have mentioned, currently there is no target version for it.

On 1/24/2018 at 9:05 PM, SysEPr said:

Thank you for the fast response!

I meant the ESET Remote Administrator Agent, because that's the one that the user has to install. We can make sure by manually changing the tasks that always the latest security product (endpoint) is deployed. It would be nice to always have the latest security product installed, and some auto update feature, but I can see why it's not there (although, it could be an option).

 


Currently, the installation packages are referring to the particular version. However, in the upcoming version 7, you will be able to apply a policy that will automatically update all agents to match the server version. I will track improvement for this.

On 1/24/2018 at 9:05 PM, SysEPr said:

Will it include the certificate, server ip, etc... as well embedded?

Yes, it will include all of those components.

On 1/24/2018 at 9:05 PM, SysEPr said:

That is the main one that we are having issues without any explanation.

I truly believe that this will be improved in the upcoming version.

On 1/24/2018 at 9:05 PM, SysEPr said:

I would like to generate a report with the static group, mac address, serial number, manufacturer, model, computer name, computer description and the assigned user for example. It's probably something that involves multiple data sources on the server side, but it would be a more meaningful/usable report to combine different sources.

It will be improved a bit in the upcoming version. I will track improvement for the additional "symbols" (Mac Address / Assigned User).


For the list of devices without assigned users, I have created a backlog improvement.

Edited by MichalJ


Description: More advanced search function

Detail: It would be nice if we were able to search other parameters as well, like serial number, or MAC address

-----------

Description: Assign computers from usermanagement

Detail: I think there should be a feature where I can assign or remove multiple computers from a user's details page - right now you can only do it from the computer's details page

-----------

Description: Jump to computer from usermanagement

Detail: I think it would be nice if I could easily jump from a user's details page to the computer's details page easily, and I wouldn't have to look it up separately.


@SysEPr

  • Advanced search is planned for the future version. We are continuously improving the "search via filters", but that's not a generic search bar you might have in mind.
  • Assign computers from user management  - This is coming in V7
  • Jump to computer from user management - This is coming in V7

35 minutes ago, MichalJ said:

Advanced search is planned for the future version. We are continuously improving the "search via filters", but that's not a generic search bar you might have in mind.

Yeah, I was thinking of the search box on the right top, it would be nice if it had more options, like MAC or SN, so it would be easier to find computers based on already known / usually fixed parameters.
