Managing your Blumira Agent devices

Overview

Devices running Blumira Agent send logs of remote activity on Windows, Mac, and Linux devices to Blumira for endpoint detection and response (EDR). With Blumira Agent, Blumira's security operations platform receives event logs directly from the device and enables you to act on threats directly from the app, including temporarily isolating a suspicious or vulnerable host while you investigate and determine the next steps.

Reference: To learn how to configure Blumira Agent, see Installing Blumira Agent on remote devices. For information about Blumira Agent response actions, see Using Blumira Agent Threat Response.

After installing Blumira Agent on your devices, the agent will continue to collect logs from each device until you remove it. Devices that are offline also continue to run the agent and backlog data as long as they are not shut down.


Viewing agent device details

To view information about a device that is running the Blumira Agent, do the following:

  1. In the app, navigate to Blumira Agent > Devices.
  2. (Optional) Use the quick filters or search at the top of the page to narrow the table results to a specific device.
  3. In the devices table, review the list of devices and the information shown, including the following:
    • Device hostname
    • Agent online/offline status
    • Platform type
    • Host isolation status
    • Exclusion from Automated Host Isolation
    • Domain controller designation
    • Last modified (the time of the last online/offline status change or isolation change)
    • Device installation key name
    • Last seen timeframe
    • Auto-delete enabled or disabled
  4. Click a device row and then Device details to open the "Device details" window, which includes additional information such as IP address, MAC address, and date first seen.

From the "Device details" window, you can do the following:

  • View the device’s logs in Report Builder, defaulting to the last 7 days of logs.
  • Go to a list of unresolved findings triggered by activity collected from the device.
  • Isolate the device and see a history of all isolation events for the device in the "Activity log" tab.
  • Check the last time the device was online, isolated, or un-isolated.
  • Delete the agent service and stop running Blumira Agent on the endpoint.
  • View a list of devices that the agent failed to install on if you used a script to mass install.
  • Add a description to identify, tag, or reference specific information related to the device for your team.

Note: The description added to a device's details does not appear on the Devices table for sorting or filtering.

Designating a domain controller

You can designate a host as a domain controller in the Blumira Agent “Device details” window. This is important if you use Blumira Threat Response on your endpoints. A domain controller is required to use the “Disable AD User” response action and for the “Disable User & Revoke Sessions” response action to extend to on-premises (i.e., Active Directory) users.

Caution: Failing to designate a domain controller can result in response actions being taken on a domain controller, disabling the entire domain.

To designate a domain controller, do the following:

  1. In the app, navigate to Blumira Agent > Devices.
  2. Click the device’s row, and then click Device details.
  3. In the Device details window, under Configuration, select the check box next to Designate device as a domain controller.
  4. Click Save changes.

Managing and monitoring agent limits

If you decide to install Blumira Agent on many devices at once using an automation tool, it is important to avoid installing the agent on more devices than the account is licensed to use. Blumira connects only to the number of agents licensed for the account at the time of deployment.

Caution: Using an installation key that is already at its maximum deployable limit will not lead to an error. Instead, the agent will install on your device, but it will not be able to connect to Blumira to send logs for detection. Installing Blumira Agent on a device that never connects to the app requires additional steps to remove it from the device. See Uninstalling the Blumira Agent service from a device that failed connection.

Two values in the app represent the Blumira Agent limits, which are as follows:

  • Maximum Deployable Agents: This is the total number of agent devices that Blumira can connect to, and it directly relates to the licensing terms for your account. It is a sum of the agents allocated per user (if included in your license) plus any additional agents purchased.
  • Installation Key Device Limit: This is the total number of agent devices that can be deployed using a specific installation key.
    • This value can be managed in the "Installation key details" window.
    • If only one installation key exists in the account, the key limit must be kept equal to the Maximum Deployable Agents value. 
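
Because an over-limit key installs without error, a scripted rollout can be checked against both limits before it runs. The following is an added example, not Blumira code: the counts are assumed to be read by hand from the Installation page and the "Installation key details" window, and the names `InstallKey` and `preflight` are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class InstallKey:
    name: str
    device_limit: int  # Installation Key Device Limit for this key
    deployed: int      # devices already deployed with this key
    planned: int = 0   # hosts the rollout script will target with this key


def preflight(max_deployable, keys):
    """Return a list of problems; an empty list means the rollout fits."""
    problems = []
    # Single-key accounts: the key limit must equal Maximum Deployable Agents.
    if len(keys) == 1 and keys[0].device_limit != max_deployable:
        problems.append(f"{keys[0].name}: only key in account, limit "
                        f"{keys[0].device_limit} != maximum {max_deployable}")
    # Per-key check: hosts past the key limit install but never connect.
    for k in keys:
        over = k.deployed + k.planned - k.device_limit
        if over > 0:
            problems.append(f"{k.name}: {over} host(s) would install but "
                            f"never connect (key limit {k.device_limit})")
    # Account-wide check against the licensed maximum.
    total = sum(k.deployed + k.planned for k in keys)
    if total > max_deployable:
        problems.append(f"account: {total - max_deployable} agent(s) over "
                        f"Maximum Deployable Agents ({max_deployable})")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real account.
    rollout = [InstallKey("hq-laptops", 50, 48, planned=5),
               InstallKey("servers", 20, 10, planned=5)]
    for line in preflight(75, rollout) or ["rollout fits within limits"]:
        print(line)
```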

Verifying usage versus the limit

Administrators can verify in the app how agent deployment for an account compares to its agent limit. 

On the Blumira Agent Installation page, informational cards display the maximum number of allowed devices next to the number currently deployed. On the Devices page (Blumira Agent > Devices), you can view which specific devices have successfully connected to Blumira.

Managing an installation key limit

When creating a new key from the Installation page, you are prompted to type a limit for that key. You can edit the value on the installation key detail screen.

When an installation key's device limit is reached:

  • The installation script and installation key fields are disabled and can no longer be copied.
  • If a key is at its limit and the key has become disabled, tooltips appear to describe why that key is currently not available to view or use.

Monitoring for errors and enabling notifications

When an agent fails to check in to Blumira after an installation attempt, Blumira sends an email notification to alert users to the failure. See how to enable and configure user notification settings in About user notifications. Similarly, you can enable log failure notifications per agent on the Device details window to receive an email if the agent stops sending logs for more than four hours. Log failure notifications require that users also have personal user notifications enabled.

Important: Ensure that an administrator in your organization monitors agent installations that have exceeded your limit and failed to complete installation and connect to Blumira. The endpoints that failed to install are not logging and have no detection coverage.

If you have received a notification that your account exceeded the deployable limit, you have these options for resolution: 

  • Increase your User count.
  • Fix the limit of the installation key used by the script.
  • Remove agents you do not need.

Tip: To see which devices have not been online recently and determine which agents may be deleted, you can run the global report "Blumira Logging - Device Address and Name - Last Seen".

Agents will automatically connect to Blumira when the deployable limit is greater than the number of devices installed. On the Devices page, you can see a full list and count of the endpoints that have the agent installed but cannot connect because they are over the limit.

 

Deleting agents

Required: You must be a Blumira Administrator or Manager to edit or remove agent devices.

When an agent device is inactive for a long period of time or you no longer need to receive logs from the endpoint, you can remove the agent via the Blumira app. How you remove Blumira Agent depends on whether you want to remove it from an individual device or an entire group of devices.

Automatically deleting inactive agents

When enabled, Blumira can automatically delete inactive agents that exceed an expiration threshold, which is configurable per installation key used to deploy the agent to your endpoints. You can set the number of days you will allow devices in a group to be inactive, showing an "Offline" status. The time a device was last seen determines the date on which Blumira will automatically delete that agent device from your account.

Note: After removing an offline agent, the agent device will not automatically re-enroll with Blumira if someone begins to use the endpoint again. The agent must be re-installed on the device by first following the steps in Uninstalling Blumira Agent from a device that is not connected and then beginning a new installation on the device.

Caution: If you enable the auto-deletion feature, you will not receive a reminder notification about upcoming deletions. Ensure the expiration days value is set to a long enough time period that you are certain a device should be deprovisioned and deleted if it has not come back online.

To enable automated deletion of inactive agents, do the following:

  1. Navigate to Blumira Agent > Installation.
  2. Open the Installation key details window by doing one of the following under the "Installation Keys" section:
    • If you need to add a new key, click Add installation key.
    • If you need to enable auto-deletion for an existing key, click the row of the installation key you want to configure, then click Installation key details.
  3. Click the check box next to Automatically delete agents after they've been idle the number of days specified below.
  4. In the Days until auto-delete box, type the number of days an agent device must be inactive before it qualifies for deletion.
  5. Click Save changes.
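
Since auto-deletion sends no reminder, upcoming deletions can be forecast from last-seen times. The following is an added example, not Blumira code: the device rows and per-key settings are constructed, the function name is hypothetical, and it assumes an offline agent qualifies for deletion once its last-seen time plus the key's "Days until auto-delete" value has passed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows: (hostname, installation key name, status, last seen UTC)
DEVICES = [
    ("fin-lt-014", "laptops", "Offline", "2025-03-01T09:15:00+00:00"),
    ("hr-ws-002", "laptops", "Online", "2025-04-20T14:02:00+00:00"),
    ("lab-srv-07", "servers", "Offline", "2025-04-01T00:00:00+00:00"),
    ("kiosk-03", "kiosks", "Offline", "2025-01-10T08:00:00+00:00"),
]
# Days until auto-delete per key; None means auto-delete is disabled for the key.
KEY_EXPIRY_DAYS = {"laptops": 60, "servers": 30, "kiosks": None}


def upcoming_deletions(devices, key_days, now, warn_days=14):
    """Return offline devices whose deletion date falls within warn_days of now."""
    horizon = now + timedelta(days=warn_days)
    due = []
    for host, key, status, last_seen in devices:
        days = key_days.get(key)
        if status != "Offline" or days is None:
            continue  # online devices and keys without auto-delete are never due
        delete_on = datetime.fromisoformat(last_seen) + timedelta(days=days)
        if delete_on <= horizon:
            days_left = max((delete_on - now).days, 0)  # 0 = already qualifies
            due.append((host, key, delete_on, days_left))
    return sorted(due, key=lambda row: row[2])  # soonest deletion first


if __name__ == "__main__":
    today = datetime(2025, 4, 22, tzinfo=timezone.utc)
    for host, key, when, left in upcoming_deletions(DEVICES, KEY_EXPIRY_DAYS, today):
        print(f"{host} (key {key}): deletion on {when:%Y-%m-%d}, {left} day(s) left")
```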

Manually deleting an agent

To manually remove Blumira Agent for a specific device, do the following:

  1. Navigate to Blumira Agent > Devices.
  2. Click the row of the device that you want to remove.
  3. In the actions menu, click Delete agent.
  4. In the confirmation window, click Remove this device.