Device Group Setup

You can group devices that share common access methods and functionality. Although any device can be a member of a device group, group together functionally similar devices. Before you can add a device to a group, you must first configure a device with Password Management as its device type.
When using device groups, the action deny takes precedence, unless otherwise specified. The service is available at the group level only if it is available at the device level. The most restrictive policy is used when a conflict arises.
The following topics apply to device groups:
Credential Sources for Device Groups
A credential source is a particular target device or set of devices that stores user credentials. An Active Directory Server is an example of a credential source. If you specify a credential source for a device group, Symantec PAM can find the credentials that are applicable to devices in that device group. Symantec PAM uses these credentials to enable a user to log in to any device in the group.
Using Multiple Credential Sources
You can assign more than one credential source for a particular device group. If you configure multiple credential sources, Symantec PAM gathers all available credentials from all sources. The appliance then creates a combined list of target accounts for a specific set of users or many users and applications.
A device group does not have to include the credential source device. If you exclude the credential source from the group, you can avoid creating a policy that provides direct access to the credential source. Instead, the group contains only the devices that rely on the credential source for authentication.
Credentials from any target account that is associated with any credential source can be used to access any device group member.
Using Credential Sources in a Policy
When you configure a policy for a device group, all accounts from the multiple credential sources are available for selection. When a user initiates a connection, these administrator-selected options are presented so that the user can select one. You can use all access methods and services configured for the devices in a device group with one or more credential sources.
Add or Modify a Device Group
  1. On the Devices, Manage Device Groups page, select Add.
    The Add Device Group window opens.
  2. Enter a Name and Description for the group. Double-byte characters are supported.
  3. If you are using AWS, select the AWS Provision Type. AWS groups are determined by settings in Configuration, 3rd Party, AWS.
    For AWS, the Device Group acts as a container for Devices that are created as a result of an import of AWS devices. Each device should have a tag Key of "PamGroups" and a Value of "[Symantec PAM Group Name]". Following import, the group cannot be deleted unless the 3rd Party, AWS Configuration is cleared or the group becomes empty. The group is updated according to the schedule in the AWS Configuration.
  4. Optionally, select one or more Credential Sources from the available device list.
  5. Optionally apply tags on the Tags tab, if available.
  6. On the Access Methods and Services (to Access Type members) tab, select Access Methods and Services to enable them for group members.
  7. On the Enable tab, you can:
    •  Provide Credentials for 'Always Prompt For Password': If a Windows device has this setting, you can automatically provide obfuscated credentials. See Enable a Password Push for RDP Password Enforcement for details.
    •  Handle 'Legal Notice' on Logon Screen: Select this option to handle the "Legal Notice" during login. This option only works when Provide Credentials for 'Always Prompt for Password' is enabled.
Create an AWS Device Group for Linux/UNIX Devices
In AWS, Linux and UNIX instances use AWS Key Pairs. If all instances in a planned Device Group use the same key pair, group policy can be provisioned to use that key pair for auto-connection.
  1. Create an AWS Type Device Group.
  2. Assign AWS instance imported Devices to it, all of which use the same key pair.
  3. Create a policy with that Device Group.
  4. From the SSH applet credential pop-up box, select the key pair that is held in common.
This key pair is used for auto-connection for any Device in the group.
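A pre-import check for the tagging and key pair requirements above, as an added example (not Symantec's code): it reads `aws ec2 describe-instances` JSON and reports instances without a PamGroups tag, tag values that match no device group, and groups whose members use different key pairs. The sample data and the group names are constructed, and treating the tag value as a single, exactly matched group name is an assumption.

```python
import json
from collections import defaultdict

TAG_KEY = "PamGroups"  # tag key named on this page

# Constructed sample shaped like `aws ec2 describe-instances` JSON output.
SAMPLE = json.loads("""
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0aaa", "KeyName": "ops-linux",
   "Tags": [{"Key": "PamGroups", "Value": "Linux-Prod"}]},
  {"InstanceId": "i-0bbb", "KeyName": "ops-linux",
   "Tags": [{"Key": "PamGroups", "Value": "Linux-Prod"}]},
  {"InstanceId": "i-0ccc", "KeyName": "legacy-key",
   "Tags": [{"Key": "PamGroups", "Value": "Linux-Prod"}]},
  {"InstanceId": "i-0ddd", "KeyName": "ops-linux",
   "Tags": [{"Key": "Name", "Value": "build-01"}]},
  {"InstanceId": "i-0eee", "KeyName": "ops-linux",
   "Tags": [{"Key": "PamGroups", "Value": "Linux-Staging"}]}
]}]}
""")

def audit(described, known_groups):
    """Return (findings, key_pairs); findings is a list of (subject, issue)."""
    findings, key_pairs = [], defaultdict(set)
    for reservation in described.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            group = tags.get(TAG_KEY)  # exact match: AWS tag keys are case-sensitive
            if group is None:
                findings.append((inst["InstanceId"], "missing-tag"))
            elif group not in known_groups:  # assumption: value is one group name
                findings.append((inst["InstanceId"], "unknown-group"))
            else:
                # KeyName is absent when an instance was launched without a key pair
                key_pairs[group].add(inst.get("KeyName", "<none>"))
    for group, keys in sorted(key_pairs.items()):
        if len(keys) > 1:  # the auto-connection setup relies on one shared key pair
            findings.append((group, "mixed-key-pairs"))
    return findings, {g: sorted(k) for g, k in key_pairs.items()}

if __name__ == "__main__":
    # Assumed device group names; replace with the groups defined on the appliance.
    issues, pairs = audit(SAMPLE, known_groups={"Linux-Prod", "Linux-Dev"})
    for subject, issue in issues:
        print(f"{subject}: {issue}")
    print(pairs)
```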
Edit a Device Group from the Manage Policies Page
An administrator can edit a Device Group record by invoking it directly from the Manage Policies page.
  1. Open the Policy, Manage Policies page.
  2. Populate the Device (Group) field with a record name.
  3. Double-click the name to display its editing template in a shadow box window.
  4. When finished, select Save (or Cancel) to return to the Manage Policies page.
For information about importing an LDAP Group, see Import LDAP Device Groups.