Device Group Setup

Create Device Groups to group devices that share common access methods and functionality.
Although any device can be a member of a device group, group functionally similar devices together. Before you can add a device to a group, you must first configure a device with Password Management as its device type.
When using device groups, the action deny takes precedence, unless otherwise specified. The service is available at the group level only if it is available at the device level. The most restrictive policy is used when a conflict arises.
The following topics apply to device groups:
Credential Sources for Device Groups
A credential source is a particular target device or set of devices that stores user credentials. An Active Directory Server is an example of a credential source. If you specify a credential source for a device group, PAM can find the credentials that are applicable to devices in that device group. PAM uses these credentials to enable a user to log in to any device in the group.
Using Multiple Credential Sources
You can assign more than one credential source for a particular device group. If you configure multiple credential sources, PAM gathers all available credentials from all sources. The appliance then creates a combined list of target accounts for a specific set of users or many users and applications.
A device group does not have to include the credential source device. If you exclude the credential source from the group, you can avoid creating a policy that provides direct access to the credential source. Instead, the group contains only the devices that rely on the credential source for authentication.
Credentials from any target account that is associated with any credential source can be used to access any device group member.
Using Credential Sources in a Policy
When you configure a policy for a device group, all accounts from the multiple credential sources are available for selection. When a user initiates a connection, these administrator-selected options are presented so that the user can select one. You can use all access methods and services that are configured for the devices in a device group with one or more credential sources.
Add or Modify a Device Group
  1. On the Devices, Manage Device Groups page, select Add. The Add Device Group window opens.
  2. Enter a Name and Description for the group. Double-byte characters are supported.
  3. Leave the default Provision Type (Local) for all device groups unless you are setting up the group for AWS or Server Control Utility Appliances.
    • For AWS, select the AWS Provision Type. AWS groups are actually determined by settings on the Configuration, 3rd Party, AWS page. AWS device groups act as a container for devices that are created as a result of importing AWS devices. Each device should have a tag Key of "PamGroups" and a Value of "[PAM Group Name]". Following import, the group cannot be deleted unless the AWS configuration is cleared from Configuration, 3rd Party, AWS or the group becomes empty. The group is updated according to the schedule in the AWS Configuration.
    • For Server Control Utility Appliances, select the Utility Group provision type. For more information, see Add Utility Appliance Devices to Utility Groups.
  4. Optionally, select one or more Credential Sources from the available device list.
  5. Optionally apply tags on the Tags tab, if available.
  6. On the Access Methods and Services (to Access Type members) tabs, select Access Methods and Services to enable them for group members.
  7. On the Enable tab, you can:
    • Provide Credentials for 'Always Prompt For Password': If a Windows device has this setting, you can automatically provide obfuscated credentials. See Enable a Password Push for RDP Password Enforcement for details.
    • Handle 'Legal Notice' on Logon Screen: Select this option to handle the "Legal Notice" during login. This option only works when Provide Credentials for 'Always Prompt for Password' is enabled.
  8. The Server Control tab only appears for PAM SC devices. This tab has two sections:
    • Policies Assigned: Contains the list of policies assigned on the device.
    • Policies Deployed: Contains the list of policies deployed on the device.
    When you assign a server control policy on the server control device, it takes some time for the server control device to get this deployment information. All the assigned (queued) policies appear in the assigned table. Once the server control device receives this deployment information, the policies appear in the Policies Deployed list.
  9. The UNAB tab only appears for UNAB devices. Use this tab to add a UNAB Configuration Token to a device group. See Add a UNAB Config Token to a Device Group for more information.
Create an AWS Device Group for Linux/UNIX Devices
In AWS, Linux and UNIX instances use AWS Key Pairs. If all instances in a planned Device Group use the same key pair, group policy can be provisioned to use that key pair for auto-connection.
  1. Create an AWS Type Device Group.
  2. Assign AWS instance imported Devices to it, all of which use the same key pair.
  3. Create a policy with that Device Group.
  4. From the SSH applet credential pop-up box, select the key pair that is held in common.
This key pair is used for auto-connection for any Device in the group.
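A pre-import check for the two AWS requirements above (the "PamGroups" tag and one shared key pair per group), as an added example that is not part of the product or its documentation. It assumes JSON in the shape of `aws ec2 describe-instances` output, that each tag Value holds a single group name, and that the tag Key must match exactly; the instance IDs, key names and group names are constructed.

```python
import json
from collections import defaultdict

TAG_KEY = "PamGroups"  # tag Key named on this page; AWS tag keys are case-sensitive

# Constructed sample in the shape of `aws ec2 describe-instances` JSON output.
SAMPLE = json.loads("""
{"Reservations": [
  {"Instances": [
    {"InstanceId": "i-0aaa", "KeyName": "ops-key", "Tags": [{"Key": "PamGroups", "Value": "Linux-Web"}]},
    {"InstanceId": "i-0bbb", "KeyName": "ops-key", "Tags": [{"Key": "PamGroups", "Value": "Linux-Web"}]},
    {"InstanceId": "i-0ccc", "KeyName": "db-key", "Tags": [{"Key": "PamGroups", "Value": "Linux-DB"}]},
    {"InstanceId": "i-0ddd", "KeyName": "legacy-key", "Tags": [{"Key": "PamGroups", "Value": "Linux-DB"}]}]},
  {"Instances": [
    {"InstanceId": "i-0eee", "KeyName": "ops-key", "Tags": [{"Key": "pamgroups", "Value": "Linux-Web"}]},
    {"InstanceId": "i-0fff", "KeyName": "ops-key"}]}
]}
""")

def audit(describe_output):
    """Return (groups, untagged, miscased, mixed_key_groups) for the instances given."""
    groups = defaultdict(dict)          # group name -> {instance id: key pair name}
    untagged, miscased = [], []
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            iid = inst["InstanceId"]
            value = tags.get(TAG_KEY, "").strip()
            if value:
                groups[value][iid] = inst.get("KeyName")
            elif TAG_KEY not in tags and any(k.lower() == TAG_KEY.lower() for k in tags):
                miscased.append(iid)    # e.g. "pamgroups": a different key to AWS
            else:
                untagged.append(iid)    # tag missing or empty
    # A group whose members use different key pairs cannot rely on one key pair
    # held in common for auto-connection (Linux/UNIX section above).
    mixed = {g: sorted({str(k) for k in m.values()})
             for g, m in groups.items() if len(set(m.values())) > 1}
    return dict(groups), untagged, miscased, mixed

if __name__ == "__main__":
    groups, untagged, miscased, mixed = audit(SAMPLE)
    print("groups:", {g: sorted(m) for g, m in groups.items()})
    print("missing tag:", untagged, "| wrong-case key:", miscased)
    print("groups with more than one key pair:", mixed)
```

Instances reported as missing the tag or as carrying a wrong-case key are the ones to review before relying on the imported groups in a policy.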
Edit a Device Group from the Manage Policies Page
An administrator can edit a Device Group record by invoking it directly from the Manage Policies page.
Follow these steps:
  1. Open the Policy, Manage Policies page.
  2. Populate the Device (Group) field with a record name.
  3. Double-click the name to display its editing template in a shadow box window.
  4. When finished, select Save (or Cancel) to return to the Manage Policies page.
For information about importing an LDAP Group, see Import LDAP Device Groups.
View the Utility Group Status
The Status button provides the specific status on the Utility Groups and the services running within that group. The Status button is available if you open a Device group whose Provision type is Utility Group, and you have permissions to view its status.
See View Utility Group Status for more information.