Endpoint Management enables you to create a device object in the zone before the device is actually registered with the zone. This lets you preconfigure all the variables and other configuration for a given device before booting the device.
You can create dummy device objects and register them in the Management Zone by importing their information from a comma-separated value (CSV) file. This creates managed workstation device objects in the database. Later, when the endpoint agent is deployed to these devices, the Endpoint Management Reconcile settings (hostname, serial number, and MAC address) are used to reconcile the new endpoint agent to the device object that has already been registered in the database. This helps you to avoid the possibility of duplicates in the database during the registration of the devices in the Management Zone.
You can reconcile a new device that is being registered to an existing device object with its own bundles and policies. Reconciliation occurs only if the GUID of the new device that is getting registered does not match the GUID of the existing device object. Reconciliation does not occur with every refresh or registration call.
NOTE: By default, Serial Number and MAC Address are selected with differentiation enabled. If you have enabled the AllowNonActiveNIC registry key, then the device can be reconciled with the MAC address of the non-active adapters.
For more information on AllowNonActiveNIC, see Endpoint Management Registry Keys Reference.
1. In Endpoint Management Console, click the Configuration tab.
2. In the Management Zone Settings panel, click Device Management, then click Registration to display the Registration page.
3. Indicate the device attributes that are used in reconciliation.
   You can choose to reconcile the new devices with the existing device objects by using one or more of the following attributes:
   - Serial Number
   - MAC Address
   - Machine Name (hostname)

   Enable Differentiation:
   - If differentiation is enabled, it uses AND logic, meaning that all the selected attributes must match for a device to reconcile.
   - If differentiation is disabled, it uses OR logic, meaning that any one of the selected attributes must match for a device to reconcile.

   Differentiation disabled: If multiple device objects with matching attributes (such as MAC address or hostname) are found, the device object with the matching serial number gets the first preference, even if none of the attributes are selected.
4. Click Apply.
NOTE: For accurate reconciliation, we recommend that you select at least two attributes with differentiation enabled.
Scenario 1
Serial Number and MAC Address are selected with differentiation enabled: For a device to reconcile to the existing device object, the Serial Number and MAC address of the existing device must match the Serial Number and MAC address of the new device.
Scenario 2
MAC Address and Machine Name are selected with differentiation disabled: For a device to reconcile to the existing device object, the MAC Address or the Machine Name of the existing device must match the MAC Address or Machine Name of the new device.
Scenario 3
Serial Number and MAC Address selected with differentiation enabled and with device having multiple MAC addresses: The existing device object has multiple MAC addresses and the new device has multiple MAC addresses, which includes two new and one old. In this case, the new device object will still reconcile to the existing device object if any one of the MAC addresses and the Serial Number match the existing object.
Scenario 4
The new device and the existing device object have the same GUID but different passwords: Allowing devices to register with a new password but the same device GUID was the less secure option, because the password of any device could be updated. To provide security, by default, the password update of a device with the same device GUID is not allowed. If this setting is set to false, which is the default, a -34 is sent back to the device when a registration request is received with incorrect credentials. If device registration fails for this reason, it can be fixed by running the zac reg -r command, which requires administrator credentials.
The default settings are as follows:
authreconcile disableAuthfailure = false [true: in case if above behavior is not desired]
enableReconcileignore = true [false: in case if configured reconcile settings are to be considered]
disableClientID = true [false: in case if device GUID needs to be considered for reconciliation]
createNewDevice = true [false: not to create new device object in case of reconciliation failure]
Allowing devices to register with a new password but the same GUID is the less secure option, because the password of any device can then be updated. To provide security, by default, the password update of a device with the same GUID is not allowed. This can be achieved by setting the disableAuthFailure flag to false.
In some scenarios, administrator credentials are required to update the password using the zac reg -r command.
NOTE: The authreconcile.xml file and its customizable settings are considered only when a device has the same GUID as the existing device object but a different password.
The following table shows how different settings can help or fail device reconciliation:
| | Serial Number (SN) | MAC Address | Hostname | Expected |
|---|---|---|---|---|
| Differentiation Enabled | | | | Success: The attributes of the new device must match all attributes of the existing object for successful reconciliation. Failure: If there is no match with even a single attribute, reconciliation fails and a new device object is created. |
| | | | | The reconciliation settings are not set and thus, a new device object is created for every new device. |
| | | | | Success: The Serial Number, as well as the MAC address of the new device, must match the Serial Number and MAC address of the existing device object. Failure: If only one of the two attributes matches, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The Serial Number, as well as the Hostname of the new device, must match the Serial Number and Hostname of the existing device object. Failure: If only one of these two attributes matches, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The MAC address, as well as the Hostname of the new device, must match the MAC address and Hostname of the existing device object. Failure: If only one of these two attributes matches, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The Serial Number of the new device must match the Serial Number of the existing device object. Failure: If the Serial Number doesn't match, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The MAC address of the new device must match the MAC address of the existing device object. Failure: If the MAC address doesn't match, then reconciliation with the existing object fails. |
| | | | | Success: The Hostname of the new device must match the Hostname of the existing device object. Failure: If the Hostname doesn't match, then reconciliation of the new device with the existing object fails. |
| | | (multiple≥2) | | Success: If a device consists of multiple MAC addresses, all of them are queried and stored with the reconciliation request. Any one of the multiple MAC addresses and the Hostname of the existing device must match with any one of the MAC addresses and the Hostname of the new device for successful reconciliation. Failure: If none of the MAC addresses match, reconciliation fails. |
| | | (same≥2) | | Success: If two or more devices have the same MAC addresses, then devices are distinguished by the Serial Number, and the device with the matching Serial Number is reconciled with the existing object. |
| | | | (same≥2) | If two or more devices have the same Hostname, then the devices are distinguished by the Serial Number. The new device with the matching Serial Number is reconciled with the existing object. |
| Differentiation Disabled | | | | Success: Any one of the attributes of the new device must match the corresponding attribute of the existing object for successful reconciliation. Failure: If none of the attributes match, reconciliation fails and a new device object is created. |
| | | | | If the settings for device reconciliation are not set, then a new device object is created for every new device. NOTE: If multiple device objects with matching attributes (such as MAC address or hostname) are found, the device object with the matching serial number gets the first preference, even if none of the attributes are selected. |
| | | | | Success: Either the Serial Number or the MAC address of the new device must match the Serial Number or the MAC address of the existing device object. Failure: If neither of these two attributes matches, then reconciliation of the new device with the existing object fails. |
| | | | | Success: Either the Serial Number or the Hostname of the new device must match the Serial Number or the Hostname of the existing device object. Failure: If neither of these two matches, then reconciliation of the new device with the existing object fails. |
| | | | | Success: Either the MAC address or the Hostname of the new device must match the MAC address or the Hostname of the existing device object. Failure: If neither of these two matches, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The Serial Number of the new device must match the Serial Number of the existing device object. Failure: If the Serial Number of the new device doesn't match, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The MAC address of the new device must match the MAC address of the existing device object. Failure: If the MAC address of the new device doesn't match, then reconciliation of the new device with the existing object fails. |
| | | | | Success: The Hostname of the new device must match the Hostname of the existing device object. Failure: If the Hostname of the new device doesn't match, then reconciliation of the new device with the existing object fails. |
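The matching rules described on this page (AND logic with differentiation enabled, OR logic with it disabled, any one MAC address counting for a multi-adapter device, and serial-number preference when several objects match) can be modelled to predict which object a registering device reconciles to. This is an added sketch, not Endpoint Management code; the `Device` class, the `reconcile` function, the sample inventory and the first-hit fallback are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    label: str                 # example-only name, not a product field
    serial: str
    hostname: str
    macs: frozenset            # every adapter MAC reported by the device

def matches(attr, new, obj):
    if attr == "mac":          # any one shared MAC is enough (Scenario 3)
        return bool(new.macs & obj.macs)
    return getattr(new, attr) == getattr(obj, attr)

def reconcile(new, existing, selected, differentiation):
    """Return the existing object `new` reconciles to, or None (new object)."""
    if not selected:           # no reconcile attributes set
        return None
    combine = all if differentiation else any   # AND vs OR logic
    hits = [o for o in existing if combine(matches(a, new, o) for a in selected)]
    # Several hits: the object with the matching serial number is preferred.
    # Falling back to the first hit otherwise is an assumption of this sketch.
    by_serial = [o for o in hits if o.serial == new.serial]
    return (by_serial or hits or [None])[0]

# Constructed sample inventory (not real devices).
ZONE = [
    Device("ws-a", "SN-1001", "lab-ws-01", frozenset({"00:11:22:33:44:01", "00:11:22:33:44:02"})),
    Device("ws-b", "SN-1002", "lab-ws-02", frozenset({"00:11:22:33:44:10"})),
    Device("kiosk-1", "SN-2001", "kiosk", frozenset({"00:11:22:33:44:20"})),
    Device("kiosk-2", "SN-2002", "kiosk", frozenset({"00:11:22:33:44:21"})),
]

def demo():
    label = lambda d: d.label if d else None
    # One old MAC plus two new ones, as in Scenario 3.
    swapped_nic = Device("new", "SN-1001", "renamed", frozenset({"00:11:22:33:44:02", "00:11:22:33:44:aa", "00:11:22:33:44:bb"}))
    name_only = Device("new", "SN-9999", "lab-ws-02", frozenset({"00:11:22:33:44:cc"}))
    kiosk = Device("new", "SN-2002", "kiosk", frozenset({"00:11:22:33:44:dd"}))
    return {
        "scenario3_and": label(reconcile(swapped_nic, ZONE, ["serial", "mac"], True)),
        "hostname_only_or": label(reconcile(name_only, ZONE, ["mac", "hostname"], False)),
        "hostname_only_and": label(reconcile(name_only, ZONE, ["mac", "hostname"], True)),
        "same_hostname_or": label(reconcile(kiosk, ZONE, ["hostname"], False)),
        "nothing_selected": label(reconcile(swapped_nic, ZONE, [], True)),
    }

if __name__ == "__main__":
    print(demo())
```

The `hostname_only_or` and `hostname_only_and` cases use the same registering device: with OR logic a single matching hostname is enough to reconcile to an existing object and its bundles and policies, while with two attributes and differentiation enabled the same device gets a new object instead.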