System Tree
The System Tree is one of the most important pieces of your managed environment. It is the logical representation of your managed environment. Your System Tree dictates:
How your policies for different products are inherited
How your client tasks are inherited
What groups your systems go into
The ePO server is responsible for managing exactly one System Tree. The System Tree contains all of the systems that ePO manages. A system is a managed machine: a server, workstation, laptop, or appliance. Within the System Tree, each system is represented by its NetBIOS name. Internally to ePO, each system is represented by its Globally Unique Identifier (GUID).
You can open the page two ways:
Click the System Tree category on the navigation bar
Select Menu > Systems > System Tree
The System Tree initially contains two containers (groups), but lets you create additional groups to meet your organizational needs. These groups display in the tree in a hierarchical manner.
My Organization: Top-level (root) group. It cannot be renamed or deleted. All systems are organized within it in logical containers called groups and subgroups.
Lost and Found: Default subgroup where systems with unknown locations are placed. It always appears last in the list and is not alphabetized among its peers. It cannot be renamed or deleted.
Although you can add all systems into one group in the System Tree, a flat list makes setting different policies for different systems very difficult, especially for large networks. By grouping systems, you can manage their policies in one place, rather than individually. You can also schedule system tasks (such as updating virus definition files) at any level of the System Tree, as well as sort systems by IP address or tags.
You can group systems based on:
Machine-type: Laptops, servers, or desktops
Geography: North America or Europe
Political Boundaries (Organization Departments): Finance or Development
Any other logical criteria that support your needs
As a best practice, create only as much structure as is useful for the functionality of your ePO environment.
During this process, you create the groups to hold your managed systems and then add your systems to the appropriate groups. The groups you add are always subgroups within the top-level My Organization group.
There’s no single way to build your System Tree. Because every network is different, your System Tree organization can be as unique as your network layout. You can use more than one method to build and organize the System Tree, as shown in the figure below.
Inheritance
The manual build process is useful where no formal Microsoft environment exists (for example, a NetWare-based network) or when the Microsoft Networking environment does not map well to the anti-virus management structure that you require.
From the System Tree, select a parent group. If this is the first group, the parent is My Organization.
Click the New Subgroups box at the top of the page, or select System Tree Actions > New Subgroups.
In the Name box, enter the group name, and click OK. If adding multiple groups, separate the names with a comma.
The new group appears in the System Tree. Repeat as necessary until you are ready to populate the groups with the desired systems.
After you add a system, it initially has an Unmanaged state. You must wake up agents on the systems to change the status to Managed. The Agent Wakeup process is discussed in more detail later in the course.
Whatever group is highlighted is the one the action will be applied to, so when selecting New Subgroups the new groups will appear under the highlighted group.
When adding more than one group at a time, the groups should be separated by commas.
To add systems manually, click on the New Systems button on the System Tree page.
In this example, the systems are added and the Trellix Agent is pushed at this time.
The systems will show as Unmanaged in the System Tree until the agent is installed and has reported back to ePO that the installation is complete.
From the New Systems page in the How to add systems section, select one of these options. Note: The fields on the page vary, depending on your selection.
Push agents and add systems to the current group: Adds systems and deploys agent
Push agents and place systems in the System Tree according to sorting criteria: Deploys agents to the specified systems in the groups of the System Tree, according to sorting criteria
Add systems to the current group (TechLearn), but do not push agents: Adds systems but does not deploy agent
Create and download agent installation package: Creates a custom agent installation package in which you can embed credentials for the installation. The package can be distributed to managed node users for self-install. The package (FramePkg.exe or install.sh) is created when you install ePO or check in an agent package. Note: Node users require administrative privileges to install the agent.
Import systems from a text file into the selected group, but do not deploy agents: Imports systems from a properly generated text file but does not deploy agents to these systems
Create URL for client-side agent download: The administrator can create and distribute a custom agent URL to managed node users for self-install. Each user copies and pastes the URL into a browser. The user is directed to a specific site to download an installation package, then uses the Smart Installer to install the agent.
Another way to manually build the System Tree is with the Import Tree Structure function on the System Tree > Group Details tab. Using this function, you import a text file saved to a temporary directory on the ePO server.
You can add systems to existing groups or subgroups, as well as add new groups, subgroups, and/or systems. Systems added to the System Tree have an unmanaged state until after an agent wakeup.
From the Group Details tab in the System Tree, select Actions > Import Tree Structure.
Import a text file from a temporary directory on the server.
Note: The text file must use UTF-8 file encoding to correctly import system names with double-byte or extended characters in them. There are third-party utilities available that can export a list of your computers into a text file. Windows 2000 and later provide CSVDE.EXE and LDIFDE.EXE, which you can use to export Active Directory objects, such as computers.
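The following added example (not part of the original course material and not Trellix code) converts a CSVDE computer export into a UTF-8 import file and refuses input it cannot decode cleanly rather than garbling extended characters. It assumes the export has DN and name columns and that the import file takes one Group\Subgroup\System entry per line; confirm that format against the documentation for your ePO version. The sample data and the output file name are constructed.

```python
import csv
import io
import re

# A backslash or control character in a name would alter the imported structure.
_BAD_NAME = re.compile(r"[\\\x00-\x1f]")


def decode_export(raw):
    """Decode a CSVDE export: UTF-16 when a BOM is present (csvde -u), else strict UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    # Strict decoding raises UnicodeDecodeError on ANSI exports instead of corrupting names.
    return raw.decode("utf-8-sig")


def group_path(dn):
    """Return the OU names of a distinguished name, outermost first."""
    parts = re.split(r"(?<!\\),", dn)  # split on unescaped commas only
    ous = [p[3:].replace("\\,", ",") for p in parts if p.upper().startswith("OU=")]
    return list(reversed(ous))


def build_import_lines(raw):
    """Return (import_lines, rejected_names) for an export with DN and name columns."""
    lines, rejected = [], []
    for row in csv.DictReader(io.StringIO(decode_export(raw))):
        name = (row.get("name") or "").strip()
        if not name or _BAD_NAME.search(name):
            rejected.append(name)
            continue
        # ASSUMPTION: one "Group\Subgroup\System" entry per line.
        lines.append("\\".join(group_path(row["DN"]) + [name]))
    return lines, rejected


# Constructed sample shaped like `csvde -u` output (UTF-16 with BOM).
SAMPLE = (
    "DN,name\r\n"
    '"CN=FIN-LT-01,OU=Laptops,OU=Finance,DC=example,DC=com",FIN-LT-01\r\n'
    '"CN=東京-SRV-01,OU=Servers,OU=Tokyo,DC=example,DC=com",東京-SRV-01\r\n'
    '"CN=X,OU=Servers,OU=Tokyo,DC=example,DC=com",BAD\\NAME\r\n'
).encode("utf-16")

if __name__ == "__main__":
    lines, rejected = build_import_lines(SAMPLE)
    with open("system_tree_import.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    print("written:", lines, "rejected:", rejected)
```

Review the rejected names before importing; an entry that fails validation usually points to a stale or malformed directory object.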
After you populate your system tree, you can move the existing groups/subgroups and systems.
Locate the system in the System Tree.
Mark the checkbox for the system.
Select Directory Management > Move Systems. A page displays a list that resembles your tree structure.
Select the new group or subgroup for the system.
Click OK.
Allows Enable/Disable for auto expanding of System Tree groups
New option to support System Tree structure customization (only when moving one system to another system)
This feature lets you populate your System Tree automatically by synchronizing entire NT domains with specified groups. This approach is an easy way to add all systems in your network to the System Tree simultaneously. The systems are imported as a flat list with no system descriptions.
If you are using containers within your ePO Directory that correspond exactly with the name of domains or workgroups in your browse list, you can use the Synchronize Domains task to add and delete systems, manually or automatically, to or from these groups.
You can only synchronize the contents of domains or workgroups, within the browse list, with groups of the same name. If the domains or workgroups selected during task creation do not exist in the ePO System Tree, they are automatically added as groups.
If there is an existing group with the same name as a domain or workgroup you select, the computers in the domain are added to that group. In addition to placing the system into the ePO Directory, the Synchronize Domains task will install the Trellix Agents.
Click on the information (i) icons for detailed information on each field.
If you select Push agents to new systems when they are discovered, configure the Agent Push Settings. Click the Configure Settings button to display the Agent Push Settings page.
Select the agent version to install, decide which systems to include in the agent push, and determine the path that the agent files will be installed to on the client machine. In addition, you must provide local administrator credentials for installing the agent. Set the number of installation attempts desired, as well as the retry interval.
Installation options: Specifies the agent installation options available, including:
Install only on systems that do not have an agent: Sends the agent installation package only to systems without an agent installed. When deselected, sends the agent installation package to all selected systems, regardless of whether the agent is already installed on them.
Force installation over existing version: Replaces existing agents within the selected group with the selected versions. This option is not available when you select Install only on systems that do not have an agent.
Push Agent Using: Select the connection used for the deployment as either:
Selected Agent Handler: Select the server from the list.
All Agent Handlers: Use all handlers.
This feature applies to the Active Directory and NT Domain Synchronization features.
It is recommended that you do not deploy the agent during the initial import if the domain is large. Deploying the Trellix Agent package to many systems at once may cause network traffic issues. Instead, import the domain, then deploy the agent to smaller groups of systems at a time, rather than all at once. However, once you have deployed agents, consider revisiting this page and selecting this option after the initial agent deployment, so that the agent is installed automatically on any new systems that are added to the group (or its subgroups) through domain synchronization.
This feature is designed for networks with an existing Active Directory. Like NT Domain Synchronization, it lets you import systems only as a flat list; however, it also lets you import systems and the Active Directory container structure to ensure your System Tree mirrors your Active Directory. It also imports system descriptions.
A registered LDAP server is required. If your server is not registered, complete this step prior to configuring AD Synchronization.
If you are using containers within your ePO Directory that correspond exactly with the name of domains or workgroups in your browse list, you can use the Synchronize Domains task to add and delete systems, manually or automatically, to or from these groups.
You can only synchronize the contents of domains or workgroups within the browse list with groups of the same name. If the domains or workgroups selected during task creation do not exist in the ePO System Tree, they are automatically added as groups.
If there is an existing group with the same name as a domain or workgroup you select, the computers in the domain are added to that group. In addition to placing the system into the ePO Directory, the Synchronize Domains task will install the agents.
Click on the information (i) icons for detailed information on each field.
After you specify Active Directory Synchronization or NT Domains at the Group level, you can continually maintain the listing of computers contained in the console tree by running an Active Directory Synchronization/NT Domain server task or by manually updating the synchronized group. This task synchronizes selected Windows NT domains and Active Directory containers that are mapped to System Tree groups.