Multi-Tenant Management — Settings Inheritance for Subscriber Accounts
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
To open the multi-tenant management UI for endpoint security, your Service Provider account must have an active WatchGuard Endpoint Security product license in its inventory.
In the Endpoint Security management UI, Subscriber accounts can create and assign security settings profiles to the computers and devices they manage. They might also receive settings that a Service Provider created and assigned to them. This topic describes settings inheritance when a Service Provider assigns settings to a managed Subscriber account.
For information on how to assign settings to managed Service Provider accounts, go to Multi-Tenant Management — Settings Inheritance for Service Provider Accounts.
Service Providers cannot assign security settings of delegated accounts in the multi-tenant management UI.
Settings profiles that Service Providers assign to a managed Subscriber account are read-only in the Subscriber account. The settings profile includes a green Service Provider label to differentiate it from profiles created manually at the account level.
Ownership of these settings profiles (that is, who can edit and delete them) is based on who created the settings profile (Service Provider or Subscriber). Refer to the appropriate section:
- Settings Profile Created and Assigned by the Service Provider
- Settings Profile Created and Assigned in WatchGuard Endpoint Security
- Settings Profile Created and Sent from the Multi-Tenant Management UI
Inherited Editable Settings
By default, the managed accounts to which you assign a settings profile cannot edit or delete the configuration. You can configure some settings profiles to allow the managed account to make additions. You can enable the account to make additions for these settings:
- Scan exclusions
- Authorized software
- Allowed IP addresses for Endpoint Access Enforcement
When you enable changes, the settings profile shows an Editable Exclusions, Editable Settings, or Editable Protocols label in the management UI of the recipient account. The managed account can make additions, but it cannot delete or edit the entries you defined.
If you reconfigure the option to be non-editable, any additions that the managed account made no longer apply. Only the exclusions from your Service Provider account apply. If you change the option again to be editable, then the exclusions, authorized software programs, or allowed IP addresses that the managed account added are restored and applied.
Settings Profile Created and Assigned by the Service Provider
When Service Providers assign settings to one or multiple tenant accounts, they own the settings. These settings are automatically assigned to the All group in the Endpoint Security management UI. When Service Providers delete these settings profiles in the multi-tenant management UI, the profile disappears in the Endpoint Security management UI. The group then inherits the settings from a group at a higher level or the All group.
Endpoint Security users cannot edit the settings or delete the profiles you create. Users can only edit the recipients. If a user edits the recipients in the Endpoint Security management UI, then the settings profile becomes co-owned. For more information on the co-ownership of settings profiles, go to Settings Profile Created and Sent from the Multi-Tenant Management UI.
If any sub-groups or computers in the All group have settings that were manually assigned in the Endpoint Security management UI, the settings the Service Provider assigns in the multi-tenant management UI do not overwrite them.
Settings Profile Created and Assigned in WatchGuard Endpoint Security
Settings created in the Endpoint Security management UI are owned by the creator. The Service Provider cannot view these settings.
Settings Profile Created and Sent from the Multi-Tenant Management UI
When Service Providers create a settings profile in the multi-tenant management UI and send it to a tenant account, it appears in the Endpoint Security management UI with a green Service Provider label to differentiate it from profiles created in the Endpoint Security management UI. If the Endpoint Security user then edits the recipients of the profile, the settings become co-owned.
Endpoint Security users cannot edit the settings or delete the profile. The recipients that they added or deleted do not change. For this reason, Service Providers cannot delete a co-owned settings profile. If Service Providers edit the settings, the settings are re-sent and reassigned to the All group, as well as any other recipients added by the user in the Endpoint Security management UI.
Changes made by a Service Provider to the settings assigned to a tenant account are automatically reflected in the tenant account's Endpoint Security management UI. The changes propagate to the target devices in real time, or within 15 minutes when real-time communication is disabled. For more information, go to Disable Real-time Communication.
Settings Exceptions
If the account group has devices with settings that were directly assigned, a yellow caution symbol shows beside the account name in the list. You are prompted to keep the settings that are directly assigned or to overwrite the local settings and inherit all settings from the account group.
When Service Providers assign a security settings profile to an account or account group, the settings are applied to the All group and inherited by any sub-groups. If any of the sub-groups, computers, or devices have manually assigned settings, an exception occurs and WatchGuard Endpoint Security does not assign the settings profile.
When Service Providers assign settings in the multi-tenant management UI, they can view exceptions on the Settings page. A black number on the colored line in the account list means that this part of the list is collapsed and some of the collapsed accounts have exceptions to the assigned settings profile. Double-click the number to show the accounts with exceptions.
To review manually applied settings, you must open the Endpoint Security management UI for the account.
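The inheritance, exception, and editable-additions rules described in the Inherited Editable Settings and Settings Exceptions sections above can be modelled as a small effective-settings resolver. The Python below is an added illustration written for this page, not WatchGuard code; the group tree, profile names, and exclusion paths are constructed sample data, and the class and function names (Profile, Group, assign_from_service_provider, delete_service_provider_profile) are assumptions of this example rather than product APIs. It shows why a Subscriber's additions must be stored separately from the Service Provider's list: switching a profile to non-editable stops the additions from applying without discarding them, so they come back when the option is re-enabled, and a sub-group with manually assigned settings keeps them as an exception rather than being overwritten.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical ownership markers used only by this example.
SERVICE_PROVIDER = "service_provider"
SUBSCRIBER = "subscriber"


@dataclass
class Profile:
    """A settings profile. `items` holds only the owner-defined entries;
    additions by the managed Subscriber account live in a separate list
    so the `editable` flag can switch them off and restore them later."""
    name: str
    owner: str
    items: tuple = ()                      # e.g. scan exclusions set by the owner
    editable: bool = False
    subscriber_additions: list = field(default_factory=list)

    def add_subscriber_item(self, item: str) -> None:
        # A managed account may only append, and only while the profile is editable.
        if self.owner == SERVICE_PROVIDER and not self.editable:
            raise PermissionError(f"{self.name!r} is read-only for the managed account")
        self.subscriber_additions.append(item)

    def effective_items(self) -> list:
        # Owner-defined entries always apply; additions apply only while editable.
        if self.editable:
            return list(self.items) + list(self.subscriber_additions)
        return list(self.items)


@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    assigned: Optional[Profile] = None     # None means "inherit from the parent group"
    children: list = field(default_factory=list)

    def add_child(self, child: "Group") -> "Group":
        child.parent = self
        self.children.append(child)
        return child

    def effective_profile(self) -> Optional[Profile]:
        # Walk up the hierarchy until a group with an assigned profile is found.
        node = self
        while node is not None:
            if node.assigned is not None:
                return node.assigned
            node = node.parent
        return None

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()


def assign_from_service_provider(all_group: Group, profile: Profile) -> list:
    """Assign a Service Provider profile to the All group. Sub-groups with
    manually assigned settings keep them and are reported as exceptions."""
    all_group.assigned = profile
    return [g.name for g in all_group.descendants()
            if g.assigned is not None and g.assigned.owner == SUBSCRIBER]


def delete_service_provider_profile(all_group: Group, profile: Profile) -> None:
    """Deleting the profile clears it wherever it was assigned; those groups
    fall back to inheriting from a higher-level group."""
    for g in [all_group, *all_group.descendants()]:
        if g.assigned is profile:
            g.assigned = None


def demo() -> dict:
    # Constructed sample tenant: All -> Finance -> Finance/Workstations, All -> Lab.
    all_group = Group("All")
    finance = all_group.add_child(Group("Finance"))
    workstations = finance.add_child(Group("Finance/Workstations"))
    lab = all_group.add_child(Group("Lab"))
    # Lab had settings assigned manually in the Endpoint Security UI.
    lab.assigned = Profile("Lab local", SUBSCRIBER, items=("C:\\LabTools\\",))

    sp_profile = Profile("SP baseline", SERVICE_PROVIDER,
                         items=("C:\\Corp\\Agent\\",), editable=True)
    exceptions = assign_from_service_provider(all_group, sp_profile)

    sp_profile.add_subscriber_item("D:\\Build\\")      # Subscriber adds an exclusion
    with_additions = workstations.effective_profile().effective_items()
    sp_profile.editable = False                        # SP makes it non-editable
    without_additions = workstations.effective_profile().effective_items()
    sp_profile.editable = True                         # re-enabled: additions restored
    restored = workstations.effective_profile().effective_items()
    delete_service_provider_profile(all_group, sp_profile)

    return {"exceptions": exceptions,
            "lab_profile": lab.effective_profile().name,
            "with_additions": with_additions,
            "without_additions": without_additions,
            "restored": restored,
            "after_delete": workstations.effective_profile()}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the resolved values for each step: the Lab group appears as the only exception and keeps its local profile, the workstations group sees the Service Provider's entry plus the Subscriber's addition while the profile is editable, only the Service Provider's entry while it is not, and nothing at all once the profile is deleted from the All group.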
Multi-Tenant Management of Settings Profiles
Multi-Tenant Management — Assign Endpoint Security Settings to Managed Accounts