The Endpoint agent policy settings in Nebula determine how the endpoint agent interacts with the device.
Endpoint agent settings
To locate the Endpoint agent tab in your policy:
- On the left navigation menu, go to Configure > Policies.
- Select a policy.
- Select the Endpoint agent tab to see the specific settings available for each operating system.
For the default settings, see ThreatDown recommended policy for Nebula.
User interface options
User interface options allow you to adjust the endpoint user experience. This controls what your end users see on their machines, and how they can interact with Nebula.
Options in this section are as follows:
- Show the ThreatDown icon in the notification area: Shows the endpoint agent icon in the Windows taskbar or Mac menu bar.
- Display real-time protection notifications: Shows pop-up notifications on the endpoint when a website or application is blocked by Real-Time Protection. For macOS, this setting also controls if the user receives a notification when a scan is completed. Toggle this off or disable it to prevent these pop-up notifications from appearing on the endpoint.
-
Allow users to run a User Threat Scan: Allows users to run Threat Scans with all detected threats put in quarantine. Users may cancel Threat Scans, but can't cancel scans controlled by the console. Threat Scans run by users are listed in the Events screen as On demand scans.
- Show ThreatDown shortcuts on Start menu and desktop to run Threat Scans: Creates shortcuts in the endpoint's Start Menu and desktop. User Threat Scan must be enabled to use this setting.
- Show ThreatDown option in context menus: Allows users to scan files by right-clicking them. These scans share the same properties as User Threat Scan, above.
- Allow only Administrator level users to interact with the ThreatDown Tray: Disables the Endpoint Agent Tray process from loading on standard-level user accounts. Only Administrator-level users will have access to the tray process and icon. For general end users, the endpoint agent icon won't display on the endpoint. This is useful for running Nebula in a more silent manner or for a multi-user environment such as Microsoft Terminal Services.
Endpoint agent updates
The Endpoint agent updates policy option in Nebula allows control over when endpoints receive software updates. This option only applies to Protection Service updates, Component Package updates are always automatic.
We use a ring deployment system to push updates to our endpoint agents. With this system, we initially send updates to a small subset devices, then over time to a wider group. We monitor closely for issues throughout the update process, and halt our rollout if a problem is identified. This allows us minimize any negative impact to endpoints customers when pushing out endpoint agent software updates.
Options in this section are as follows:
-
Automatically download and install ThreatDown application updates (Windows only): Enable this feature to allow automatic download and installation of Protection Service updates on endpoints. Protection Service updates are always automatic for macOS devices.
- For customers onboarded since March 2, 2021: This feature is enabled for all new and existing policies.
- For customers onboarded before March 2, 2021: This feature is disabled for existing policies and enabled for new policies.
- Pause endpoint agent updates (Windows only): Stops endpoint agent updates from being applied on endpoints for up to 31 days. After 31 days, endpoints resume receiving endpoint agent updates when they are released. When enabled, the policy screen shows the date and time when updates will continue.
If you have pending software updates before enabling Automatic Updates, then you must manually install the pending software updates so your endpoints can begin automatically updating.
Mobile performance
Mobile performance options control the impact of the endpoint agent on mobile devices. Options in this section are as follows:
- Use memory caching: Increase performance of the agent, but at the cost of using more memory in the background (not recommended on older devices).
Reboot settings
Reboot options control how Nebula handles requests from the console to restart endpoints. Reboots are sometimes needed to finish malware remediation or to apply system changes after software is updated or removed.
Options in this section are as follows:
- Automatically reboot endpoints when required: Choose if the endpoint automatically restarts as needed. If you turn this off, malware might not be fully removed from the endpoint and software updates might not be applied.
- Delay time before automatic reboot: The amount of time the endpoint will wait before rebooting.
- Message to display when a reboot is required: A customizable message displayed on the endpoint when it needs to reboot.
- Allow users to postpone a reboot: Enables a popup on endpoints that allows users to postpone a reboot by preset times of 10, 30, or 60 minutes. Users can also click the X in the top-right corner to dismiss the pop-up and honor the reboot timer displayed in the window. Reminders to postpone the reboot appear 10 minutes before and once the time elapses. If the reboot is not postponed, the endpoint automatically reboots 1 minute after the time elapses. Reboot postponements are displayed on the Events screen as an Audit event.
Inactive endpoints
The Inactive Endpoint Removal option in Nebula allows you to remove endpoints from your Nebula console that have been inactive for a set period of time. When enabled in a policy, endpoints that have not checked in with the console within the specified time frame are automatically removed. This setting can be adjusted to a range of 1 to 365 days.
Endpoints that are removed due to this option automatically reappear in Nebula with their historical data if they come online again. Some example scenarios are:
- Laptop devices kept in storage and then powered-on at a later date
- Desktop devices not used while employees are working remote for an extended period, but are powered-on at a later date once employees return to the office
Once you enable this option in a policy, allow up to 24 hours for the Nebula console to automatically remove endpoints that fall outside your specified time frame.
Startup options
Startup Options control how services behave on your endpoints. Options in this section are as follows:
- Provide all services with additional time to initiate: Enables extra time for services to finish loading at system startup before they timeout.
- Maximum time to wait for the services to initiate: Choose a preset timeout period. You may select 1, 5, or 10 minutes. The endpoint may need more time to start if it has many services loading at startup or is running additional security software
Health monitoring
Health monitoring provides additional settings to ensure the endpoint agent is running correctly. Options in this section are as follows:
- Enable service health monitoring: Allows the Endpoint Agent Monitor Service EAServiceMonitor.exe to monitor and restart the Endpoint Agent Service MBCloudEA.exe if it goes offline or is stopped. This setting currently only applies to Windows endpoints.