• Certificate-based Agent Authentication - Manual Configuration on Console & Monitor Machines

    This is the manual procedure that corresponds to running the script outlined in this article. It details what happens on each of your console and monitor machines when you run the automated script, in case you want to troubleshoot the procedure or go through all the steps manually.

    First read through Certificate-Based Agent Authentication to be sure you have all the prerequisites listed and that you create the certificates as recommended.

    You have to complete these manual steps for every machine or location running the ControlUp Console and the ControlUp Monitor.

    Apply Private Key Certificate to the Machines Running the ControlUp Console and Monitors

    1. Ensure the private key (.pfx file) you created is copied onto the machines running the ControlUp Console and Monitors, and that you have the password for the certificate stored in this file.
    2. Access the directory with the private key and double click the .pfx file. The Windows Certificate Import Wizard opens.
    3. Select Local Machine and click Next.
      Note: You can select the Current User option if you want to require a certificate for each user separately for this console. 
    4. Confirm that the selected .pfx file is correct and click Next.
    5. Enter the private key password and click Next.

    6. Store the certificate. Select Place all certificates in the following store and click Browse to select the Personal directory to store it there. Click Next.

    7. In the next window, click Finish and the Certificate Import Wizard confirms that the import was successful.

    Configure Registry Key on the ControlUp Console and Monitor Machines

    For the console and monitors to start using a client-side certificate, a registry configuration is required. The registry can be configured either under the HKCU or HKLM registry hives for the console and under the HKLM for the monitors. Each hive refers to the appropriate certificate store.

    Once you complete creating this registry key, you can export it to be used on any other ControlUp Console machines and the ControlUp Monitor machines.

    1. On the console machine, open the Registry Editor and go to: HKLM\SOFTWARE\Smart-X\ControlUp\ClientCert
      Missing keys must be created manually. 

    2. Create a DWORD value named Enabled and assign it the value of 1.

    3. Create a string value (REG_SZ) named Thumbprint and assign it the Thumbprint value of the private key certificate.
      You can find the Thumbprint in the private key certificate as follows.

        1. Access the Microsoft Management Console (mmc).
        2. Choose File > Add/Remove Snap-in.
        3. Select Certificates from the Available Snap-ins list and click Add > for it to appear in the Selected Snap-ins list.
        4. When prompted, select Computer account, and click Next, and then Finish.
        5. Click OK to close the Add or Remove Snap-ins window.
        6. Open the Certificates item and go to Personal > Certificates.
        7. Locate the .pfx certificate file you imported. Double-click the file and open the Details tab.
          The Thumbprint field is shown in the list as follows:
          CertificateThumbprint.png
        8. Highlight the Thumbprint. In the details box, highlight the thumbprint sequence value and copy it into a Unicode text editor such as Notepad++.
          Note: If the sequence is not maintained as Unicode, it may not work when added to the registry key.
        9. Copy the Thumbprint value into the registry key you created above. It should look like this: RegKeyThumbprint.png
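
    The registry steps above can also be done without copying the thumbprint by hand. The PowerShell below is an added example, not the ControlUp script referenced in this article: it reads the thumbprint from the Local Machine > Personal store, checks the private key, expiry date and key size, and writes the two registry values. The subject pattern and the pasted sample are constructed, and an RSA key is assumed.

```powershell
#Requires -RunAsAdministrator
# Added example (not ControlUp's script). Writes the ClientCert registry values
# from a certificate already imported into Local Machine > Personal.

$SubjectPattern = 'CN=controlup-auth\.example\.local'   # constructed placeholder
$RegPath        = 'HKLM:\SOFTWARE\Smart-X\ControlUp\ClientCert'

function Get-ThumbprintProblem {
    # Lists characters that are neither hex digits nor spaces, for example an
    # invisible formatting mark picked up when copying from the certificate dialog.
    param([string]$Value)
    foreach ($ch in $Value.ToCharArray()) {
        if ($ch -notmatch '^[0-9A-Fa-f ]$') { 'U+{0:X4}' -f [int]$ch }
    }
}

# 1. Select exactly one certificate so the wrong one is never configured silently.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
           Where-Object { $_.Subject -match $SubjectPattern })
if ($found.Count -ne 1) {
    throw "Expected one certificate matching '$SubjectPattern', found $($found.Count)."
}
$cert = $found[0]

# 2. Pre-flight checks taken from the article: private key present, not expired,
#    2048- or 4096-bit key (RSA is an assumption of this example).
if (-not $cert.HasPrivateKey) { throw 'No private key: import the .pfx, not the .cer.' }
if ($cert.NotAfter -le (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa -or $rsa.KeySize -notin @(2048, 4096)) {
    throw 'Expected a 2048- or 4096-bit RSA key.'
}

# 3. Create missing keys, then write Enabled (DWORD) and Thumbprint (REG_SZ).
if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $RegPath -Name Thumbprint -PropertyType String `
    -Value $cert.Thumbprint -Force | Out-Null

# 4. Read the value back and compare it with the store, ignoring spaces.
$stored = (Get-ItemProperty -Path $RegPath -Name Thumbprint).Thumbprint
$bad    = @(Get-ThumbprintProblem -Value $stored)
if ($bad.Count -gt 0 -or ($stored -replace ' ', '') -ne $cert.Thumbprint) {
    Write-Warning "Stored thumbprint differs from the certificate. Unexpected: $($bad -join ', ')"
}
'{0} configured, expires in {1} days' -f $cert.Thumbprint,
    [int]($cert.NotAfter - (Get-Date)).TotalDays

# The same check applied to a hand-pasted value (constructed sample with a hidden
# left-to-right mark in front of the hex digits):
$pasted = [string][char]0x200E + 'a1 b2 c3'
Get-ThumbprintProblem -Value $pasted
```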

    Add Network Service to the ControlUp Monitor Machine Private Key

    All the machines running ControlUp Monitors in your environment must also have this private key certificate file and the registry key you created above.

    Additionally you must add the Network Service to the Security table for the certificate applied to the monitor machines. This is because the monitor runs in the context of the Network Service account.

    1. Access the Microsoft Management Console (mmc).
    2. Open the Certificates item and go to Personal > Certificates.
    3. Right-click the private key you applied to this machine per the above procedure. Select All Tasks > Manage Private Keys...
      Note: If you have a non-standard deployment, you may have to search for the private key file.
    4. Add the Network Service to the Security table allowing Full Control (default option).
    5. Restart the monitor machine.

    Once you have completed this stage of the procedure, restart the ControlUp Real-Time Console. When you log into the console, you should see a Certificate icon displayed at the bottom of the console window.
    You should repeat this for every machine running the ControlUp Real-Time Console. You can export the registry configuration and import it to the other machines running the console and the monitors. 

    You must now configure the ControlUp Agent machines per the instructions in this article: Certificate-Based Agent Authentication.


  • Agent Security Best Practices

    The ControlUp agent is a central component of the ControlUp architecture. It is a lightweight executable that is deployed on your managed machines to provide performance information and handle the execution of ControlUp actions on those machines.

    Security Best Practice Recommendations

    At ControlUp we care about your security and are committed to the protection of your infrastructure and data. These recommendations help reduce the risk of a potential attacker trying to manipulate a ControlUp Agent in case that potential attacker has already gained access to your internal environment.

    Follow these steps to secure the communication between ControlUp components so you can further minimize the risk of any intrusion into your organization’s networks and systems.

    Secure Communication between ControlUp Console/Monitor and ControlUp Agents

    The ControlUp agents deployed onto your machines must be able to communicate with the ControlUp Console and the ControlUp Monitors. You can secure this communication channel by performing these steps:

    • Make sure your monitored machines are running the ControlUp Agent version 8.2.5 or higher. This version includes important security enhancements.
    • Enable a Firewall Rule/Policy. This method is recommended as it’s relatively easy to implement and doesn’t rely on a ControlUp version.
    • Enable ControlUp Certificate-based agent authentication. To achieve the highest level of security, this requires ControlUp version 8.1.5 and higher.
    • Encrypt communication between the agents and all consoles and monitors.

    Firewall Inbound Rule

    On any computer running the ControlUp agent, you can enable a Firewall inbound rule that allows access to port 40705 only to authorized computers.

    Machines added to this firewall inbound rule should ideally use static IP addresses. Add all the following:

    • Machines running the ControlUp Monitor service
    • Machines running the ControlUp Console

    If you don't own a firewall for your network, we recommend using the built-in Windows firewall alongside a Group Policy to apply the firewall rule to all machines running the ControlUp Agent.
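
    With the built-in Windows firewall, the rule can be created as shown below. This is an added example, not ControlUp code: the source addresses are constructed samples and TCP is assumed as the protocol. Because Windows Firewall allow rules are additive, the second half lists any other enabled inbound allow rule that still admits any remote address on port 40705 and would defeat the restriction.

```powershell
#Requires -RunAsAdministrator
# Added example. Addresses are constructed; TCP is an assumption of this example.

$AgentPort      = 40705
$AllowedSources = @('10.20.30.40', '10.20.30.41')   # consoles and monitors (constructed)
$RuleName       = 'ControlUp Agent - consoles and monitors only'

# Create the scoped allow rule once. Inbound traffic that matches no allow rule
# is dropped when the profile's default inbound action is Block.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        DisplayName   = $RuleName
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = 'TCP'
        LocalPort     = $AgentPort
        RemoteAddress = $AllowedSources
    }
    New-NetFirewallRule @rule | Out-Null
}

function Test-PortInFilter {
    # True when a firewall port filter (Any, a single port, or a range) covers $Port.
    param($LocalPort, [int]$Port)
    foreach ($p in @($LocalPort)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

# Audit: enabled inbound allow rules that cover the agent port for ANY remote address.
$tooBroad = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        if ($portFilter.Protocol -in @('TCP', 'Any') -and
            (Test-PortInFilter -LocalPort $portFilter.LocalPort -Port $AgentPort) -and
            @($addrFilter.RemoteAddress) -contains 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                LocalPort = @($portFilter.LocalPort) -join ','
                Program   = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        }
    }

# Review each hit: a rule scoped to another program does not expose the agent,
# but a port-wide or agent-specific rule with RemoteAddress Any does.
$tooBroad | Format-Table -AutoSize

# Default inbound action per profile; it should be Block for the scoped rule to matter.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```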

    Certificate-based Agent Authentication

    You can enable ControlUp Agent machines to communicate only with those machines that can be authenticated via signed security certificates.  

    From version 8.2.5 you can also enforce this certificate-based authentication using agent MSI deployment.

    For details on how to configure this certificate-based authentication between the agent machines and the ControlUp Console and Monitor machines, see Certificate-Based Agent Authentication.

    Encrypt Agent Communication

    You can select to encrypt the communication between all agents and all consoles and monitors within your ControlUp organization. This is an option you can select in the Agent Deployment Settings page of the Real-Time Console.

    For details on how to enable this encryption option, see Agent Security Options in Agent Settings.


  • Certificate-Based Agent Authentication

    You can enable tighter control over how the ControlUp Agent communicates with the ControlUp Console and ControlUp Monitors.

    The procedure below prevents other machines from accessing the agent unless they have been authorized via digital certificate. This is the highest level of security you can apply to the communication between the ControlUp Console and Monitors and the ControlUp Agents.

    You can read more about ControlUp Agent Security Best Practices and different configuration options.


    Prerequisites

    • ControlUp version 8.1.5.649 or higher
    • *.PFX certificate 
    • *.CER certificate 
    • GPO template to deploy the settings on the agent side. 
      Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and the ACL method described here.

    Create the Certificates

    You should assign a trustworthy member in your organization as the certificate authority administrator. This administrator should provide the public key and private key certificates.

    When creating the certificates, consider the following:

    • The supported key sizes are 2048 and 4096 bits.

    • When a certificate is created, an expiration date is set with it. It’s important to keep this in mind for future renewals.

    • When renewing the certificate, the thumbprint must be replaced in the GPO deploying to the agents and also on the monitor/console machines.

    Run a PowerShell Script to Configure the ControlUp Console and Monitor Machines 

    The steps to configure the ControlUp Console and ControlUp Monitor machines can be accomplished by running the PowerShell script Assign auth certificates to CU that is attached to this article as a text file. 

    Note: If you want to understand the manual steps behind this script, see Certificate-based Agent Authentication - Manual Configuration on Console & Monitor Machines.

    Additional prerequisites and notes about running the script

    • You must have remote access from the machine where you are running the script to all the console and monitor machines where you are applying the certificate. You can use the -credential parameter described below to ensure that the account you specify has remote access to all the machines. 

    • You can use the script to either access a certificate that's already installed in the machine or specify a file for importing a certificate.

    • If using the -copyCertificateLocally parameter described below, the machine running the script must have read access to the certificate specified in the -certificatePath parameter. 

    • Requires PowerShell version 3 or higher on the machine running the script.

    Script parameters

    Here is a list of the script's parameters with descriptions:

    certificatePath

    Path to the .pfx certificate file to import. Can be a folder if there is only one .pfx file contained in the folder.

    certificateSubject

    Regular expression to match the name of an existing installed certificate if you want to use that existing certificate rather than importing one from a file.

    clearTextPassword

    Password for the private key in the .pfx certificate.

    secureStringPassword

    Password for the private key in the .pfx certificate as a secure string.

    computers

    A comma-separated list of console and monitor machines to which you want to apply the certificate.

    If none is specified or the computersFile parameter is not used, the certificate is applied only onto the local machine.

    computersFile

    A path and name of the text file containing one machine per line. Blank lines and those starting with # are ignored as are any characters like space or # after the computer name.

    Use this parameter or the computers parameter to identify the machines on which to apply the certificate. If not specified and the computers parameter is not used, the certificate is applied only onto the local machine.

    copyCertificateLocally

    Copy the certificate file specified by the -certificatePath parameter to the %temp% folder on the remote machine and delete the copy after import.

    credential

    PSCredential object to use for the PS remoting. If you assign a $null value to this parameter, while running the script you are prompted to enter the PowerShell remoting credentials.

    If you don't use this parameter, you must have remote access to the machines to which you are applying the certificate.

    useSSL

    Use SSL for PS remoting.

    noRestart

    Do not restart the ControlUp monitor service if present.

    port

    Use the specified port for PS remoting rather than the default.

    Use case examples of the script

    1. Configure the already existing certificate containing *.madonna.local in the subject for use by ControlUp on machines glcumonitor01 and glcumonitor02:

    & '.\Assign auth certificates to CU.ps1' -certificateSubject '*.madonna.local' -computers glcumonitor01,glcumonitor02

    2. Configure the already existing certificate containing *.madonna.local in the subject for use by ControlUp on the local machine:

    & '.\Assign auth certificates to CU.ps1' -certificateSubject '*.madonna.local'

    3.  Prompt for credentials to use for remoting to machines to apply the certificate. Use this parameter when the account running the script does not have PowerShell remoting permissions. Then configure the already existing certificate containing *.madonna.local in the subject for use by ControlUp on the local machine:

    & '.\Assign auth certificates to CU.ps1' -certificateSubject '*.madonna.local' -credential $null

    4. Import the certificate from the file c:\temp\controlup.pfx then copy it to each machine specified in the file C:\temp\cucertmachines.txt, one entry per line representing a console or monitor machine. Then import the certificate into that computer's personal certificate store and configure for use by ControlUp.

    & '.\Assign auth certificates to CU.ps1' -certificatePath c:\temp\controlup.pfx -Verbose -password "mypassword1" -copyCertificateLocally -computersFile C:\temp\cucertmachines.txt

    Verify the Certificate on the ControlUp Console Machines

    Once you have completed running the script, restart the ControlUp Real-Time Console. When you log into the console, you should see a Certificate icon displayed at the bottom of the console window.
    You should repeat this for every machine running the ControlUp Real-Time Console. 

    Verify the Certificate on the ControlUp Monitor Machines

    The machines running the ControlUp Monitors can be verified by checking the Registry Editor to see that the keys were imported to the machine and include the following: RegKeyThumbprint.png

    If you want to verify the communication to the monitor machine with a certificate, you can use a tool like log4net. Within the data the log supplies, you should see the following among the log lines:

    Client certificate read
    Enabled=True Thumbprint=<thumbprint value> key=HKEY_LOCAL_MACHINE
    Applying client certificate found on HKLM
    Client certificate was loaded

    Note: To stop the logging, stop the monitor service and remove the file that creates the logs (e.g. log4net). 

    Configure the ControlUp Agent Machines

    We recommend deploying the agent certificate and registry values via a GPO. The steps below describe how to install the certificate and registry values manually for testing purposes. 

    Both the manual setup and via a GPO require the public key (e.g. *.cer file). Each certificate should be stored in the Trusted Publishers certificate store of the local machine in scope.

    The ControlUp Agent supports multiple trusted certificates that can identify authorized consoles and monitors.

    Apply Public Key Certificate Manually to the Machines Running the ControlUp Agent

    1. Copy the public key certificate file (.cer) to the Trusted Publishers directory in the machine running the ControlUp Agent.

    2. On the agent machine, right-click the file and select Install Certificate. The Certificate Import Wizard opens.


    3. Select Local Machine and click Next.

    4. Select Place all certificates in the following store.

    5. Click Browse to select the Trusted Publishers directory and click Next.

    6. Click Finish, and the Certificate Import Wizard confirms that the import was successful.

    Configure Registry Key on the ControlUp Agent Machine

    For the agent to start enforcing client-side certificate authentication, a registry configuration is required. The registry key should be configured under the HKLM registry hive. This configuration can be part of a GPO.
    Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and the ACL method described here.

    Here is the manual procedure you can use for testing.

    1. Open the Registry Editor and go to: HKLM\SOFTWARE\Policies\Smart-X\ControlUp\Agent\TrustedClients

      Note: Missing keys must be created manually.

    2. Create a DWORD value named Enabled and assign it the value of 1.
    3. Create a Multi-String value (REG_MULTI_SZ) named Certificates. This key must contain all of the trusted certificates' thumbprints.

      The added key should look something like this:

      RegEdAgentConfirm.png

    Your ControlUp Agent will now communicate with only those ControlUp Consoles and ControlUp Monitor machines that can be authenticated by their private key certificates.
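
    The manual agent-side procedure, written out for a test machine. This is an added example, not ControlUp code or the GPO template: the .cer path is a constructed placeholder. It appends the new thumbprint to any thumbprints already trusted, which is what a certificate renewal needs, and then reports list entries that have no matching or unexpired certificate in Trusted Publishers.

```powershell
#Requires -RunAsAdministrator
# Added example for testing on one agent machine; production deployment is via GPO.

$CerPath = 'C:\temp\controlup.cer'   # constructed placeholder path to the public certificate
$Store   = 'Cert:\LocalMachine\TrustedPublisher'
$RegPath = 'HKLM:\SOFTWARE\Policies\Smart-X\ControlUp\Agent\TrustedClients'

# 1. Import the public certificate into Local Machine > Trusted Publishers.
$imported = Import-Certificate -FilePath $CerPath -CertStoreLocation $Store

# 2. Create missing keys and read the thumbprints that are already trusted.
if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
$current  = Get-ItemProperty -Path $RegPath -Name Certificates -ErrorAction SilentlyContinue
$existing = @($current.Certificates | Where-Object { $_ })

# 3. Append the new thumbprint without duplicating entries, then write
#    Enabled (DWORD) and Certificates (REG_MULTI_SZ).
[string[]]$trusted = @($existing + $imported.Thumbprint | Sort-Object -Unique)
New-ItemProperty -Path $RegPath -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $RegPath -Name Certificates -PropertyType MultiString `
    -Value $trusted -Force | Out-Null

# 4. Audit: every listed thumbprint should have an unexpired certificate in the store.
#    Entries left over from an old certificate show up as InStore = False or Expired = True.
$now = Get-Date
$report = foreach ($tp in $trusted) {
    $cert = Get-ChildItem -Path $Store |
            Where-Object { $_.Thumbprint -eq ($tp -replace ' ', '') } |
            Select-Object -First 1
    [pscustomobject]@{
        Thumbprint = $tp
        InStore    = [bool]$cert
        NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        Expired    = if ($cert) { $cert.NotAfter -le $now } else { $null }
    }
}
$report | Format-Table -AutoSize
```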

    Enforce Certificate-Based Authentication 

    From version 8.2.5 and higher, you can enforce the use of this feature on the agent machine if you use the MSI installer to install the agents on monitored machines.

    Param name: CERTONLY
    Usage:  CERTONLY=True
    Usage example:   Agentinstaller.msi CERTONLY=True 

    We recommend adding this parameter to enforce the use of certificate-based authentication. This means that the key-pair authentication that comes by default from ControlUp for version 8.2.5 is not used; instead, your own private/public certificates are used to authenticate communication between the agent and the console and monitor machines.

  • Agent Security Options in Agent Settings

    ControlUp is continuing to improve the security around the communication between ControlUp Agents and the Real-Time Console and ControlUp Monitors in your environment. 

    For more information on how to set up secure agents, read the ControlUp Agent Security Best Practices.

    The following enhancements are available for the ControlUp Agent when adding machines to the ControlUp Console:

    Encrypt Agent Communication

    In the Real-Time Console > Agent Deployment Settings page, you can choose to encrypt the communication between all agents within the ControlUp organization in which you select this option.


    Encrypt Communication with the ControlUp Agents

    This option is turned off by default. You can select this option in the Agent Settings page in the Real-Time Console.

    Prerequisites:

    • Only a user who is the Organization Owner or who has Roles Manager permissions as set in the Security Policy Panel can select this option.
    • .Net Framework 4.7.2 or later must be installed on the agent, console, and monitor.

    To Encrypt Communication with the ControlUp Agents:

    1. In the Real-Time Console > Settings menu, select Agents. The Agent Deployment Settings page opens.
    2. Select Use only encrypted communication.
    3. Restart the Real-Time Console and all monitor clusters.
    4. Update all agents to version 8.2.5 or higher.

    Troubleshooting

    If this option is selected and you get any of these messages:

    • The agent does not support encrypted communication
    • Failed to establish an encrypted connection with the agent
    • Operation timeout

    Ensure that all consoles, monitors, and agents are running:

    • .Net framework version 4.7.2 or higher
    • ControlUp version 8.2.5 or higher

    Agent Authentication Key

    ControlUp generates a unique authentication key for every ControlUp organization. By default, all agents are configured with this public authentication key and accept communication only from trusted consoles or monitors that have the same corresponding private key.

    The authentication key is automatically configured for the agent machine during deployment.

    Access Key Value

    Because this is the default method of authenticating communication between the agents and the consoles and monitors, you don't have to take any action.

    If for any reason you do need to access the Agent Authentication Key, you can access it in the Real-Time Console > Settings > Agent Deployment Settings page. The same key is used for all agents deployed from this console.


    Click Copy to access the key value itself.

    On the agent machine, this authentication key is stored in the ControlUp Agent's registry in this path: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication\AuthKey

    The key can be manually set at any time and does not require the agent machine to be restarted.

    Add Key to Configuration Files that Install the Agents

    When installing agents using the Add Machine feature in the Real-Time Console, this key is automatically added to the agent machine by default.

    If you select not to deploy the agents automatically when the machines are added to the organization, you must manually add the same key as displayed in the Agent Deployment Settings page to whatever configuration file you are using to add the agent.

    To manually configure the key:

    Ensure that these registry key specifications are on every machine where the agent is deployed:

    • Path: HKLM\SOFTWARE\Smart-X\ControlUp\Agent\Communication

    • Name: AuthKey

    • Type: REG_SZ

    • Value: Public key string base64 encoded from the Real-Time Console > Agent Deployment Settings page. 

    To deploy agents along with the key using an MSI installer command parameter:

    The Agent MSI installer enables you to configure the Agents Authentication Key using an MSI PARAM.

    If you use the link to Download MSI Installer in the Real-Time Console > Agent Deployment Settings page, that MSI already comes configured with this parameter but you must update the key value.

    Param name: AUTHKEY 
    Usage:   AUTHKEY=agent authentication key 
    Usage example:  msiexec /i Agentinstaller.msi AUTHKEY=<AgentAuthenticationKey> /qb

    Installing an agent along with this parameter configures the specified authentication key for the agent.


  • ControlUp Agent Access Control List (ACL)

    You can enable tighter control over how the ControlUp Agent communicates with the ControlUp Console and ControlUp Monitors.

    You can read more about ControlUp Agent Security Best Practices and different configuration options.

    The procedure below prevents other machines from accessing the agent unless their URLs have been added to an Access Control List (ACL) on the agent machines. This IP restriction can be applied on the ControlUp Agent machines to inspect the client IP and cross-reference it with a whitelist configured in the registry.

    Configure the Registry with an ACL Whitelist

    The console and monitor IPs to add to this list can be specific (e.g. 10.20.30.40) or listed using CIDR notation (e.g. 10.20.30.40/24). This configuration can be part of a GPO.
    Note: You can create your own GPO or use the attached zip file which contains a template for both this method of authentication and certificate-based authentication described here.

    Here is the manual procedure.

    1. Open the Registry Editor.

    2. Navigate to: HKLM\SOFTWARE\Policies\Smart-X\ControlUp\Agent\IPACL
      Missing keys must be manually created. 

    3. Create a DWORD value named Enabled and assign it the value of 1.

    4. Create a Multi-String value (REG_MULTI_SZ) named addresses. This key contains the permitted origin addresses of all ControlUp Console and ControlUp Monitor machines that communicate with this agent machine.
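
    Before deploying the list, it is worth checking that every console and monitor address is actually covered and seeing how wide each CIDR entry is. The PowerShell below is an added example, not ControlUp code: the addresses and machine names are constructed, it handles IPv4 only, and it assumes standard CIDR semantics, since the page does not describe how the agent parses entries. Under those semantics the article's own example 10.20.30.40/24 admits all of 10.20.30.0 to 10.20.30.255, not just one host.

```powershell
# Added example. IPv4 only; standard CIDR matching is an assumption of this example.

function ConvertTo-IPv4Number {
    # Dotted-quad string -> 64-bit integer, rejecting anything that is not plain IPv4.
    param([string]$Address)
    $ip = $null
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        throw "Not an IPv4 address: '$Address'"
    }
    [byte[]]$bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)                      # network order -> little-endian
    [int64][BitConverter]::ToUInt32($bytes, 0)
}

function Test-AclMatch {
    # True when $ClientIp falls inside $Entry (a single address or address/prefix).
    param([string]$Entry, [string]$ClientIp)
    $address, $prefix = $Entry.Trim() -split '/', 2
    if ($null -eq $prefix) { $prefix = '32' }     # bare address = exactly one host
    if ($prefix -notmatch '^\d{1,2}$' -or [int]$prefix -gt 32) {
        throw "Bad prefix length in '$Entry'"
    }
    [int64]$mask = 4294967296 - [int64][math]::Pow(2, 32 - [int]$prefix)
    ((ConvertTo-IPv4Number $address) -band $mask) -eq
        ((ConvertTo-IPv4Number $ClientIp) -band $mask)
}

# Constructed sample data: the planned ACL and the machines that must get through.
$Acl     = @('10.20.30.40', '10.20.31.0/24')
$Clients = [ordered]@{
    console01 = '10.20.30.40'
    monitor01 = '10.20.31.17'
    monitor02 = '10.20.32.5'    # deliberately outside the ACL
}

# 1. How many addresses does each entry admit? Wide entries deserve a second look.
$Acl | ForEach-Object {
    $bits = if ($_ -match '/(\d+)$') { [int]$Matches[1] } else { 32 }
    [pscustomobject]@{ Entry = $_; AddressesAdmitted = [math]::Pow(2, 32 - $bits) }
} | Format-Table -AutoSize

# 2. Is every console and monitor covered by at least one entry?
$coverage = foreach ($name in $Clients.Keys) {
    $hit = @($Acl | Where-Object { Test-AclMatch -Entry $_ -ClientIp $Clients[$name] })
    [pscustomobject]@{
        Machine   = $name
        Address   = $Clients[$name]
        Covered   = $hit.Count -gt 0
        MatchedBy = $hit -join ', '
    }
}
$coverage | Format-Table -AutoSize

# 3. Write the values only when nothing is left uncovered (run elevated).
if (-not ($coverage | Where-Object { -not $_.Covered })) {
    $RegPath = 'HKLM:\SOFTWARE\Policies\Smart-X\ControlUp\Agent\IPACL'
    if (-not (Test-Path -Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegPath -Name addresses -PropertyType MultiString `
        -Value ([string[]]$Acl) -Force | Out-Null
}
```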

  • Secure Your Organization

    Whether you are the only systems administrator in your environment or have a large IT team collaborating on management and monitoring tasks using ControlUp, it is important to make yourself familiar with the out-of-the-box Security Policy and adjust it to your needs.

    This article provides a brief overview of ControlUp’s Security model. For more information regarding ControlUp’s rights and permissions, see the Security Policy Pane article.

    Know Your Roles

    ControlUp’s default Security Policy grants permissions for two built-in user roles. You cannot delete or modify membership for these roles:

    Local Admins – a ControlUp user is considered a member of this role when they have local administrative privileges on the managed computer. By definition, your membership in this role may vary depending on the context. When performing a management action on multiple computers, a ControlUp user’s current Windows credentials are evaluated on each computer, so a user might be a member of “Local Admins” on one computer but not on another.

    Organization Members – this role includes all ControlUp users logged into your organization. When a user on your network launches ControlUp and logs on to your current organization, they become members of this group and remain so until logging off or exiting ControlUp.

    Review Default Permissions

    By default, Local Admins are granted permission to perform all management actions available in ControlUp. This means that before a ControlUp user can perform a management action, ControlUp checks whether this user’s current Windows account is a member of the local Administrators group on the managed computer. If this validation fails, the management action is not invoked.

    Organization Members are allowed to perform organization-wide actions but not management actions. For example, they can see the folder tree, create or modify folders, add or remove computers and connect to computers to see their performance information. However, they cannot perform any actions on the managed computers.

    Configure Custom Roles and Restrict Actions

    You can create custom roles for different teams or individuals on your network using the “Manage Roles” window. Active Directory users and groups from any domain or forest configured in ControlUp may be members of these custom groups.

  • Configure ControlUp UI & Features Using a Group Policy

    You have the option to restrict the display of the ControlUp Real-Time Console user interface components by using the Microsoft Group Policy. You can hide panes, views, actions, columns, and buttons, thus creating a limited view that may be useful for delegated administrators, such as helpdesk personnel. These restrictions are visual only in terms of what is visible in the console. They do not change any permissions the user might have to perform actions in ControlUp.

    Usage

    Download the administrative templates ZIP file from here and extract both files, the ControlUpConsole2020.admx and ControlUpConsole2020.adml to your policy definition folder.

    For a detailed explanation on Group Policy Templates refer to http://msdn.microsoft.com/en-us/library/bb530196.aspx

    After importing the template, your policy should look like this:

    GroupPolicy.png

    The policies are applied to users. Use the template in GPOs linked to Active Directory OUs in which your delegated ControlUp administrators’ user accounts are located.

    Under ControlUp > Console in the policy, there is a subfolder for each pane, view, ribbons, and settings window. The policy names are sorted alphabetically.

    The following user interface components may be hidden using the policy template:

    Advanced Settings

    • Disable process flat views
    • Prevent automatic agent deployment
    • Regulate information updates
    • Search box behaviour

    Controllers Pane

    • The controller pane can hide the entire pane or individual controllers

      Machines:
      • Services
      • Registry
      • File System
      • Programs and Updates

      Users:
      • Registry controller
      • User Registry

      Enterprise:
      • Shares

    Events Pane

    • The events pane has only one policy ‘Hide’.

    Incidents Pane

    • The incidents pane has only one policy ‘Hide’.

    Monitor status

    • The monitor status view has only one policy ‘Hide’.

    My Organization Pane

    • Holds the majority of the policies. As the default view of ControlUp, it cannot be hidden.

    Accounts view

    • You can hide the Accounts View
    • In the subfolder “Accounts columns” you can ‘Hide’ each of the available columns
      • Computers
      • CPU
      • Memory (Private Bytes)
      • Name
      • Page Faults/sec
      • Processes
      • Sessions
      • Stress Level

    Agent Control

    • You can hide any of the actions you can perform on ControlUp Agents
      • Agent Control
      • Deploy .NET Framework
      • Properties context menu
      • Restart Remote Agent
      • Set Listening Port
      • Start Remote Agent
      • Stop Remote Agent
      • Uninstall Remote Agent
      • Upgrade Remote Agent

    Computer View

    • You cannot hide the Machines View.
    • In the subfolder “Machines columns” you can ‘Hide’ each of the available columns
    • You can hide the following actions:
      • Abort Shutdown
      • Admin$ Diagnostics Instruction
      • Disable Process Execution
      • Enable Process Execution
      • Launch Event Viewer On Remote Computer
      • Flush DNS
      • Import Registry Computer
      • NSLookup Diagnostics Instruction
      • Ping Diagnostics Instruction
      • Reboot machine
      • Refresh Machine Policy
      • Send Message (same as in sessions view)
      • Send Super Message (same as in sessions view)
      • Send Wake On Lan Signal
      • Shutdown machine
      • Run As User
      • Test WMI Diagnostics Instruction
      • Trace Diagnostics Instruction
      • Wake On Lan
      • XenDesktop site management >> Enable Maintenance Mode
      • XenDesktop site management >> Disable Maintenance Mode

    Applications view

    • You can hide the Applications view
    • In the subfolder “Applications columns” you can ‘Hide’ each of the available columns

    Folders view

    • You can hide the Folders view

    • In the subfolder “Folders columns” you can ‘Hide’ each of the available columns
      • Avg Sessions per Computer
      • Computers CPU
      • Computers
      • Connected Computers
      • Critical Stressed Computers
      • Critical Stressed Processes
      • Critical Stressed Sessions
      • Description
      • Disconnected Computers
      • Folders Path
      • High Stressed Computers
      • High Stressed Processes
      • High Stressed Sessions
      • Low Stressed Computers
      • Low Stressed Processes
      • Low Stressed Sessions
      • Max Sessions per Computer
      • Mid Stressed Computers
      • Mid Stressed Processes
      • Mid Stressed Sessions
      • Min Sessions per Computer
      • Name
      • Page Faults/sec
      • Processes
      • Sessions
      • Stress Level
      • User Sessions

    Process view

    • You can hide the Process view
    • In the subfolder “Process columns” you can ‘Hide’ each of the available columns
    • You can hide the following actions:
      • End Process
      • Go To >> Session
      • Kill Process
      • PsKill
      • Set Process Priority

    Session view

    • You can hide the Session view
    • In the subfolder “Session columns” you can ‘Hide’ each of the available columns
    • You can hide the following actions:
      • Chat
      • Disconnect Session
      • Get Session Screenshot With Approval
      • Get Session Screenshot With Notification
      • Get Session Screenshot Without notifying the user
      • Go To >> Computer
      • Import registry user
      • Logoff session
      • Reapply group policy
      • Refresh user group policy
      • Remote assistance
      • Kill policy
      • Send message (same as in computers view)
      • Send super message (same as in computers view)

    Remote Desktop pane

    • You can hide all Remote Desktop actions from the ControlUp Console

    Ribbons

    • You can hide the following options from the Ribbons menus

      Buttons:
      • Add Cloud Connection
      • Add Computers
      • Add EUC Environment
      • Add Hypervisor
      • Add Incident Trigger
      • Add Monitor
      • Add NetScaler
      • Actions
      • Columns
      • ControlUp Insights
      • Display
      • Export
      • Linux Data Collector
      • Script Actions
      • Solve
      • Manage Monitors
      • User Permissions
      • Virtual Expert

    Security Policy pane

    • You can hide the Security Policy pane from ControlUp Console

    Settings

    • You can hide all the settings or the following individual settings:
      • AD Connections
      • Active Application
      • Advanced
      • Agent
      • Alerts
      • App Load Time
      • Audit Log
      • Branch Mapping
      • Browser URLs
      • Controller Lists
      • Credentials Store
      • Data Upload
      • Display
      • Events
      • Export Schedule
      • Insights Access
      • Monitors
      • Proxy
      • Remote Assistance
      • Schedule
      • Security
      • Stress
      • Triggers
      • Virtual Expert