Overview
The Maintenance Service is a Windows service that runs on the server on which the Access Admin Portal site is installed.
The service name is "AGAT SphereShield Maintenance Service".
...
The Maintenance service runs periodically to perform the following tasks:
- Sending emails and IMs
- Filling in missing details of registered users from AD
- Blocking / deleting users that were disabled/deleted in AD
- Handling users' password expiration including sending alerts to the user before their password expires (when using SphereShield credentials)
- Periodic cleanup of database log tables (deleting old records)
Note: Starting with version 3.7.0, Housekeeping was changed to Maintenance service, and runs as a service which is separate from the Access Admin Portal.
The logs of the new Maintenance service will be written to CD:\Agat\logs\maintenence service, instead of C:\Inetpub\Access portal\logs.
...
There are two types of Maintenance service operation: immediate operations and routine operations. Immediate operation includes IM sending for Ethical Wall and/or DLP events; this type of operation runs every few seconds. Routine operation includes other non-urgent Maintenance service activities such as AD syncing or sending email.
- Note: In case of MDM use, the running operation can be configured in hours.
Please refer to the install guide for supporting multiple instances of Maintenance services on multiple AP servers.
...
In order to get to the Maintenance Service settings, we'll need to sign into the admin area of the Access Admin Portal → Settings → Maintenance service.
...
- Use Maintenance service – Determines if the Maintenance service will run at all. Setting it to ‘Yes’ sets the Maintenance service to run
- Maintenance service immediate operation interval – Determines how often the Maintenance service immediate operation will run (value represents seconds)
- Maintenance service routine operation interval – Determines how often the Maintenance service routine operation will run (value represents minutes)
...
- Automatic Database cleanup – This setting determines if the Maintenance service will perform Database cleanup or not.
- Number of days to keep Activity Auditing records – The value defined here will determine how long activity auditing records will be kept in the database (in days).
- Number of days to keep DLP log records – The value defined here will determine how long DLP log records will be kept in the database (in days).
- Number of days to keep Ethical Wall calculation log records – The value defined here will determine how long Ethical Wall calculation log records will be kept in the database (in days).
- Number of days to keep sent messages records – The value defined here will determine how long sent messages records will be kept in the database (in days).
- Number of days to keep manual approval log records – The value defined here will determine how long manual approval log records will be kept in the database (in days).
- Number of days to keep MDM maintenance records – The value defined here will determine how long MDM maintenance records will be kept in the database (in days).
- Number of days to keep Security Auditing log records – The value defined here will determine how long security auditing log records will be kept in the database (in days).
- Number of hours to keep Maintenance service maintenance log records – The value defined here will determine how long Maintenance service maintenance log records will be kept in the database (in hours).
- Number of minutes to keep Email outbox messages – The value defined here will determine how long Email outbox messages will be kept in the database (in minutes).
- Number of minutes to keep IM outbox messages – The value defined here will determine how long instant message outbox messages will be kept in the database (in minutes).
- Number of minutes to keep pending SkypeShield App IDs – The value defined here will determine how long pending SphereShield App IDs will be kept in the database (in minutes).
- Number of days to keep not registered Managed Devices – Number of days to keep devices in Pre-Auth Status in Managed Devices Registration.
Policy Engine Calculation
...
The screenshot above presents the “Policy Engine Calculation” section of the Access Admin Portal. Policy Engine Calculation is a feature of the Maintenance service that takes “Expired” Ethical Wall policy cache records and recalculates them in order to renew them.
- Policy engine calculation operation interval – This setting determines how often the recalculation of expired Ethical Wall policy cache records will occur
- Policy engine Records taken in loop – This setting determines how many Ethical Wall policy cache records will be checked during each run
Active Directory
...
The above screenshot presents the “Active directory” section of the Maintenance service settings
This section defines how the Maintenance service interacts with the LDAP:
- Number of users to check each interval – Specifies the number of users the Access Admin Portal will query for in each run
- Fill in missing user information from LDAP – Determines if the Access Admin Portal will use the LDAP queries to fill in missing user information (Display name, SIP Address, UPN, etc.)
- Block devices for disabled Active Directory accounts – Setting this to ‘Yes’ will block devices found in the “Registered devices” table that are registered under users that were found to be disabled in the AD
- Block devices for removed Active Directory accounts – Setting this to ‘Yes’ will block devices found in the “Registered devices” table that are registered under users that were not found in the AD.
- Reset failed login after success sign in – This setting determines whether or not the Access Admin Portal will actively reset the lockout attempts in the failed login table after a user has registered their device.
- Synchronize SIP addresses from AD – Setting this to 'Yes' will cross-check the SIP address from AD and the device's SIP address and update accordingly
...
- Interval of updating devices from MDM (hours) – This setting determines the interval at which the Maintenance service will pull device information from the MDM server.
- Fetch device information from MDM – Determines if the Access Admin Portal will fetch devices from the MDM server and populate the “Managed devices registration”.
- Complete missing managed device values from MDM device table – If set to 'Yes', fills UDID from the MDM server based on the device type and username.
- Block Devices that are OOC in MDM – Changing this to “Yes” will block devices in the “Registered devices” table that were found to be Out of Compliance by the MDM queries. Notifications are available when this is enabled.
- Block devices that are not managed in MDM – Changing this to “Yes” will block devices in the “Registered devices” table that were not found in the MDM
- Block devices that did not download SfB from MobileIron catalog – Setting this to "Yes" will block devices that have downloaded the Skype for Business app from a public source (e.g., Google Play/iOS App Store) by not allowing them to register. Only devices with the Skype for Business app downloaded from the MobileIron catalog are allowed.
...
- Check SkypeShield Credentials expiration age – This setting resets the SkypeShield password when expired and notifies the user by mail when this is about to happen
- Process email messages – This setting defines whether email messages will be sent out as part of the Maintenance service operation
- Process IM messages – This setting defines whether IM messages will be sent out as part of the Maintenance service operation
- Log to Windows event log – Enabling this setting will make the Access Admin Portal log information to the Windows event log
- Inactive devices handling – Defines the behavior of the Access Admin Portal regarding old devices that have not been used recently
- Remove expired pending devices – When using “Self-registration” as the registration method, end users need to enter the User area of the Access Admin Portal in order to create a “Pending device” record. If they do not register a device within the timeframe of the Pending device, this “Pending device” record will expire. This setting determines if the Access Admin Portal will clean these expired records up or not.
- Sync eDiscovery data warehouse – If set to "Yes", the Maintenance service will build or refresh the eDiscovery data by syncing to the eDiscovery data warehouse.
...
Field Display Name | Operation | Section |
---|---|---|
Automatic database cleanup | Routine | Database cleanup |
Number of days to keep Activity Auditing records | Routine | Database cleanup |
Number of days to keep DLP log records | Routine | Database cleanup |
Number of days to keep Ethical Wall calculation log records | Routine | Database cleanup |
Number of days to keep Ethical Wall load log records | Routine | Database cleanup |
Number of days to keep sent messages records | Routine | Database cleanup |
Number of days to keep Manual approval log records | Routine | Database cleanup |
Number of days to keep MDM maintenance records | Routine | Database cleanup |
Number of days to keep Security Auditing records | Routine | Database cleanup |
Number of hours to keep maintenance service log records | Routine | Database cleanup |
Number of minutes to keep Email outbox messages | Routine | Database cleanup |
Number of minutes to keep IM outbox messages | Routine | Database cleanup |
Number of minutes to keep pending SkypeShield App IDs | Routine | Database cleanup |
Policy calculation operation interval (minutes) | Based on setting | Policy calculation |
Policy calculation records taken in loop | Based on setting | Policy calculation |
Number of users to check each interval | Routine | Active directory |
Fill in missing user information from LDAP | Routine/Immediate** | Active directory |
Block devices for disabled Active Directory accounts | Routine | Active directory |
Block devices for removed Active Directory accounts | Routine | Active directory |
Reset failed login after successful sign in | Routine | Active directory |
Synchronize SIP addresses from AD | Routine | Active directory |
Interval of updating devices from MDM | Routine | Mobile device management |
 | Routine | Mobile device management |
Complete missing managed device values from MDM device table | Routine | Mobile device management |
Block devices that are OOC in MDM | Routine | Mobile device management |
Block devices that are not managed in MDM | Routine | Mobile device management |
Check SphereShield credentials expiration age | | Other settings |
Process Email messages | Routine | Other settings |
Process IM messages | Immediate | Other settings |
Log to Windows event log | Immediate | |
Inactive Device handling | Routine | Other settings |
Number of inactivity days to delete inactive devices | Routine | Other settings |
Remove Expired Pending Devices | Routine | Other settings |
Sync eDiscovery data warehouse | Immediate | Other settings |
...