What is the Maintenance Service?


Overview

The Maintenance Service is a Windows service that runs on the server where the Admin Portal site is installed.
The service name is "AGAT SphereShield Maintenance Service".

The default location of the Maintenance service is: C:\Agat\MaintenanceService 

The Maintenance service runs periodically to perform the following tasks:

  • Sending emails and IMs
  • Filling in missing details of registered users from AD
  • Blocking / deleting users that were disabled/deleted in AD
  • Handling users' password expiration including sending alerts to the user before their password expires (when using SphereShield credentials)
  • Periodic cleanup of database log tables (deleting old records)

Note: Starting with version 3.7.0, the Housekeeping was changed to the Maintenance service, which runs as a service separate from the Admin Portal.

The logs of the new Maintenance service are written to D:\Agat\logs\maintenence service instead of C:\Inetpub\Access portal\logs.

The logs can also be configured in SphereShield.MaintenanceService.log4net.config under C:\Agat\maintenance service\Configuration.


There are two types of Maintenance service operation: immediate operations and routine operations. Immediate operation includes IM sending for Ethical Wall and/or DLP events; this type of operation runs every few seconds. Routine operation includes other non-urgent Maintenance service activities such as AD syncing or sending email. 

  • Note: When MDM is used, the running operation can be configured in hours.

Please refer to the install guide for supporting multiple instances of Maintenance services on multiple AP servers.  

  

Maintenance Service Settings 


In order to get to the Maintenance Service settings, we'll need to sign into the admin area of the Admin Portal → Settings → Maintenance service.

Alternatively we can use the URL /admin/settings?category=settings_housekeeping_service_category_header

In the above screenshot 3 settings are presented:  

  • Use Maintenance service service – Determines if the Maintenance service will run at all. Setting it to ‘Yes’ sets the Maintenance service to run  
  • Maintenance service immediate operation interval – Determines how often the Maintenance service immediate operation will run (value represents seconds)  
  • Maintenance service Routing operation interval – Determines how often the Maintenance service routine operation will run (value represents minutes)  


Database Cleanup

  

The above screenshot presents the “Database cleanup” section of the Maintenance service 

  • Automatic Database cleanup – This setting determines if the Maintenance service will perform Database cleanup or not.
  • Number of days to keep Activity Auditing records – how long activity auditing records will be kept in the database (in days).
  • Number of days to keep DLP log records – how long DLP log records will be kept in the database (in days).
  • Number of days to keep Ethical Wall calculation log records – how long Ethical Wall calculation log records will be kept in the database (in days).
  • Number of days to keep sent messages records – how long sent messages records will be kept in the database (in days).
  • Number of days to keep manual approval log records – how long manual approval log records will be kept in the database (in days).
  • Number of days to keep MDM maintenance records – how long MDM maintenance records will be kept in the database (in days).
  • Number of days to keep Security Auditing log records – how long security auditing log records will be kept in the database (in days).
  • Number of hours to keep Maintenance service maintenance log records – how long Maintenance service maintenance log records will be kept in the database (in hours).
  • Number of minutes to keep Email outbox messages – how long Email outbox messages will be kept in the database (in minutes).
  • Number of minutes to keep IM outbox messages – how long Instant message outbox messages will be kept in the database (in minutes).
  • Number of minutes to keep pending SkypeShield App IDs – how long pending SphereShield App IDs will be kept in the database (in minutes).
  • Number of days to keep not registered Managed Devices – Number of days to keep devices in Pre-Auth Status in Managed Devices Registration.

Policy Engine Calculation

  


The screenshot above presents the “Policy Engine Calculation” section of the Admin Portal. The Policy Engine Calculation is a feature of the Maintenance service which takes “Expired” Ethical Wall policy cache records and recalculates them in order to renew them.

  • Policy engine calculation operation interval – how often the recalculation of expired Ethical Wall policy cache records will occur  
  • Policy engine Records taken in loop – how many Ethical wall policy cache records will be checked during each run

Active Directory

  

The above screenshot presents the “Active directory” section of the Maintenance service settings  

This section defines how the Maintenance service interacts with LDAP:  

  • Number of users to check each interval – the number of users the Admin Portal will query for in each run  
  • Fill in missing user information from LDAP – Determines if the Admin Portal will use the LDAP queries to fill in missing user information (Display name, SIP Address, UPN, etc.)
  • Block devices for disabled Active Directory accounts – Setting this to ‘Yes’ will Block devices found in the “Registered devices” table that are registered under users that were found to be disabled in the AD  
  • Block devices for removed Active Directory accounts – Setting this to ‘Yes’ will Block devices found in the “Registered devices” table that are registered under users that were not found in the AD.  
  • Reset failed login after success sign in – This setting determines whether or not the Admin Portal will actively reset the lockout attempts in the failed login table after a user has registered their device. 
  • Synchronize SIP addresses from AD – Setting this to 'Yes' will cross-check the SIP address from AD against the device's SIP address and update it accordingly


Mobile device management

  

The screenshot shown above is of the “MDM” section of the Maintenance service settings. 

  • Interval of updating devices from MDM (hours) – the interval that the Maintenance service will pull device information from the MDM server.
  • Fetch device information from MDM – Determines if the Admin Portal will fetch devices from the MDM server and populate the “Managed devices registration”.
  • Complete missing managed device values into from MDM device table – If set to 'Yes', fills UDID from the MDM server based on the device type and username.
  • Block Devices that are OOC in MDM – Changing this to “Yes” will block devices in the “Registered devices” table that were found to be Out of Compliance by the MDM queries. Notifications are available when this is enabled.
  • Block devices that are not managed in MDM – Changing this to “Yes” will block devices in the “Registered devices” table that were not found in the MDM
  • Block devices that did not download SfB from MobileIron catalog – Setting this to "Yes" will block devices that have downloaded the Skype for Business app from a public source (e.g. Google Play / iOS App Store) by not allowing them to register. Only devices with the Skype for Business app downloaded from the MobileIron catalog are allowed.

Other Settings

The above screenshot presents the “Others” section of the Maintenance service settings  

  • Check SkypeShield Credentials expiration age – resets SkypeShield password when expired and notifies the user by mail when this is about to happen   
  • Process email messages – defines whether the Email messages will be sent out as part of the Maintenance service operation  
  • Process IM messages – defines whether the IM messages will be sent out as part of the Maintenance service operation  
  • Log to windows event log – Enabling this setting will make the Admin Portal log information to Windows event log  
  • Inactive devices handling – defines the behavior of the Admin Portal regarding old devices that have not been used recently  
  • Remove expired pending devices – When using “Self-registration” as the registration method, end users need to enter the User area of the Admin Portal to create a “Pending device” record. If they do not register a device within the timeframe of the Pending device, this “Pending device” record will expire. This setting determines if the Admin Portal will clean these expired records.
  • Sync eDiscovery data warehouse – If set to "Yes", the Maintenance service will build or refresh the eDiscovery data by syncing to the eDiscovery data warehouse.


Operation modes  

Below is a table of each of the above settings with their operation mode.   
This means that actions that are set to “Routine” will run as often as the “Routine” Maintenance service operation runs, and those that are set as “Immediate” run as often as the “Immediate” operation runs.    

   

| Field Display Name | Operation | Section |
|---|---|---|
| Automatic database cleanup | Routine | Database cleanup |
| Number of days to keep Activity Auditing records | Routine | Database cleanup |
| Number of days to keep DLP log records | Routine | Database cleanup |
| Number of days to keep Ethical Wall calculation log records | Routine | Database cleanup |
| Number of days to keep Ethical Wall load log records | Routine | Database cleanup |
| Number of days to keep sent messages records | Routine | Database cleanup |
| Number of days to keep Manual approval log records | Routine | Database cleanup |
| Number of days to keep MDM maintenance records | Routine | Database cleanup |
| Number of days to keep Security Auditing records | Routine | Database cleanup |
| Number of hours to keep maintenance service log records | Routine | Database cleanup |
| Number of minutes to keep Email outbox messages | Routine | Database cleanup |
| Number of minutes to keep IM outbox messages | Routine | Database cleanup |
| Number of minutes to keep pending SkypeShield App IDs | Routine | Database cleanup |
| Policy calculation operation interval (minutes) | Based on setting | Policy calculation |
| Policy calculation records taken in loop | Based on setting | Policy calculation |
| Number of users to check each interval | Routine | Active directory |
| Fill in missing user information from LDAP | Routine/Immediate** | Active directory |
| Block devices for disabled Active Directory accounts | Routine | Active directory |
| Block devices for removed Active Directory accounts | Routine | Active directory |
| Reset failed login after successful sign in | Routine | Active directory |
| Synchronize SIP addresses from AD | Routine | Active directory |
| Interval of updating devices from MDM | Routine | Mobile device management |
| | Routine | Mobile device management |
| Complete missing managed device values into from MDM device table | Routine | Mobile device management |
| Block devices that are OOC in MDM | Routine | Mobile device management |
| Block devices that are not managed in MDM | Routine | Mobile device management |
| Check Sphereshield credentials expiration age | | Other settings |
| Process Email messages | Routine | Other settings |
| Process IM messages | Immediate | Other settings |
| Log to Windows event log | Immediate | |
| Inactive Device handling | Routine | Other settings |
| Number of inactivity days to delete inactive devices | Routine | Other settings |
| Remove Expired Pending Devices | Routine | Other settings |
| Sync eDiscovery data warehouse | Immediate | Other settings |

**Fill in missing user information from LDAP – Some of the information is filled in as part of the routine operation and some as part of the immediate operation.