Policy for Entire Device Group Completion Notifications

As an MSP, we need the ability to notify our customers when their scheduled device group is complete. Looking to the community to see if anyone has accomplished what we’re looking to do!

Currently, Automox has the ability to notify on an individual device basis, but not when an entire group is finished. This notification also does not discriminate between device groups or users, so if you subscribe to the notification, you get an email for every patch action for every device in the org vs a summary for the entire group when it completes.

To work around this, we’ve abstracted the patch execution into a PowerShell GUI that allows us to execute the policy, automatically check the command queue every so often for each individual device until we can ensure patching is complete, and then automatically pull a summary of each device’s status (e.g. outstanding patches, reboot required) in the group, wrap it all up into a nice email and then send that to our customer’s email address based on which customer is responsible for the devices in that group (this information is stored outside Automox in a ‘scheduling table’). However, this prevents us from being able to take advantage of out-of-box functionality like scheduling and other future potential enhancements.

I’ve thought about trying to ingest/parse the native email notifications to wrap up into a group summary, but still can’t think of a way to know when an entire device group is patching/complete without extracting the execution of the policy from the console.

Does anyone else need this, or has anyone figured out a way to accomplish ‘Device Group complete’ (or Policy complete) notifications instead of individual device notifications?

5 Likes
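The polling workaround described in the post above, sketched as an added example (not the poster's tool and not Automox code). The snapshot property names (`GroupName`, `Device`, `QueuedCommands`, `PendingPatches`, `NeedsReboot`), both function names and the sample data are assumptions; `$GetSnapshot` stands in for whatever wraps the real per-device status calls. A timeout keeps one offline device from holding back a group's summary indefinitely.

```powershell
# Added example. Property names are assumptions, not Automox API field names.
function Get-GroupPatchSummary {
    param([Parameter(Mandatory)][object[]]$Snapshot,
          [Parameter(Mandatory)][hashtable]$SchedulingTable)
    foreach ($g in $Snapshot | Group-Object -Property GroupName) {
        $busy = @($g.Group | Where-Object { $_.QueuedCommands -gt 0 })
        [pscustomobject]@{
            GroupName      = $g.Name
            Recipient      = $SchedulingTable[$g.Name]   # customer address from the external scheduling table
            Complete       = ($busy.Count -eq 0)         # complete only when every device queue is empty
            StillRunning   = @($busy | ForEach-Object Device)
            Outstanding    = @($g.Group | Where-Object { $_.PendingPatches -gt 0 } | ForEach-Object Device)
            RebootRequired = @($g.Group | Where-Object { $_.NeedsReboot } | ForEach-Object Device)
        }
    }
}

function Wait-GroupPatchCompletion {
    param([Parameter(Mandatory)][scriptblock]$GetSnapshot,
          [Parameter(Mandatory)][hashtable]$SchedulingTable,
          [int]$PollSeconds = 60,
          [int]$TimeoutSeconds = 14400)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $sent = @{}                                          # groups already summarized
    do {
        $pending = $false
        $timedOut = (Get-Date) -ge $deadline
        foreach ($s in Get-GroupPatchSummary -Snapshot (& $GetSnapshot) -SchedulingTable $SchedulingTable) {
            if ($sent.ContainsKey($s.GroupName)) { continue }
            if ($s.Complete -or $timedOut) {
                $sent[$s.GroupName] = $true              # emit exactly one summary per group
                $s | Add-Member -NotePropertyName TimedOut -NotePropertyValue (-not $s.Complete) -PassThru
            } else { $pending = $true }
        }
        if ($pending) { Start-Sleep -Seconds $PollSeconds }
    } while ($pending)
}

# Constructed sample data: db01 still has a queued command on the first poll only.
$schedulingTable = @{ 'Device Group A' = 'abc-team@company-a.example'; 'Device Group C' = 'it@company-b.example' }
$script:poll = 0
$getSnapshot = {
    $script:poll++
    $dbQueue = if ($script:poll -lt 2) { 1 } else { 0 }
    [pscustomobject]@{ GroupName = 'Device Group A'; Device = 'web01'; QueuedCommands = 0; PendingPatches = 0; NeedsReboot = $true }
    [pscustomobject]@{ GroupName = 'Device Group A'; Device = 'db01'; QueuedCommands = $dbQueue; PendingPatches = 0; NeedsReboot = $false }
    [pscustomobject]@{ GroupName = 'Device Group C'; Device = 'app01'; QueuedCommands = 0; PendingPatches = 2; NeedsReboot = $false }
}
Wait-GroupPatchCompletion -GetSnapshot $getSnapshot -SchedulingTable $schedulingTable -PollSeconds 1
```

With the sample data, Device Group C is summarized on the first poll and Device Group A on the second; each emitted object carries the recipient and the per-device lists needed to build one email per group.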

Hello Hadrnero,
First I want to say this is a great idea. It would be very useful to be able to know when all systems running a policy finish the run of that policy (success or fail). Unfortunately there is not a way out of the box with Automox. I would like to write up a feature request for this so I would like to ask a few questions if you don’t mind.

Would you like to have Automox report when all devices finish the policy or would it be easier to know when a group of systems finishes the policy? The way I was thinking about it is if the group reports back when all the devices finish the policy it would report completion in stages, i.e. Group 1 finished the policy and then a few minutes later Group 2 finished the policy. Something like that. Would this be more of what you would like or would you like for you to be notified for all devices only being completed? Or both?

1 Like

Definitely would throw my vote on this one, let me know when it hits the product planning board thing. I think one of Automox’s weakest points is reporting and Slack notifications. Would love to see some backend work done on this type of stuff.

2 Likes

Hey Brandon! Thanks for the response!

Device Group Notifications
By far, we would get the most value out of a Device Group level notification. Our Device Groups each represent different segments of our customers who have individual notification destination requirements. We’re currently creating individual Policies per Device Group to ensure we can understand when the Group has completed, but Group-level notifications could potentially enable us to merge Policies that are the same in scope and execution time but targeted at different customers’ Groups, further simplifying our deployment while still allowing us to understand and notify when an individual customer’s Group has completed.

Example:
Policy A > Device Group A for Company A (ABC Application Team)
Policy B > Device Group B for Company A (XYZ Application Team)
Policy C > Device Group C for Company B

All three Policies have the same patching scope and execution schedule, but each Device Group is owned by a different Company or customer segment within the Company, thus requiring separate notifications.

Policy Notifications
However, I could see this also being valuable from a Policy perspective at certain times where we need to execute 0-day patching across a lot of systems in different Groups, have Policies set to execute against multiple Groups, or need to understand when an ad-hoc Policy or Worklet has completed across multiple Groups.

Example:
Searching for a specific KB on the Software page, I can see 600 devices are impacted. Automox gives me the ability to ‘Patch Now’ - I want to know a summary of when those 600 devices have completed and which ones the patch failed on so we can immediately begin further remediation or communicate to customers/leadership that the security impacts have been resolved. I believe this would currently be a blast of 600 emails, some of which would be ‘Patches Applied’ and some ‘Patching Failed’, or waiting a while and rechecking the Software page and pulling a report of systems that are still outstanding. This use case is waaay less often than our recurring patch schedules, but would still be very useful.

This Policy-level notification may be supplemented with future Automox enhancements to do Multiple Device/Dynamic Groups - we could build a Dynamic Group to execute 0-day patches or software deployments and then leverage the Group-level notification to understand completion status instead of relying on our out-of-box execution process and individual Policies per Group. Using the above example, a Dynamic Device Group could be created for all Devices with the KB showing relevant with the notification set at that Dynamic Group level.

1 Like