SECURITY Refer to ACCOUNT > Policies and SITES > Policies in Security Level Details - Permissions
NAVIGATION Account > Policies
NAVIGATION Sites > select a site > Policies
What is an Agent policy?
Agent policies deploy settings to affect the operation and configuration of the Datto RMM Agent. They may affect Privacy Mode, Agent installation and service, security, and the Agent Browser mode. For information about the Agent, refer to Datto RMM Agent.
- Agent policies can be set up in the Web Portal at both the account and the site level. Refer to Create a policy.
- On the Policies page, click New account policy... or New site policy....
- Give the policy a Name.
- Select the type Agent.
To copy an already existing policy to use it as a template, choose it from the Based on drop-down list. To create a new policy, select New Policy.
- Click Next.
Click Add a target... to target your devices through a specific filter or group.
If you want to target more than one filter or group, add another target to the policy. Multiple targets will apply the "OR" logic, that is, the policy will be run on a device if it is included in any of the targets. For more information about target types, refer to Filters and Groups.
NOTE Filters will present you with a list of the device filters that are available in every account and any custom filters you've created yourself. Devices of Unknown device type will not be targeted by the policy.
- Click Add.
- Choose one or more of the following options:
Privacy Mode Options
|Activate Privacy Mode||Automatically turns on Privacy Mode for all devices targeted by the policy and will require end user permission when connecting to a targeted device. Once Privacy Mode is enabled on a device, the Datto RMM Administrator cannot disable this setting. Privacy Mode can only be disabled by the end user on the device itself. For further information, refer to Privacy Mode.|
|Allow connections when no user is logged in||Allows you to connect to a device when no user is logged in but Privacy Mode is active on the device.
NOTE This setting will apply to all remote connections.
|Only require endpoint permission for restricted tools||Allows you to configure Privacy Mode in a way that end user permission is only required when the following tools are used: VNC, RDP, Splashtop, Screenshot.|
|Install Service only||No system tray icon or Start menu shortcuts will be installed. It is only available for Windows devices. When this option is selected, the gui.exe process (Agent Browser) will not start on the targeted devices. For more information, refer to Hide the Datto RMM Agent icon.|
|Disable incoming jobs||Prevents the Agent from running jobs. For information on what kind of components can be installed if this feature is enabled, refer to User Tasks.|
|Disable incoming support||Prevents remote access to the targeted device from another device.|
|Disable audits||Prevents the Agent from submitting audits to the platform.|
Agent Policy Options
|Disable Privacy options||Removes access to Privacy Mode Options in the Agent.
NOTE You cannot disable Privacy Mode in the Agent using this setting if Privacy Mode has already been activated. Once Privacy Mode is enabled on a device, it can only be disabled by the end user.
|Disable Settings menu||Removes access to the Settings menu in the Agent.|
|Disable Quit options||Removes the option for the user to exit the Agent.|
|Disable Tickets tab||Removes the option for the user to log a ticket through the Agent.|
|Show "Take screenshot and request support" menu entry (Autotask PSA Only)||This option is only available if the Autotask PSA Integration is enabled. Refer to Autotask PSA Integration.
When this option is selected, the Take screenshot and request support menu entry is added to the Agent.
|Show "Request support" menu entry (Autotask PSA Only)||This option is only available if the Autotask PSA Integration is enabled. Refer to Autotask PSA Integration.
When this option is selected, the Request support menu entry is added to the Agent.
Agent Browser Mode
|Disabled||Prevents any access to the Agent Browser window.|
|User - No access to Support tab||Allows the user to open the Agent Browser window but prevents them from logging in. For more information, refer to Log into the Agent Browser.|
|Admin - can log into Support tab||Allows full access to the Agent Browser window. Refer to Agent Browser.
NOTE This is the default option.
Click Save and Push Changes.
If you click Save Only, you'll be directed to your list of policies where you can click Push changes... next to the policy in question.
IMPORTANT This functionality is only available for Windows devices.
Sometimes you may want to hide the Datto RMM icon in the system tray because you do not want your end users to access all the options it offers (for example, the option to create a ticket), or because you want to prevent the users from stopping the Agent or turning on Privacy Mode.
To hide the Agent icon from the end user, check the following option in the Agent policy: Service Options > Install Service Only.
When this option is selected, the gui.exe process (Agent Browser) will not start on the targeted devices, and the following features will be unavailable:
- Remote takeover toaster notifications. If the targeted device is using Privacy Mode, the end user will be unable to authorize remote takeover requests.
- Patch reboot toaster notifications
- Being prompted to authorize the execution of jobs
IMPORTANT Selecting the Install Service only option will not close the gui.exe process if it is already running. The targeted device needs to be restarted in order for the gui.exe process to not start on boot.