Viewing a device's events
On the History page, you can view a device's events over a particular period of time. The following types of events are available:
- Location updated events
- Device usage events
- User updated events
- System updated events
- Rule triggered events
- Action events
Events that occurred on a device may take up to 15 minutes to show on the History page (assuming the device is online), while events that were triggered by a console user may take up to 1 minute.
To view a device's History tab, your user role needs to be granted the View permission for Device Reports. To view location updated events and action events within a device's History tab, your user role needs to be granted the View permission for Audit Event History. All administrator roles are granted these permissions.
To view the event information for a device:
- On any page that shows linked device identifiers in the first column of the results grid, such as the All Devices page in the Devices area, click the link for the device that you want to view. Summarized information about the device shows in the page header.
- Click History.
A new page opens to show a timeline of the device's events, and an overview of the first event in the timeline.
You can use the timeline to view the device's events.
By default, the timeline shows a history of the device's events over the last 30 days, in descending chronological order, but you can change the date range. Events in the History page have the same data retention period as events in Event History.
Depending on the device's event history, one or more of the following items may show on the timeline:
Location updated events
A location updated event occurs when either of the following events is logged:
An event that occurs when the device moves from one Wi-Fi, GPS, or OS location to another.
The timeline shows:
- The full street address of the device's new location. If you don't have Address-level View permissions for Geolocation, the timeline only displays the name of the city the device moved to.
- The date and time when the location was detected on the device
- The geotechnology used
Note the following:
- Location updated events are logged only when the Geolocation Tracking policy is activated in the device's policy group, and the device changes its location by more than 100 meters.
- For stolen devices, location updated events are not logged while the theft investigation is open. Note that after it's closed, location information that was collected during the investigation is not included in the device's location history.
If the Geolocation setting is enabled, and all other locations were unavailable or invalid when the location change occurred, an IP location is reported, and a Public IP location updated event is logged.
Note that IP locations are based on a device's public IP address, and location accuracy is typically low.
The timeline shows:
- The date and time when the IP location was detected on the device
- The city, state/province, and country of the location. Street addresses are not available.
To filter the timeline to only show location updated events, click the corresponding icon.
Device usage events
A device usage event occurs when a user's session state changes on the device. The timeline shows the type of device usage event that occurred. To filter the timeline to only show device usage events, click the corresponding icon.
Device usage events only apply to devices with an active Device Usage policy.
Data is available for device usage events that occur after the activation date of the Device Usage policy. After activating the policy, you'll need to wait at least a few days before you can see data on the Usage page. Also note the following:
- To capture logout and lock activities, the device must be running Secure Endpoint Agent version 7.23 or higher.
- To capture sleep, wake, and shutdown activities, the device must be running Secure Endpoint Agent version 8.0 or higher.
The following types of device usage events are supported (depending on the device platform):
- Device login: A user logged in to the device, either directly or remotely, by entering their username and password on the login screen.
- Device logout: A user or system logged out of the device and all applications are closed.
- Device unlocked: A user unlocked the device, either directly or remotely, by dismissing the Lock screen (if applicable) and entering their password on the login screen.
- Device locked: A user or system locked the device. The user is still logged in to the device and open applications are still running, but a username and password are required to unlock the device.
- Device slept: A user or system put the device in sleep mode. The user is still logged in to the device, but all actions are paused. Note that if multiple sleep/wake cycles occur during a 5-minute window, only one Device slept event is logged. However, if a Device slept event is followed by a Device login, Device logout, Device locked, or Device unlocked event, the 5-minute timer resets.
- Device woke up: A user or system woke the device up from sleep mode. Note that if multiple sleep/wake cycles occur during a 5-minute window, only one Device woke up event is logged. However, if a Device woke up event is followed by a Device login, Device logout, Device locked, or Device unlocked event, the 5-minute timer resets.
- Device shutdown: A user or system restarted or turned off the device.
Device login and Device unlocked are the only activities that apply to Chromebook devices.
Depending on the device's operating system, power settings, and the method used to power off the device, you may see different events. For example, when you restart a Windows device and unlock it with a password, Device logout, Device shutdown, and Device unlocked events are recorded. When you restart a Mac device and unlock it with a password, Device shutdown and Device login events are recorded.
When the device is restarted using a hard reset (the power button is held down to restart the device), only a Device login event is recorded.
In addition, the total number of hours and minutes that the device's screen was unlocked during each 24 hour period shows as (xh xm in use) under the date.
A Windows or Mac device is deemed to be in use if it is unlocked. Activity ceases when the screensaver shows, the monitor is powered off, or the device is locked or shut down.
A Chromebook device is deemed to be in use if the display is active (not dimmed). Activity ceases when the display is dimmed, or the device is sleeping, locked, or shut down.
Note that if a device shuts down unexpectedly, the most recent activity is saved.
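The following added example (not part of the product or its documentation) rebuilds unlocked intervals from a Device Usage History export using the activity names above, and flags intervals that start outside set hours. The sample rows, the date and time formats, the 07:00 to 19:00 window, and the handling of Device woke up are assumptions.

```python
import csv
import io
from datetime import datetime, time

# Activity labels exactly as this page lists them.
SESSION_START = {"Device login", "Device unlocked"}
SESSION_END = {"Device logout", "Device locked", "Device slept", "Device shutdown"}
# "Device woke up" is ignored: assuming the device stays locked after a wake
# until a Device unlocked event is logged (an assumption, not stated on the page).

# Constructed sample rows using a subset of the export's column names.
# Assumption: Date is YYYY-MM-DD and the timestamp is 24-hour HH:MM:SS.
SAMPLE_CSV = """Identifier,Date,Timestamp (Local Device Time),Activity,SSID,User name
EXAMPLE-ESN-1,2024-05-06,08:58:10,Device login,CorpNet,jdoe
EXAMPLE-ESN-1,2024-05-06,12:01:00,Device locked,CorpNet,jdoe
EXAMPLE-ESN-1,2024-05-06,12:45:30,Device unlocked,CorpNet,jdoe
EXAMPLE-ESN-1,2024-05-06,17:30:00,Device shutdown,CorpNet,jdoe
EXAMPLE-ESN-1,2024-05-07,02:14:00,Device login,,jdoe
EXAMPLE-ESN-1,2024-05-07,09:02:00,Device login,CorpNet,jdoe
EXAMPLE-ESN-1,2024-05-07,09:40:00,Device slept,CorpNet,jdoe
EXAMPLE-ESN-1,2024-05-07,09:50:00,Device woke up,CorpNet,jdoe
"""


def load_events(csv_text):
    """Parse export rows into event dicts sorted by device-local time."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamp = f'{row["Date"]} {row["Timestamp (Local Device Time)"]}'
        events.append({
            "when": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "activity": row["Activity"].strip(),
            "user": row["User name"],
            "ssid": row["SSID"],
        })
    return sorted(events, key=lambda e: e["when"])


def unlocked_intervals(events):
    """Pair each login/unlock with the next lock, logout, sleep or shutdown."""
    intervals, current = [], None
    for ev in events:
        if ev["activity"] in SESSION_START:
            if current is not None:
                # No end event was logged (the page notes that a hard reset
                # records only Device login), so the next start is used as
                # an upper bound and closed_by stays None.
                current["end"] = ev["when"]
                intervals.append(current)
            current = {"start": ev["when"], "end": None, "closed_by": None,
                       "user": ev["user"], "ssid": ev["ssid"]}
        elif ev["activity"] in SESSION_END and current is not None:
            current.update(end=ev["when"], closed_by=ev["activity"])
            intervals.append(current)
            current = None
    if current is not None:
        intervals.append(current)  # still open at the end of the export
    return intervals


def outside_hours(intervals, start=time(7, 0), end=time(19, 0)):
    """Return intervals that begin outside the [start, end) local-time window."""
    return [i for i in intervals if not (start <= i["start"].time() < end)]


if __name__ == "__main__":
    for i in outside_hours(unlocked_intervals(load_events(SAMPLE_CSV))):
        print(i["start"], i["user"], i["ssid"] or "(no SSID)", i["closed_by"])
```

Reconstructed intervals are upper bounds, because activity also ceases when the screensaver shows or the monitor is powered off, and no usage event marks that. The hours check runs in the device's local time zone, which is how this report presents its timestamps.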
User updated events
A user updated event occurs when user information is updated on the device. The timeline shows what device user information was updated and the new value. To filter the timeline to only show user updated events, click the corresponding icon.
The following types of user updated events are supported (depending on the device platform):
- Username: a field and report column showing the username of the user who was logged in to the device when an agent connection occurred. If no user was logged in during the most recent agent connection, the last detected username shows. Note that if the device is shared by multiple users, the Username field shows the previous logged in user and the Current username field shows the most recent logged in user.
- Domain: the name of the device's Windows domain, if applicable.
System updated events
A system updated event occurs when system information is updated on the device. The timeline shows the property that was updated and the new value. If multiple device properties were updated at the same time, all the changes show in the timeline event. To filter the timeline to only show system updated events, click the corresponding icon.
The following events are supported (depending on the device platform):
- Connection blocked
- Connection unblocked
- Device unenrolled by Refurbishment partner
- Device became compliant
- Device became non-compliant
- Device compliance reason updated
- Refurbishment processing
- Refurbishment blocked
- System information updated
In the timeline, the event label shows the name of the system information property that was updated (for example, Time zone updated or Device name updated).
Rule triggered events
Rule triggered events occur when a rule is triggered for the device. The timeline shows the rule that was triggered. To filter the timeline to only show rule triggered events, click the corresponding icon.
To view rule triggered events, your user needs to be assigned a role with View or Manage permissions for Rules. In addition, the following permissions are required:
- Offline freeze rule events: Perform permissions for Freeze Device and Remove Freeze
- Location rules events: Address-level View permissions for Geolocation
Action events
An action event occurs when a device action is run on the device. The timeline shows the type of action that occurred. A single device action may create multiple events. For example, when a Freeze request is created for the device, a Device freeze requested event is logged for the device. When the device is actually frozen, a Device frozen event is logged for the device. Each of these events appears separately on the timeline and may have different dates. To filter the timeline to only show action events, click the corresponding icon.
The following types of action events are supported:
- Cryptographic wipe events
- File Delete events
- Firmware wipe events
- Freeze and Remove Freeze events
- Manage Supervisor Password events
- Message events
- Offline Freeze rule events
- Reach Script events
- Reported missing or stolen events
- Run playbook events
- Unenroll events
Days with no events show as follows in the timeline:
- No changes: no events were logged that day, but events were logged the day before and the day after
- No changes for <#> days: no events logged for two or more consecutive days
- No events to show in this time range: no events logged during the selected date range
The events listed are current as of the Last updated date and time located at the bottom of the timeline. You can refresh the timeline to show the most recent events by clicking the Refresh the page icon. The timeline reloads events based on the currently selected date range and filter settings.
To view more information about an event, click anywhere in the event background. The event's overview opens to the right of the work area. The overview displays the type of event and the date the event occurred. Rule triggered events show the rule that was triggered instead of the device name.
In addition, the overview shows the following information for each event type.
For location updated events, the overview shows all location information available when the device's location changed.
If you don't have Address-level View permissions for Geolocation, the overview shows a warning that additional permissions are required.
Depending on the geolocation technologies available on a device, primary and supporting locations may be shown. For example, if Wi-Fi and OS Location are available, the Wi-Fi location is shown as the primary location and OS Location is secondary.
When multiple technologies are available, the following priority order is applied to Location updated events:
- Wi-Fi
- GPS
- OS Location
If a device changes its location by less than 100 meters, no event is logged.
The overview contains the following information:
- Map: a map showing the device's current location
  The following icons may show on the map:
  - Primary location
  - Secondary location
  - Secondary location more than 100 kilometers from primary location
  Secondary location markers are not shown for IP locations due to their low accuracy.
- Location: the address of the location that the device moved to, and the geolocation technology used
  Click the icon to view more details, such as:
  - The estimated accuracy of the location (a report column showing the estimated accuracy of the geolocation technology used to locate the device; values are expressed in the measurement system set in your user profile)
  - Details about any other technologies that sent secondary location information (if available)
    If the secondary location is less than 100 meters from the primary location, Similar results via <technology> is shown instead of a distance. Similarly, if the location is more than 100 kilometers from the primary location, and therefore may be inaccurate, the following warning shows: Significant gap between locations.
  - The SSID and BSSID of the Wi-Fi access point the device is connected to, if applicable (indicated by an icon)
  - The count of nearby Wi-Fi access points that may have been used to calculate the device's primary location, if applicable
    To view the SSID and BSSID of each nearby access point, click Show. A signal strength icon indicates the strength of each access point's signal.
Downloading an access point report
To download a report of all detected Wi-Fi access points, click Download. The report includes the following columns:
- Connected
- SSID
- BSSID
- Signal Strength
The value in the Signal Strength column is always a negative number, and the higher the value, the better the signal. For example, -30 (dBm) is a very strong signal, while -85 (dBm) is very weak.
The report is sorted in descending order by the Signal Strength column.
If the device supports Wi-Fi, but a Wi-Fi location is unavailable in the payload, the detected reason shows (for example, Wi-Fi adapter is disabled or Location not found).
To view the detected reason for all devices without a Wi-Fi location, add the Geolocation technology > Wi-Fi error column to the Devices page.
- Shows available IP addresses for each detected network adapter
- Public addresses: the public IPv4 Internet Protocol address that identifies a device that is connected to the Internet.
- Username: a field and report column showing the username of the user who was logged in to the device when an agent connection occurred. If no user was logged in during the most recent agent connection, the last detected username shows. Note that if the device is shared by multiple users, the Username field shows the previous logged in user and the Current username field shows the most recent logged in user.
- Device name: the name assigned to the device in the operating system. For Chromebooks, device name is not applicable and therefore shows as "Chrome" in the Secure Endpoint Console.
For Public IP location updated events, the overview shows:
- The date and time when the IP location was detected on the device
- The city, state/province, and country of the location. Street addresses are not available. For this reason, the map is not shown.
- A note about location accuracy
- The public IP address and Internet Service Provider (ISP) associated with the location
For device usage events, the overview shows the following properties:

| Property | Description |
|---|---|
| Default Gateway | The name of the device that passes traffic from the local subnet to devices on other subnets. The default gateway often connects a local network to the Internet, although internal gateways for local networks also exist. This property applies to Windows and Mac devices only. |
| SSID | The identifier or network name that uniquely identifies the wireless local-area network (WLAN) that the device was connected to when the event occurred. The SSID column is empty if the device had no WLAN connection when the event occurred. This property applies to Windows and Mac devices only, and Location services must be enabled on the device. For more information about enabling Location services, see Windows or Mac documentation. |
| Local addresses | The local Internet Protocol (IPv4 and IPv6, if available) address of the device when the event occurred |
| BSSID | The MAC address of the wireless local-area network (WLAN) that the device was connected to when the event occurred. The BSSID column is empty if the device had no WLAN connection when the event occurred. This property applies to Windows and Mac devices only, and Location services must be enabled on the device. For more information about enabling Location services, see Windows or Mac documentation. |
| Public addresses | The public Internet Protocol (IPv4 and IPv6, if available) address of the device when the event occurred |
| Active Directory OU | The distinguished name of the Active Directory organizational unit that the device was associated with when the event occurred. The distinguished name is read from right to left and includes the full path to the object. For example: CN=Mary Smith,OU=Employees,OU=Marketing,OU=Miami,OU=Sites,DC=ABC Company,DC=com. This property applies to Windows and Mac devices only. |
| Domain | The name of the device's Windows domain, if applicable |
| User name | The username associated with the activity |

For user updated events, the overview shows:
- Updated property name
- Old value and new value of the property
For system updated events, the overview shows:
- Updated property name
- Old value and new value of the property
If multiple device properties were updated at the same time, each change is shown in the overview.
For rule triggered events, the overview shows:
- Rule status (Active or Inactive)
- Date of the most recent rule update (as a relative date, such as 23 days ago). Hover over the relative date to view the exact date and time in a tooltip.
- User that last updated the rule
- Rule configurations:
  - Event that triggered the rule. For Location rules, the specified locations and/or geofence names are listed. They are also shown on a map.
  - Action that the rule performs
  - Device groups that the rule is assigned to
The event overview shows the current rule configuration. If the rule has changed since the event, it may no longer accurately describe the rule that triggered the event. If the rule has been deleted, or the device is no longer assigned to the rule, no rule information is available.
You can click Edit to edit the settings, activate or deactivate the rule, or delete the rule when it's no longer required.
For action events, the overview shows:
- The user that submitted the action request
- The request ID
- The action description (if provided)
- A summary of the action event details, including:
  - For requests with an action status of Failed, the failure reason
  - (Freeze requests only) The unfreeze code associated with a Freeze request or Offline Freeze rule. Your user role must be granted the Perform permission for Remove Freeze to view unfreeze codes.
  - (Theft reports only) The theft report status, the reason for the status, and the police report file name (if it was uploaded later)
  - (Run Playbook requests only) The Initiated by field, which indicates how the playbook was initiated on the device:
    - Console: console-initiated
    - End user: device-initiated
    - End user (automatic): automated playbook
- The configuration details that were used to create the action request. If a View... link shows, click it to view the action's configuration details in a dialog.
For completed Cryptographic Wipe and File Delete (Delete All Files) events, you can download the Certificate of Sanitization. For completed Delete File events, you can download the log file.
If your role is granted the correct permissions, you can click View Action to open the device action request on the Action Requests page of the History area.
If your role is granted the correct permissions, you can click Find this event on other devices to find related events on the Events page of the History area. When you click this button, the Events page opens filtered by the event type. By default, only the last seven days of events are displayed. Modify the Date filter to expand the results.
You can search for events in the timeline using keywords.
To search the timeline:
Enter a keyword for the type of event you are searching for. You can use keywords from any of the supported event types. For example, to search for a change in the username, enter user name in the search field.
The timeline updates to show the events that match the search keywords within the specified date range.
You can use the arrow keys to navigate between events in the selected date range. You can change the page's date range using either the timeline or the date range field.
On the timeline, you can quickly add an additional 30 days of events.
To add more events to the timeline:
At the bottom of the timeline, click Load an additional 30 days.
Any additional events are displayed in the timeline and the date in the date range field is updated to include the days that were added.
To select a new predefined date range, click the date range field above the timeline and select one of the following options:
- Last 7 days
- Last 14 days
- Last 30 days
- Last 90 days
- Last 1 year
The current date is always included in the date range. For example, if you select Last 14 days, the page shows location changes that occurred today and in the 13 days prior.
To specify a date range:
- Click the date range field above the timeline and click Select.
- Click the calendar picker to open it.
- Select a start and an end date in the calendars.
  To pick a month, click the month name at the top of the calendar and select the applicable month. Alternatively, you can use the navigation icons to move to it.
  To pick a year, click the year at the top of the calendar and select the applicable year. Alternatively, you can use the navigation icons to move to it.
The calendar picker closes and the selected dates show in the date range field.
You can export the device's events in CSV, Excel, or XML format. Separate reports are generated for location updated events, device usage events, and all other events. You can select a predefined date range or you can specify a custom date range.
If your user role isn't granted Address-level View permissions for Geolocation, the report that contains location updated events is not exported.
Depending on the total number of events included in your export, it may take a few minutes to export the report.
The exported reports include columns that show the following information:
Report for location updated events:

| Column | Description |
|---|---|
| Identifier | The unique Electronic Serial Number (ESN) assigned to the Secure Endpoint Agent that is installed on the device |
| Device name | The name assigned to the device in the operating system |
| Serial number | The identification number assigned to the device by the manufacturer |
| Login Username | The name of the user that was logged in when the location was detected |
| Payload Created Timestamp | The date and time when the payload of location information was created on the device for upload |
| Location Change (Yes/No) | Indicates whether the device changed its location on a particular date |
| The following information about the last reported primary location: | |
| Primary Technology | The type of geolocation technology used |
| Latitude & Longitude | The latitude and longitude of the device |
| Address | The address of the device |
| Accuracy | The estimated accuracy of the technology used to locate the device in feet (or meters, depending on your user preferences) |
| The following information about the last reported IP location: | |
| Latitude & Longitude (IP) | The latitude and longitude of the IP location |
| Address | The address of the IP location |
| Internet Service Provider | The ISP associated with the IP location |
| The following information about the last reported secondary location, if available: | |
| Supporting Technology | The type of geolocation technology used |
| Latitude & Longitude (Supporting) | The latitude and longitude of the secondary location |
| Address | The address of the secondary location |
| The device's IP addresses: | |
| Local IP | The local IP addresses (IPv4 and IPv6) of each detected network adapter when the event occurred |
| Public IP | The public IP address (IPv4) of the device when the event occurred |
| Public IPv6 | The public IP address (IPv6) of the device when the event occurred |
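
As an added example (not vendor code), the script below applies the 100-meter and 100-kilometer secondary-location thresholds described on this page to rows of an exported location report, so that rows where the primary and supporting locations disagree can be picked out for review. The sample rows and the "lat, lon" decimal-degree cell format are assumptions; check them against a real export.

```python
import csv
import io
import math

# Thresholds stated on this page for a secondary location.
SIMILAR_BELOW_M = 100      # closer than this: "Similar results via <technology>"
GAP_ABOVE_M = 100_000      # farther than this: "Significant gap between locations."

# Constructed sample rows using a subset of the export's column names.
# Assumption: a "Latitude & Longitude" cell holds "lat, lon" in decimal degrees.
SAMPLE_CSV = '''Identifier,Payload Created Timestamp,Primary Technology,Latitude & Longitude,Supporting Technology,Latitude & Longitude (Supporting)
EXAMPLE-ESN-1,2024-05-06 09:00,Wi-Fi,"49.2827, -123.1207",OS Location,"49.2829, -123.1210"
EXAMPLE-ESN-1,2024-05-07 09:00,Wi-Fi,"49.2827, -123.1207",GPS,"49.3000, -123.1400"
EXAMPLE-ESN-1,2024-05-08 09:00,Wi-Fi,"49.2827, -123.1207",OS Location,"47.6062, -122.3321"
EXAMPLE-ESN-1,2024-05-09 09:00,GPS,"49.2827, -123.1207",,
'''


def parse_latlon(cell):
    """Return (lat, lon) as floats, or None if the cell is empty or malformed."""
    parts = [p.strip() for p in (cell or "").split(",")]
    if len(parts) != 2:
        return None
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return None
    # The range check also rejects NaN, which fails every comparison.
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return lat, lon


def haversine_m(a, b):
    """Great-circle distance in meters between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


def classify(primary, secondary):
    """Label a primary/secondary pair using the page's two thresholds."""
    if primary is None or secondary is None:
        return "not_comparable", None
    d = haversine_m(primary, secondary)
    if d < SIMILAR_BELOW_M:
        return "similar", d
    if d > GAP_ABOVE_M:
        return "significant_gap", d
    return "distance", d


def review(csv_text):
    """Return (timestamp, supporting technology, label, meters) per export row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        label, d = classify(
            parse_latlon(row["Latitude & Longitude"]),
            parse_latlon(row["Latitude & Longitude (Supporting)"]),
        )
        results.append((row["Payload Created Timestamp"],
                        row["Supporting Technology"], label, d))
    return results


if __name__ == "__main__":
    for ts, tech, label, d in review(SAMPLE_CSV):
        dist = "-" if d is None else f"{d:,.0f} m"
        print(f"{ts}  {tech or '-':12} {label:16} {dist}")
```
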

Report for device usage events:

| Column | Description |
|---|---|
| Identifier | The unique Electronic Serial Number (ESN) assigned to the Secure Endpoint Agent that is installed on a device |
| Device Name | The name assigned to the device in the operating system. This column applies to Windows and Mac devices only. |
| Date | The date when the event occurred |
| Timestamp (Local Device Time) | The time when the event occurred, expressed in the device's local time zone |
| Usage | Usage of the device presented in minutes of activity during a 24 hour period. A Windows or Mac device is deemed to be in use if it is unlocked. Activity ceases when the screensaver shows, the monitor is powered off, or the device is locked or shut down. A Chromebook device is deemed to be in use if the display is active (not dimmed). Activity ceases when the display is dimmed, or the device is sleeping, locked, or shut down. |
| Activity | The type of device usage event that occurred |
| BSSID | The MAC address of the wireless local-area network (WLAN) that the device was connected to when the event occurred. The BSSID column is empty if the device had no WLAN connection when the event occurred. This column applies to Windows and Mac devices only, and Location services must be enabled on the device. For more information about enabling Location services, see Windows or Mac documentation. |
| SSID | The identifier or network name that uniquely identifies the wireless local-area network (WLAN) that the device was connected to when the event occurred. The SSID column is empty if the device had no WLAN connection when the event occurred. This column applies to Windows and Mac devices only, and Location services must be enabled on the device. For more information about enabling Location services, see Windows or Mac documentation. |
| Local IP address | The local Internet Protocol (IPv4) address of the device when the event occurred |
| Public IP address | The public Internet Protocol (IPv4) address of the device when the event occurred |
| Local IPv6 address | The local Internet Protocol (IPv6) address of the device when the event occurred, if available |
| Public IPv6 address | The public Internet Protocol (IPv6) address of the device when the event occurred, if available |
| Active Directory OU | The distinguished name of the Active Directory organizational unit that the device was associated with when the event occurred. The distinguished name is read from right to left and includes the full path to the object. For example: CN=Mary Smith,OU=Employees,OU=Marketing,OU=Miami,OU=Sites,DC=ABC Company,DC=com. This column applies to Windows and Mac devices only. |
| User name | The username associated with the activity |

Report for all other events:

| Column | Description |
|---|---|
| Date | The date and time when the event occurred |
| Event | The event that occurred. If there are multiple property changes associated with an event, each change shows on a separate row in the exported report. |
| Actor | One of the following: |
| Device/Object | One of the following: |
| Secondary object | The name or identifier of the object that was also affected by the event, such as the request ID of a Freeze request |
| Property name | The field or property that was updated |
| Old value | The previous value associated with the property |
| New value | The new value associated with the property |

To export the History page:
- Above the timeline, click Export to open the Export History dialog.
- Click the Format field and select one of the following options:

| Option | Description |
|---|---|
| CSV (.csv) with column names | Exports the report (including column headers) in Comma Separated Values (.csv) file format |
| CSV (.csv) without column names | Exports the report (excluding column headers) in Comma Separated Values (.csv) file format |
| Excel (.xlsx) | Exports the report (including column headers) in Microsoft Excel Open XML Spreadsheet (.xlsx) file format. If you select the Excel option when the report contains more than 1 million rows, the system automatically exports the file in CSV file format. Reports of this size are not supported in Excel. |
| XML (.xml) | Exports the report in Extensible Markup Language (.xml) file format |

- Click the Date range field and select one of the following options:
  - Last 7 days
  - Last 14 days
  - Last 30 days
  - Last 90 days
  - Last 1 year
  - Select
  If you clicked Select:
  - Click the calendar picker to open it.
  - Select a start and an end date in the calendars. You can select any end date in the past that is up to 365 days from the start date.
    To pick a month, click the month name at the top of the calendar and select the applicable month. Alternatively, you can use the navigation icons to move to it.
    To pick a year, click the year at the top of the calendar and select the applicable year. Alternatively, you can use the navigation icons to move to it.
  The calendar picker closes and the selected dates show in the date range field.
- By default, all dates and times in the report are presented in the time zone set in your user profile. To present them in another time zone, click the Exported time zone field and do one of the following:
  - To apply a new time zone to this report export only, search for a city in the desired time zone and select it.
  - To apply a new time zone to this report export, and set it as the default value to show in the Time Zone field for all future scheduled and exported reports:
    - Search for a city in the desired time zone.
    - Hover over the city name and click Set default.
    The time zone under the field is updated to your selection.
    To set it back to the time zone set in your user profile, select Use my time zone.
  This setting is user specific; it does not update the Exported time zone field for other users. The report for device usage events always presents dates and times in the device's local time zone, regardless of this setting.
- Under Options, select the event types you want to include in the export. A separate report is generated for each option you select.
- Click .
  The export process starts. Depending on the size of the report, it can take a few minutes to download.
  If you exported a report in error, you can cancel the export if it hasn't finished processing. To do so, click the corresponding icon in the export processing dialog. The report export is canceled.
- Open the downloaded reports. If the reports don't download automatically, follow the on-screen instructions that apply to the browser and operating system to save the reports to a location on your computer.
- Navigate to the directory where you saved the report. By default, the file names include the report name, the device name, and the date and time of the export, in the following formats:
  - Event_History_<device name>_yyyy-mm-dd-hh-mm(<time zone>).<file extension>
  - Location_History_<device name>_yyyy-mm-dd-hh-mm(<time zone>).<file extension>
  - Device_Usage_History_<device name>_yyyy-mm-dd-hh-mm(<time zone>).<file extension>
  Depending on your operating system and browser, if the report names include special characters, the special characters may be removed from the file names or replaced by underscore (_).
- Open and review the reports using software that supports the reports' file formats. For example, you can use a spreadsheet application, such as Microsoft Office Excel or OpenOffice Calc, to view an XLSX file.
  If you exported an XML formatted report that contains a very large amount of data, we recommend using Notepad++ to view its contents.




