Creating Action rules

Depending on your Absolute product licenses, Action rules may not be available.

In the Policies > Rules area, you can configure and activate a rule that automatically triggers one or more actions when a device state change event is logged to Event History.

The following actions are supported:

Change policy group
Freeze
Run script
Send message
Email

Action rules can be assigned to all active devices in your account, or to individual device groups.

Examples
Unencrypted device rule You want to ensure that if a device's disk fails to be fully encrypted, the device is inaccessible and its data remains protected. You create an Action rule that freezes the device if its Encryption Status changes to any status other than Encrypted or Used Space Encrypted. Missing device rule You want to ensure that you can track the location of missing devices. Since you activated the Geolocation Tracking policy in only one policy group, you create an Action rule that automatically moves devices to this policy group when they are reported missing.

Depending on an Action rule's configurations, a rule may impact many devices or lead to unexpected results. To ensure that your rule works as expected, follow this best practice:

Test the rule using only the Email action for a sufficient period. This helps you assess:
- How often the selected device state change event is logged, and
- The devices that are affected.
Based on the test results, make any necessary adjustments to the rule’s configurations.
Once you are satisfied that the rule is working as expected, edit it to include other actions, such as Freeze.

Supported device states

You can create an Action rule based on the following device states and their associated events:

Device state	Associated events
Custom Data - <data point name> Both Default and Custom data points are supported, but only Active data points are available for selection.	Custom Data field updated
Custom field - <field name> Both fixed and custom device fields are supported.	Custom field updated
Device compliance status	Device became compliant Device became non-compliant Device compliance reasons updated
Device Freeze status	Device frozen Firmware freeze succeeded Device frozen timer expired Device freeze removed Device freeze removed by passcode Firmware freeze removed by passcode
Device location	Device location updated Public IP location updated (only applies when the Include IP locations option is selected) These events are not logged for stolen devices.
Device name	System information updated > Device name
Device reported missing	Device reported missing Missing device found
Device reported stolen	Theft report created Theft report closed Theft report reopened
Domain	Device user information updated > Domain
Encryption status	Device became encrypted Device became unencrypted
Local IP address	System information updated > Local IP address
Local IPv6 address	System Information updated > Local IPv6 address
OS > Build	Operating system updated > Build
OS > Edition ID	Operating system updated > Edition ID
OS > Name	Operating system updated > Name
OS > Product key	Operating system updated > Product key
OS > Version	Operating system updated > Version
Public IP address	System information updated > Public IP address
Public IPv6 address	System information updated > Public IPv6 address
Username	Device user information updated > Username

After an Action rule is activated, the rule isn't triggered for devices that are already in the specified device state. A device must change to the specified device state, which will log an event and trigger the rule.

Creating an Action rule

To create an Action rule:

Log in to the Secure Endpoint Console as a user with Manage permissions for Rules.
On the navigation bar, click Policies > Rules.
Click Create rule and click Action rule.
Click the title and enter a name for the rule.
[Optional] Click Add description and enter a description for this Action rule.
Under Rule, do the following:
1. Click the Select a device state field and select an option. For example, select Encryption status. Which events are associated with each device state?
  
  If you select Device location in this field, the Include IP locations checkbox may be shown. Learn more
  
  Note that if you do not select the checkbox, the Action rule will not be triggered when the device moves to an IP location. However, if the rule includes other device states that trigger the rule, the Device location device state is evaluated based on its most recent Wi-Fi or OS location.
2. Click the second field that shows and select a condition. The list of available conditions depends on the selected device state. For example, select is not.
3. If a third (and fourth) field shows, enter a value or select one or more options from the list. For example, select Encrypted and Used Space Encrypted.
  Note that values typed in these fields are not validated. Ensure that you enter a value that is valid for the selected device state.
  If a No toggle shows, you can click it to change the value to Yes.
4. To add a second device state, click AND and specify the applicable criteria in the provided fields.
  
  Note that both device states will need to be satisfied for the rule to be triggered. To trigger a rule when either device state applies, create two Action rules.
5. Repeat the previous step for each device state that you want to add. You can add up to 20. To remove an item, click its icon.
  You can't include the following device states in the same Action rule, because locations are not collected for stolen devices:
  - Device location
  - Device reported stolen
6. [Optional] After a rule is triggered for a device, you can prevent it from being triggered again, within a specified number of days, if another event occurs on the device that satisfies the rule.
  To do so, select the checkbox next to Set cooldown period and select an option between 1 and 4 days. The default is 1 day. During the cooldown period, no email notifications are sent, and the rule's actions are not triggered.
  The cooldown period is applied at the device level. If a rule is triggered for a device, the cooldown period doesn't prevent the rule from triggering on other devices.
Under Action, click Add action and select an action to perform when the rule is triggered:

To only log an event to Event History when the rule is triggered, skip steps 7 and 8 and go to step 9.
Email
Send an email notification to one or recipients.
1. Click Email.
2. The Email field is populated with your email address. To add additional email recipients:
  1. Click your email address and then click the field that opens.
  2. Begin entering each email address and then select it from the list.
    To send alerts to individuals that are not console users, enter their full email address, pressing Enter after each one. To remove an address, click its icon. When you're done, click outside the list.
3. If you selected Device location in step 6a, and you want to include a map in the email notification, select the Show device location on map checkbox.
Change policy group
Move devices to a policy group.
1. Do the following:
  - Ensure that you have tested this rule using the Email action only.
  - Review this action's important considerations.
1. Click Change policy group.
  If your user role is not granted the Manage permission for Policies, the Change policy group option is not available.
2. Search for and select a policy group.
3. Click Add. The policy group name shows in the Action area.
Freeze
Submit an on-demand Freeze request for the devices.
1. Ensure that you have tested this rule using the Email action only.
1. Click Freeze.
  If your user role is not granted the Perform permission for Device Freeze, the Freeze option is not available.
  The Freeze action is not available when any of the following applies:
  Your user role is not granted the Perform permission for Device Freeze.
  You added the condition Device Freeze status is Frozen in step 6.
  You added the condition Device reported stolen is Yes in step 6.
2. Configure an on-demand Freeze request and click Add.
  Note that the following options are not available for Action rules:
  
  Freeze at Firmware
  
  Generate a random code for all devices
For the action to be triggered on a device, the device must meet the feature's eligibility requirements.
Run script
Depending on the Absolute product licenses associated with your account, this action may not be available.

Submit a Run Script request for the devices.
1. Ensure that you have tested this rule using the Email action only.
1. Click Run script.
  The Run script action is not available when either of the following applies:
  Your user role is not granted the Run permission for Reach Script.
  You added the condition Device reported stolen is Yes in step 6.
2. Do one of the following:
  - To select a script:
    Search for the script and select it.
    [Optional] To ensure that you've selected the correct script, click View Script to view it in a dialog. Click to close the dialog.
    Configure the script's Script Variables (as required) and Advanced Configuration Options.
    Click Add.
  - To create a new script:
    Click Create Script.
    After you've uploaded the script and configure its Script Variables (as required) and Advanced Configuration Options, click Add.
For the action to be triggered on a device, the device must meet the feature's eligibility requirements.
Send message
Submit a Send Message request to send an end-user message to the devices.
1. Ensure that you have tested this rule using the Email action only.
1. Click Send message.
  The Send message action is not available when either of the following applies:
  
  Your user role is not granted the Run permission for Send Message.
  
  You added the condition Device reported stolen is Yes in step 6.
1. Configure a message and click Add. Note that the option to schedule the message for a future date is not available.
For the action to be triggered on a device, the device must meet the feature's eligibility requirements.
To add another action, repeat the previous step. Note that after you add a particular action, it is grayed out in the Add action list because your rule can't contain more than one instance of each action. To remove an action, click its icon.
Under Scope, note the following:
- If you can manage all devices, All Active Devices shows in this section.
- If you can manage the devices in select device groups only, your assigned device groups show.
To make changes, click Edit and do the following:
1. Click the field and select each device group you want to assign the rule to. To remove a device group, click its "x" icon.
  If you can manage the devices in select device groups only, a warning message shows when you add a device group. Learn more
2. If you selected All Active Devices in the previous step, you can exclude one or more device groups. Select the Exclude device groups checkbox and click the field to select each device group you want to exclude. To remove a device group that you added, click its "x" icon.
3. When you're done, click outside the field and click Close.
To save the rule without specifying a Scope, set the slider to Off (gray) in the next step.
To activate the rule now, click Save and activate. To activate it later, click Save.

The rule is created, and a Rule created event is logged to Event History.

Going forward, the rule is re-evaluated each time the relevant device state change event (or events) occurs on a device. If the event satisfies the rule, the rule is triggered and a Rule triggered event is logged to Event History.

If the device is in a cooldown period, the rule is not triggered.

The following events may also be logged:

Device freeze requested
Device added to policy group
Failed to add device to policy group

Script requested

End user message requested

If a Freeze request, Run Script request, or Send Message request is created, you can track the request's progress in Action Requests.