Configuring Playbooks policies

Depending on the Absolute product licenses associated with your account, the Playbooks policy may not be available.

When activating a Playbooks policy for the first time, you need to configure the following settings for the policy:

  • Automated playbook actions: enable this setting if you want to ensure that user-initiated playbooks can run on devices that are not physically accessible
  • System restart: customize the timing of any system restarts required by the Playbooks policy

For activated policies, you can update these settings at any time. The updated setting will be sent to the policy group's devices during their next connection to the Absolute Monitoring Center.

You can enable automated playbook actions (also known as Absolute Failsafe) to allow user-initiated playbooks to automatically run on devices that are not physically accessible to you or a device user.

How it works

Normally, to run a user-initiated Run Playbook request on a device, the device user needs to press F6 (or Fn+F6) and enter the device's playbook passcode. When automated playbook actions are enabled, these manual steps can be skipped. The request will be processed automatically after the device repeatedly fails to boot into Windows—an indication of a possible fatal system error. You can configure the number of consecutive failed boot attempts before the playbook runs. The default is 3, but values from 3 to 5 are supported.

Automated playbooks support all playbook types.

Best practices

If some devices in the policy group are not physically accessible, we recommend that you enable this setting when you activate the Playbooks policy. This ensures that an automated playbook will automatically run on a device when the following conditions are met:

  • After an automated Run Playbook request is processed for a device, its associated playbook is deleted from the server. Therefore, an automated playbook will not run again on the device until a new user-initiated Run Playbook request is submitted and the above conditions are met.
  • When the Automated playbook action setting is enabled for a policy group's Playbooks policy, you can still run user-initiated playbooks on the accessible devices in the policy group using F6 and the device's playbook passcode.
System requirements

The automated playbook actions setting applies to devices running Secure Endpoint Agent 11.0.0.4 or higher.

For policy groups assigned a lower agent version, user-initiated playbooks will not run automatically.

Tracking automated playbook requests

To determine if a user-initiated Run Playbook request was processed on a device as an automated playbook:

  1. Go to the device's History page.
  2. Find the request's Playbook completed event and review the value in the Initiated by field. Automated playbooks show End user (automatic) instead of End user.

The Playbook requested event associated with this Playbook completed event always shows End user in the Initiated by field because it's not yet known how the request will be initiated on the device.

From time to time, Absolute makes changes to the Bootloader and WinPE image to add improvements or fix issues. When these updates are sent to your devices, a system restart is required to apply the changes to each device. Device provisioning and deprovisioning also require system restarts. The system restart setting allows you to customize these restarts.

The setting is preconfigured to allow restarts to occur whenever a Playbooks policy update requires it. If a device user is logged in, a notification is displayed, warning them that the device needs to restart. They can restart immediately, or postpone the restart up to 3 times for 8 hours each time.

If this preconfiguration does not meet your needs, you can:

System requirements

The system restart setting applies to devices running Secure Endpoint Agent 11.0.0.1 or higher.

For policy groups assigned a lower agent version, devices will automatically restart whenever a Playbooks policy update requires it. If a device user is logged in, a notification is displayed, warning them that the device needs to restart. They can restart immediately, or postpone the restart up to 3 times for 8 hours each time. Note that this configuration can't be changed until the policy group is upgraded to a supported agent version.

To configure the Playbooks policy, your user role needs to be granted the Manage permission for Policies.

To configure the Playbooks policy:

  1. Log in to the Secure Endpoint Console as a user with the Manage permission for Policies.
  2. On the navigation bar, click Policies > Policy Groups.
  3. On the Policy Groups sidebar, click the policy group that you want to update. The policy group opens in the work area.

  4. Next to the Playbooks policy's activation slider, click Configure to open the Playbook configuration dialog.

    If the policy group is assigned agent version 10.0.0.2 or lower, the Playbooks policy is not supported and the Configure button is grayed out.

  5. To enable automated playbooks for the devices in the policy group:

    1. Select the checkbox under Automated playbook action.

    2. In the field next to Number of consecutive restart failures enter the consecutive number of times the device must fail to restart before a pending user-initiated Run Playbook request is run automatically. The default is 3, but values from 3 to 5 are supported.

    A system restart is required to apply your changes to each device's Playbooks policy.

  6. To control the timing of any system restarts required by the Playbooks policy, do the following under System restart:

    • To allow devices to automatically restart when a Playbooks policy update requires a system restart:

      1. Leave the radio button next to Restart device automatically after updates selected.

      2. Do one of the following:

        • To specify a custom time window, select the checkbox next to Restrict restarts to a time window and specify a time period using the Start and End fields. Note that after selecting a time in the time selector, ensure that you select AM or PM and click OK to apply your changes. Times are local device time A date and time expressed in a device's local time zone, as opposed to server time..

          Selecting Now in the time selector populates the Start (or End) field with the 30-minute increment closest to the current time. For example, if the current time is 4:41 p.m., the Start (or End) time will be set to 4:30 PM.

        • To allow devices to automatically restart whenever a Playbooks policy update requires it, leave the checkbox next to Restrict restarts to a time window unselected.

      3. Do one of the following:

        • To allow device users to postpone the restarts, leave the checkbox next to Allow user to delay restart selected and do the following:

          1. To update the number of times the device user is presented with the restart warning dialog, which allows them to postpone the restart, click the Delay attempts field and select a value. The default is 3, but values from 1 to 3 are supported.
          2. To update the number of hours until the device user is presented with the restart warning dialog again, click the Delay interval field and select a value. The default is 8 hours, but values from 1 to 24 hours are supported.
        • To not allow users to postpone the restarts, clear the checkbox next to Allow user to delay restart.

    • To disallow all automatic system restarts that are triggered by a Playbooks policy update, select the radio button next to Disable automatic restarts. The policy update will be applied when a device user or another application restarts the device.

  7. Click Save and activate, or click Save if the policy is already activated.

The updated policy configuration is sent to the device on its next connection to the Absolute Monitoring Center.

If you updated the Automated playbook action setting, a system restart is required to apply the change to the device's Playbooks policy.