Configuring Actions settings

You can configure the Actions settings to set defaults for the device actions performed on devices in your account.

Configure an Actions setting to manage the way scripts in a Run Script request are deployed to your devices. Specifically, you can:

  • Edit the start up folder that Reach scripts are downloaded to when you create a Run Script request.

  • Configure whether the Reach script signature is validated when you create a Run Script request to run a script on your Windows devices.

When a Windows or Mac device with a pending Run Script request connects with the Absolute Monitoring Center, the agent downloads the script to a startup folder and runs the script on the device from this location. By default, the agent uses the C:\ProgramData\ as the startup folder on Windows devices and /tmp/ as the startup folder on Mac devices. If these locations are unsuitable, you can customize the startup folder location.

You can change the startup folder to a local drive, an external drive, or a network drive. On Windows, the network drive must already be mapped to a drive letter. For example, H:\.

If the folder already exists on the target device, the agent checks the read-write permissions of the folder. If the agent can gain the required permission, the agent downloads and runs the script there.

If the startup folder (or any of the parent folders) doesn't exist, the agent tries to create them. If the agent has the create permission, the agent creates the folder or folders, and then downloads and runs the script.

If the agent doesn't have the correct permissions, or fails to create the startup folder, the Run Script request fails for the device. You can view the failure reason in Action Requests.

Although the agent deletes the script from the startup folder once the request is complete, it doesn't remove the folders that it created. The startup folder remains on the device for future use.

A valid startup folder complies with the following requirements:

  • The path must be a valid absolute folder path

    • On Windows devices, a valid path starts with <Drive Letter>:\

      For example: C:\ProgramData\ReachScript\

    • On Mac devices, a valid path starts with the root folder /

      For example: /tmp/ReachScript/

  • The folder has read, write, and execute permissions
  • The path doesn't contain Unicode
  • The path is 150 characters or less

Depending on your anti-malware product, you may need to add the folder as a policy exception or add it to an allow list.

To edit the startup folder:

  1. Log in to the Secure Endpoint Console with the Manage permission for Reach Script.
  2. On the navigation bar, click Settings > Account settings.
  3. Under Actions, do one of the following:
    • To change the Windows startup folder, click the field next to Windows and enter a new path.
    • To change the Mac startup folder, click the field next to macOS and enter a new path.
  4. Click outside the dialog to save your changes.

The startup folder is changed for all future Run Script requests. Existing Run Script requests use the folders that were set when the request was created.

If you've saved changes to the startup folders, you can reset them to the default locations.

To reset the startup folder location:

  1. Log in to the Secure Endpoint Console with Manage permissions for Reach Script.
  2. On the navigation bar, click Settings > Account settings.
  3. Under Actions, do one of the following:
    • To reset the Windows startup folder, click the field next to Windows and clear the path from the field.
    • To reset the Mac startup folder, click the field next to macOS and clear the path from the field.
  4. Click outside the dialog to save your changes.

The startup folders will now use the default location for all future Run Script requests. Existing Run Script requests use the folders that were set when the request was created.

All PowerShell scripts that are part of a Reach script are signed, either by you before you upload them, or by Absolute if they aren't signed when they're uploaded to the Secure Endpoint Console. If signature validation is enabled, the ANS component A lightweight software component of the Secure Endpoint Agent that is responsible for running a script on a device when a Run Script request is processed. validates the signature when the script is downloaded to the device as part of a Run Script request. This ensures that the script hasn't been altered since it was signed. By default, script validation is disabled. For improved security, we strongly recommend that you enable script validation.

Scripts are signed even if the script signature check is disabled.

To enable or disable signature validation:

  1. Log in to the Secure Endpoint Console with Managepermissions for Reach Script.
  2. On the navigation bar, click Settings > Account settings.

  3. Do one of the following:

    • To enable script signature validation, click the Script signature validation slider to set it to On.
    • To disable script signature validation, click the Script signature validation slider to set it to Off.
  4. In the dialog that opens, click Enable.

The signature validation setting is updated.

To limit the impact of a bad actor, a misconfiguration, or human error, you can set a maximum total number of actions that can be submitted per day for your account. Each device action has its own setting that's enabled by default. The only exception is the Remove Freeze action, which is disabled by default.

Depending on the needs of your organization, you can enable a daily threshold for one, some, or all device actions and then optionally assign a custom value to override the default value that is recommended by Absolute.

The following device actions support a daily threshold:

Device action Daily threshold default value

Delete File

(includes Delete All Files Wipe)

 500

Freeze

(excludes Offline Freeze rules)

 500

Remove Freeze

(excludes unfreezing using Unfreeze code)

100,000

By default, this daily threshold is disabled.
Run Playbook 500
Run Script 20,000

Send Message

(includes Resend message action)

 100,000
Unenroll Device 100,000

Wipe

(includes Cryptographic Wipe only)

 500

Note the following:

  • The daily threshold is per account, not per user.
  • The daily threshold is independent of any dual approval limit that has been applied to a custom role.
  • The daily threshold applies to:
    • Action requests submitted by users in the console
    • Action requests submitted via the Absolute API , including actions submitted via a ServiceNow® or Forescout® eyeSight integration
    • Actions triggered by an Action rule (applies to Freeze, Send Message, and Run Script actions only)
  • The daily threshold does not apply to:
    • Freeze actions triggered by an Offline Freeze rule

    • Unenroll Device actions associated with a Wipe request

      Mac devices are always unenrolled after a Wipe action is completed. Windows devices are unenrolled only if the Unenroll devices after the Wipe is complete option is selected in the Wipe request.

  • When a Wipe request contains both Cryptographic Wipe and Delete All Files actions, the request can't be submitted if either action exceeds its daily threshold.
  • If an action shows a status of Failed in the History > Actions area, it still counts towards the daily threshold. However, if the action failed because it was declined, it does not count towards the daily threshold.
  • If an action shows a status of Canceled in the History > Actions area, it does not count towards the daily threshold.
  • The daily threshold resets at 00:00 UTC each day.

When a daily threshold is enabled for an action, and the threshold is exceeded, the result depends on how the action was requested.

When a new action request causes its daily threshold to be exceeded, the Daily action threshold reached dialog is shown to the user when they attempt to save the request. The following information shows in the dialog:

  • Threshold: the daily threshold configured for the action
  • Available: the number of remaining actions available today
  • Devices in current request: the number of devices included in the action request

Users with the Manage permission for Account Threshold Configurations can override the threshold and save their request by clicking Proceed. An Over threshold action request approved event is logged to Event History.

For all other users, the request can't be completed. Click OK to close the dialog. Note that if the Available actions is not zero (0), a request for fewer devices can be submitted. Alternatively, the user can contact their System Administrator to request an increase to the action's daily threshold.

After the daily threshold for an action is reached, any action request submitted via the Absolute API will fail to be processed and a 429 RATE-LIMITED error will be returned. Details are provided in the error message. Note that no event is logged to Event History in the console.

After the daily threshold for an action is reached, any Action rule that includes that action will be impacted as follows:

  • If an event triggers the rule, the rule will fail to perform the action

  • A Rule-triggered action hit the account threshold event will be logged to Event History

This behavior will continue for the remainder of the day.

You can view the current daily threshold configurations for each supported action type.

To view your account's daily thresholds:

  1. Log in to the Secure Endpoint Console with the View or Manage permission for Account Threshold Configurations. All user roles are granted the View permission.
  2. On the navigation bar, click Settings > Account settings.
  3. Under Actions > Daily thresholds, review each action's daily limit under Thresholds. If the activation slider is set to On, the threshold for that action type is enabled. If it's set to Off, no daily limit applies.

To enable, configure, or disable daily thresholds:

  1. Log in to the Secure Endpoint Console with the Manage permission for Account Threshold Configurations.
  2. On the navigation bar, click Settings > Account settings.
  3. Under Actions > Daily thresholds, do one or more of the following:
    • To enable a daily threshold for an action, click its slider to set it to On.
    • To assign a custom daily threshold to an action, click the action's Thresholds field and enter the new value. The Absolute logo changes from grayed out to to indicate that the default value has been overridden.

      To assign a custom daily threshold, the action's slider must be set to On.

    • To reset a custom daily threshold back to the default value, click its icon.
    • To disable a daily threshold for an action, click its slider to set it to Off.

An Account-level daily threshold updated event is logged to Event History for each updated configuration.