Roaming Clients / Device Agents - Setup, Configure, and Manage

ScoutDNS provides device agents for organizations that wish to cover devices with DNS-layer protection both on and off the network. The ScoutDNS device agent is an extremely lightweight application best installed on managed devices, where administrative access is required to stop and start services or remove software. The device agent performs the essential tasks of keeping devices protected wherever they are used, such as home networks, coffee shops, hotels, and more. The ScoutDNS device agent provides a number of benefits:

Zero Touch Silent Installs: Dynamically generated install files link profiles to embedded keys, meaning no extra inputs are required to deploy.

Encrypted DNS: ScoutDNS device agents utilize DNS-over-HTTPS or DoH to encrypt all DNS traffic from the device to our cloud service using port 443.

On and Off Network Protection: The device agent provides roaming client support to protect devices even when they are off secure corporate networks.

User Level/Granular Reporting: With the device agent installed, operators get in-depth device- and user-level reporting.

Dynamic Policy: Using profiles, operators can group users for tracking and policy enforcement. Dynamic policies allow devices to use different policies based on their location and whether they are on or off the network.


Flow of queries with Device Agent

How the ScoutDNS Device Agent Works:

The device agent is made up of two services: the Device Agent and the Device Agent Updater.

Device Agent: On startup, and again on any network change, the device agent records the network's existing DNS servers and any joined domains. This information is used to correctly handle local queries, including those intended for local domains. The device agent then checks that the ScoutDNS service can be reached and, if so, binds to 127.0.0.1:53 for IPv4 and ::1 for IPv6 on the installed device. If the ScoutDNS network cannot be reached, the device agent fails open and sets DNS back to the originally assigned network DNS servers. The device agent continues to monitor for service availability and resets DNS to the ScoutDNS network once the service is reachable again. The device agent constantly monitors for network, user, and device changes and adjusts settings accordingly. The device agent will always fail open if it loses connectivity to the ScoutDNS network at any point during operation.

Device Agent Updater: The Device Agent Updater service operates separately to ensure the ScoutDNS device agent is always up to date for features and security. Once an update is detected, the updater makes a backup copy of the existing instance, then downloads and installs the update. Updates take place within seconds in the background, without the end user noticing. If, after an update, the device agent can no longer connect to the ScoutDNS network, the updater service rolls the device agent back to the previous working release.

Setting Up the Device Agent

The ScoutDNS device agent is fully configured through the ScoutDNS UI. Setting up device agents is done in two steps:

1) Configure Profiles
2) Install Device Agent on Clients

Configure Profiles

Profiles are objects in ScoutDNS that link policies to groups of client devices. In the profile settings, operators configure how devices assigned to the profile adopt certain policies. You will need to create a profile and set a default policy.

Here are the profile options:
Profile Name: Give the profile a name that fits your group of client devices or users, such as "Sales Team", "Office Staff" or "Engineers".
Default Policy: This is the default or fallback policy that any device will use outside of additional profile and policy settings.
Profile Description: Used to describe the purpose of this profile for internal operations.
Block Page: Set the block page template you wish to use for this group of devices.
Enable User Policies: Allows Active Directory based policies to override the Profile Default Policy for matching groups, as configured in Personas.
Dynamic Policy: When activated, operators can set policies based on the location of the client device. You can choose either a specific policy, or set the device to inherit the site/network based rules for any ScoutDNS network the client may be on. You can also set a completely different policy for offsite/roaming use. Sites are recognized from your ScoutDNS configured sites and networks.



Idea
You can use multiple profiles to assign policy by groups of devices for different user types. This works well when users are assigned a set device. Where possible, another option is to create a single profile (or as few as possible) and make policy decisions based on the Active Directory groups configured in the Users tab with Personas.


Local Forwarding By Default

By default, Scout360 records the local resolvers discovered at each network join and automatically forwards requests to them in these cases:
  1. Locally designated domains such as .local, along with local reverse lookups
  2. Assigned domains, such as those given to devices joined to an Active Directory server

In some cases operators require greater control over local forwarding and can use the local forwarding tab within the profile as needed.




Assign Local Forward Zones


You can designate local forward zones in the profile and set how queries are handled. Create a new local forward zone and set the following options:

Domain: Enter the domain for which you want to forward requests.
Resolvers set to Auto: In auto mode, the Scout360 agent first attempts to forward requests to the discovered local resolvers. If the local resolvers fail to respond, requests are sent out the WAN to the ScoutDNS resolver network.
Resolvers set to specific IPs: You can enter a number of dedicated resolver IPs. In this case, the Scout360 agent forwards only to these IPs, in order. If these resolvers fail, requests are sent out the WAN to the ScoutDNS resolver network.
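The forwarding rules from the two sections above (default forwarding of .local, reverse lookups and the joined domain, plus profile forward zones in Auto or specific-IP mode with WAN fallback) can be modelled as a resolver-ordering function. This is an added illustration, not ScoutDNS code; the precedence of profile zones over default rules, longest-zone-wins matching, and WAN fallback for default-forwarded queries are assumptions, and "ScoutDNS" is a constructed label for the cloud resolver network.

```python
from typing import List, Optional
from dataclasses import dataclass

SCOUTDNS = "ScoutDNS"  # placeholder label for the cloud resolver network (constructed)

@dataclass
class ForwardZone:
    """A local forward zone from the profile; resolvers=None models 'Auto'."""
    domain: str
    resolvers: Optional[List[str]] = None

@dataclass
class NetworkState:
    """What the agent recorded at the most recent network join."""
    local_resolvers: List[str]
    joined_domain: Optional[str] = None  # e.g. the Active Directory domain

def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a subdomain of it (label-boundary safe)."""
    q, z = qname.rstrip(".").lower(), zone.strip(".").lower()
    return q == z or q.endswith("." + z)

def is_reverse_lookup(qname: str) -> bool:
    return in_zone(qname, "in-addr.arpa") or in_zone(qname, "ip6.arpa")

def resolver_order(qname: str, net: NetworkState, zones: List[ForwardZone]) -> List[str]:
    """Ordered list of resolvers the agent tries for qname; the last is always the WAN fallback.

    Assumed here, not stated on the page: profile zones are checked before the default
    rules, the longest matching zone wins, and default-forwarded queries fall back to
    the WAN the same way 'Auto' zones do.
    """
    for zone in sorted(zones, key=lambda z: -len(z.domain)):
        if in_zone(qname, zone.domain):
            local = zone.resolvers if zone.resolvers is not None else net.local_resolvers
            return list(local) + [SCOUTDNS]  # specific IPs in order, then WAN
    # Default forwarding: .local, reverse lookups, and the joined domain.
    if in_zone(qname, "local") or is_reverse_lookup(qname) or (
        net.joined_domain and in_zone(qname, net.joined_domain)
    ):
        return list(net.local_resolvers) + [SCOUTDNS]
    return [SCOUTDNS]  # everything else goes straight to ScoutDNS over DoH (port 443)

if __name__ == "__main__":
    net = NetworkState(["10.0.0.2"], joined_domain="corp.example")
    zones = [ForwardZone("vpn.example", ["10.8.0.1", "10.8.0.2"]), ForwardZone("lab.example")]
    for name in ("dc1.corp.example", "printer.local", "intranet.vpn.example", "www.example.com"):
        print(f"{name:24} -> {resolver_order(name, net, zones)}")
```

The label-boundary check in in_zone matters: a zone for vpn.example must not capture a public name such as globalvpn.example.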

 
Local forward zones with settings



Notes
In most cases default forwarding works well; however, assigning local forward zones can help when working with certain VPNs on offsite roaming clients, or when forwarding requests for clients not yet joined to an Active Directory service.



Generate Install Files

In order to streamline deployment of device agents, install files are dynamically generated from the profile using install keys that are embedded into the install file or package based on operator settings.

Select "New Key" to get started and choose from the following options:

Platform: Windows or MacOS
Architecture: x86 (32 bit), x64 (64 bit) for Windows or x86 (32 bit), ARM (M series chips) for MacOS
Duration: Sets the length of time the install key will remain active for auto-registration into the profile.
Installs: Sets the maximum number of registrations that can be made with this key.

Save the key settings and click the "Download" link to retrieve the install file. 

Edit existing Key

Existing keys can be edited in order to extend or shorten the time allowed to auto-register. You can also increase the maximum number of allowed registrations at any time.




Notes
Expired keys do not affect already registered devices. Keys are only used during the self-registration process.

Deploy Install Files

The ScoutDNS device agent is installed as a silent installation by default. There are no prompts at install and no tray icons or any other indicators once the service is running.  

For Windows:

ScoutDNS generates an .msi file that is used to install on Windows 10/11. This can be executed at the machine level, or pushed out through Active Directory using GPOs (Group Policy Objects). As there are no command line options, keys, or tags needed, simply upload the MSI file to your network share and assign the file to the desired GPO. Some admins choose the option that hides the application from the Add/Remove Programs list on the workstation.

Alternatively, if you are installing on a low number of machines, you can simply copy the file through a network share or USB stick. It is recommended to install as machine admin so that regular users cannot stop the service themselves. 

Warning
Attempting to register with an expired key still installs the agent but does not allow the agent to register. The client will use the default resolvers while continuing to check whether its key becomes active.



Manage Installed Clients

Manage Clients View

Once the client is installed, it checks in with the client API service to register and associate with the correct profile. You will see all registered clients in the Manage Clients view. You can filter this view to All, Online, or Offline clients, as well as by whether the clients are onsite or offsite. You can also choose to view clients by a specific profile.

Here are the additional details provided in the Manage Clients View:
OS: What OS the device is running
Client Name: The name given to the client. By default it will be the Host Name but a custom name can be given in the manage client detail section.
User: The most recent logged in user
Status: The most recent status based on latest sync
Last Sync: The last time the device agent was able to check-in
Profile: The assigned device profile
Version: Current device agent version
WAN: Last known WAN IP address
LAN: Last known LAN IP address
Site: Last known site. This is recognized from your ScoutDNS managed sites.
Policy: Most recent policy governing the device

Client Status States

Online: Agent is online, with DNS traffic filtered and encrypted.
Offline: Agent is offline; its heartbeat cannot be detected.
Disabled: When disabled, the agent sets DNS to the network default and unbinds from the loopback address.
Uninstall: When set to Uninstall, the agent executes the uninstall script on its next check-in.
Missing: Agent has not checked in within the last 30 days.







Client Details View

Select any client to enter the Client Details view. From here you can get more in depth information about the selected client. You will see a mini-dashboard that displays recent usage as well as highlights any identified threats within the selected time period. 





Device Info
Name: You can rename the client, giving it a custom name that may make it easier to identify in other views. This only affects the name within ScoutDNS and does not alter the hostname.
Host Name: Hostname assigned at the device.
Full Host Name: Fully qualified hostname, including the network domain if the device is a member of one.
Profile: Shows the current profile. You can move the device into a new profile here.
Policy: Shows the current policy. Operators can choose a device-level policy that overrides the profile policy settings.
Last Sync: The last date/time the device was seen by ScoutDNS.

Network Info
Status: Shows the current device status.
WAN IP: Last known WAN IP.
LAN IP: Last known LAN IP.
Username: Last logged-in user of the device.
Site: Last known site of the device.
Domain: Network domain the device is registered on.
  

Remote Client Actions

Operators can take several remote actions through the Manage Client view.



Disable: This action disables Scout360 by telling the device agent to unbind, setting the device DNS back to the default network resolvers. The Scout360 agent remains active on the client awaiting the re-enable command. This action does not release the license/seat.
Forget: This action simply clears the current client from the Scout360 UI. If the agent is still running, it will reappear on the next client sync. This action releases the license/seat. Keep in mind that if the client attempts to rejoin at sync after all licenses/seats are used, it will be unlicensed and inactive until a license/seat becomes available.
Uninstall: This queues a remote uninstall command for the selected client, executed at the next client sync. Once executed, the client can only be rejoined after a re-install of the agent. This action can only be canceled before the client syncs and receives the command. This action releases the license/seat.

Client Log Data


With the device agent deployed, operators can view additional log fields and pull log data for specific clients if desired. The Client Name field can be chosen from the Advanced Options drop-down view. Operators can select which fields to show and export the resulting log view for any deployed client.







Info
Choose what fields to show and in what order with the Column Selector icon




 
