Your Agent Management access choice can be dictated by whether or how often your client systems running the Carbon Black App Control Agent are connected to the Carbon Black App Control Server.

If a computer never connects to the server, you can provide access by choosing an Agent Management password before generating installation packages. This password is built into the agent, and can be changed by one of the following methods:

  • Install a new agent package generated after the password change.
  • Import a new configuration list from the Carbon Black App Control Server after you have changed the global password. See your VMware Carbon Black Support representative for instructions on importing a configuration list.

Another option for systems that never connect to the Carbon Black App Control Server is to specify a group that can be guaranteed to exist on all machines, such as Local Administrators for Windows computers. The suitability of this method depends on how your organization manages administrative accounts. However, it lets you control access to agent management commands by adding or removing users from the named group, independent of changes in Carbon Black App Control.

If a computer is occasionally connected to the Carbon Black App Control Server, you have more flexibility in selecting and changing client management access methods. Changes to a password, or to a user or group definition, propagate to the agents the next time they connect.

If all computers are always connected to the Carbon Black App Control Server (or can be), you have the most flexibility in configuring Agent Management access because changes go to your connected agents as soon as the agent and server connect. In this case, you might find it more convenient to select a well-known group, or define a new group, such as "App Control Local Administrators", and give its members access to the management commands. Groups also allow the use of tools such as runas, psexec, or sudo to run commands using alternate credentials. You can also use a password.

Note: When running on Windows Vista and later operating systems, membership in pre-defined security groups like Administrators requires that the application run as administrator. If you are not certain that a user has this elevated privilege, using a built-in group for Agent Management access might not be a good choice if you are using computers that are running Vista or Windows 7.
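
The following check illustrates the situation the note describes. It is an added example, not part of the Carbon Black documentation or product: it reports whether a group is active, deny-only (member, but the session is not elevated), or absent in the current session's access token. The function name `Get-TokenGroupState` and its parameters are hypothetical, and it assumes Windows PowerShell 5.1 or later.

```powershell
# Added example: reports how a group appears in the current process token.
# Function and parameter names are hypothetical, not Carbon Black commands.
function Get-TokenGroupState {
    param(
        # Well-known SID of BUILTIN\Administrators is used by default.
        [string]$GroupSid = 'S-1-5-32-544',
        # Optional: resolve a group by name instead, e.g. a custom local group.
        [string]$GroupName
    )

    if ($GroupName) {
        $account  = New-Object System.Security.Principal.NTAccount($GroupName)
        $GroupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # An enabled group appears as a GroupSid claim; a group filtered by UAC
    # appears as a DenyOnlySid claim.
    $enabledType  = [System.Security.Claims.ClaimTypes]::GroupSid
    $denyOnlyType = [System.Security.Claims.ClaimTypes]::DenyOnlySid

    $claims = @($identity.Claims | Where-Object { $_.Value -eq $GroupSid })

    if ($claims | Where-Object { $_.Type -eq $enabledType }) {
        $state = 'Enabled'
    } elseif ($claims | Where-Object { $_.Type -eq $denyOnlyType }) {
        $state = 'DenyOnly'
    } else {
        $state = 'NotPresent'
    }

    [pscustomobject]@{
        User     = $identity.Name
        GroupSid = $GroupSid
        State    = $state
    }
}

$result = Get-TokenGroupState
switch ($result.State) {
    'Enabled'    { "$($result.User): group $($result.GroupSid) is active in this session." }
    'DenyOnly'   { "$($result.User): member of $($result.GroupSid), but this session is not elevated." }
    'NotPresent' { "$($result.User): not a member of $($result.GroupSid)." }
}
```

A `DenyOnly` result in a normal (non-elevated) prompt for a user who is in Administrators is the case the note warns about; the same user in a prompt started with "Run as administrator" reports `Enabled`.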