Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Datto RMM
Environment: Huntress integration
Summary: Setup guide for Datto RMM notifications for alerts regarding Huntress agent uninstallation.
This article stems from partner feedback requesting the ability to be notified when Huntress is uninstalled (or installed) from an endpoint. In this article we will provide a tutorial on how to receive uninstall alerts via the Datto RMM and Autotask suite. It can easily be tweaked to provide notices when Huntress is installed as well. This article is an overview of some advanced RMM features of Datto RMM and may need to be tweaked to work within your environment. In this article we'll be utilizing the "Software Monitor (Windows Only)" feature of monitoring policies within Datto RMM.
NOTE: Huntress support may not be able to troubleshoot advanced RMM configurations. This information is provided as a general guideline on automating the agent install process. Please consult Datto's documentation for further details.
- In new Datto RMM UI, select the "Policies" and then "All" in the left pane
- Click the "Create" policy button in the right pane
- Provide a Name, Description, Scope, and Type. In the examples below we're using "Huntress Uninstall Alerts", a brief description, "Global" scope, and "Monitoring" type.
-
In the "Monitors" section, click "Add Monitor" (not pictured), click "Select", and click "Select" next to Software in the right pane pop-out.
-
Type in "Huntress Agent" for "software package matching", check "is uninstalled" and choose an appropriate alert severity ("High" in this example).
Note: You can also check "is installed" if you want an alert when Huntress is installed as well. We typically don't recommend this as it may produce a lot of noise during deployments, but your needs may vary. It may also be worthwhile to setup two separate monitors, one for installed vs. uninstalled, providing different alert severities (i.e. low for installed, high for uninstalled.) Separating the monitors also allows you to force a reinstall right after an uninstall occurs as outlined in the next step.
- In the "Response" section check "Create a ticket" and configure any custom ticket attributes based on your configuration. You can also select "Run a Component" and choose the Huntress component to force a reinstall immediately after an uninstall is detected.
- Once complete click the "Add Monitor" button in the bottom right to save your changes.
- In the "Targets" section click on "Add Target" and select the group of systems you want this to apply to. In our example below we have a "Site Group" titled "Huntress Clients" containing all of our Sites (clients) that we wish to have Huntress installed on.
- Finally click "Save and Deploy Now" to apply the changes to your RMM instance and push it out to the targets selected. You can choose "Save and Deploy Later" if you wish to delay the processing of the new policies.