Allocate Endpoints

Some of the features described in this topic are only available to participants in the WatchGuard Cloud Beta program. If a feature described in this topic is not available in your version of WatchGuard Cloud, it is a beta-only feature.

When an endpoint security license is activated by a Service Provider, the available license (WatchGuard Advanced EPDR, EPDR, EDR, or EPP) and endpoint allocation appear in the Inventory page in WatchGuard Cloud.

WatchGuard EDR Core is included in the Firebox Total Security Suite. It is available for a limited number of endpoints, based on the Firebox model. With a Total Security Suite subscription license, you will see an EDR Core license in WatchGuard Cloud. You can use WatchGuard Cloud to manage EDR Core endpoint allocation and to access the Endpoint Security management UI. For information on EDR Core features, go to WatchGuard EDR Core Features.

As a Service Provider, you can allocate endpoints to your own account or any account you manage. Subscriber accounts can only have one Endpoint Security product allocated to them. You can allocate more than one product to a Service Provider account.

If you have an active subscription license, you and your managed accounts can add any number of endpoints. You can limit the maximum number of endpoints for a managed account. For more information, go to Limit the Number of Endpoints for a Managed Account.

You allocate endpoints from the Inventory > Endpoint > Allocation page in WatchGuard Cloud. When you select Overview from Account Manager, the Inventory > Summary page shows a summary of the users, endpoints, and devices in your inventory. On the Overview > Inventory > Summary page, the Endpoints section shows this information:

• Next License Expiration — Next endpoint security license expiration date
• Unallocated Endpoints or Modules — Number of unallocated endpoints for an endpoint security product (WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, or EPP) or module (Advanced Reporting Tool, Data Control, Full Encryption, MDR, Patch Management , or SIEMFeeder)
• Allocated Endpoints or Modules — Number of allocated endpoints for an endpoint security product (WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, or EPP) or module (Advanced Reporting Tool, Data Control, Full Encryption, MDR, Patch Management, or SIEMFeeder)

If you manage delegated accounts, the Overview > Inventory > Summary page does not include any inventory that the delegated account activated. To view the inventory activated by a tier-1 Subscriber delegated account, you must select the account in Account Manager.

The Inventory > Endpoint > Licenses page shows the endpoint security products and modules you have licenses for, the type of license (for example, subscription, term, or trial), license key, quantity, expiration date, and the account the license is allocated to. You can filter the list to view Expired or Active licenses only.

To start trials for endpoint security products and modules, click Start a Trial. For more information, go to Start a Trial – Service Providers.

The Inventory > Endpoint > Allocation page shows the next license expiration date, as well as, for each endpoint security product and module, the number of endpoints allocated to managed accounts and the number of unallocated endpoints in your account.

If you cancel a license or a license expires, there is a seven-day grace period before the protection is disabled on the endpoints. For more information on expiration, go to Allocate Endpoints.

The Allocation page includes a table that lists your managed Service Provider and Subscriber accounts. Delegated accounts have a (Delegated) label next to the account name. To filter the table, select Subscribers or Service Providers. You can also enter text in the Search box to filter the table for a specific account or product.

Select an account in the table to edit the allocation or click Allocate Endpoints to allocate endpoints to an account. You can allocate more than one endpoint security product or module to a Service Provider account. When you allocate a term endpoint to an account, you can specify an allocation expiration date.

You can edit the allocation for delegated tier-1 Subscriber accounts only (they purchase and activate their own license). You cannot edit allocations for other delegated accounts. The allocation for other delegated accounts is read only. To view the inventory for tier-n delegated accounts, select the account in Account Manager.

Allocation Types

When Service Providers allocate endpoints from a license to their managed accounts, they select an allocation type which specifies how the managed account can use the endpoints .

Term Allocation

When you allocate endpoints as a term allocation, the managed account can allocate a specific number of endpoints to an account for a set duration or term from a term license or MSSP points.

Subscription Allocation

When you allocate endpoints as a subscription allocation, the managed account can allocate a specific number of endpoints or an unlimited number of endpoints . WatchGuard bills the account monthly based on the number of active endpoints .

Linked to License

When you allocate endpoints as Linked to License, the quantity and expiration date of the allocated endpoints are linked to the quantity and expiration date of your term license. Endpoint Security modules with the same license key are also allocated.

Mixed Allocation

To facilitate clear usage reporting down to tenant accounts, we no longer allow Partner accounts or Tier-1 Service Provider accounts to allocate endpoints as mixed. You can select a Term or Subscription allocation type only. Existing mixed allocations can still be used, but cannot be edited. Endpoints that were allocated as mixed show as subscription endpoints in the managed account. With the mixed allocation type, endpoints from the term license are used first, then when no endpoints remain in the term license, endpoints from the subscription license are used.

The Allocation table includes an Allocation Type column that can show Term, Trial, Subscription, or Linked to License. You can allocate multiple allocation types to a tier-n Service Provider account. For example, an account could have a term allocation and a subscription allocation.

Service Providers can activate licenses for delegated tier-1 Subscriber accounts. If the Subscriber account already has a term license for the same product, then an Allocation Owner column also displays in this table to help differentiate the licenses. When you allocate endpoints to a tier-1 Subscriber account that has already allocated endpoints to itself, the endpoints you allocate are added to the total number of endpoints that the tier-1 Subscriber account has.

You cannot allocate endpoints to a tier-n Service Provider account with the same allocation type as an existing allocation. If you set the allocation type for a tier-n Service Provider to be term allocation, you cannot add another term allocation (instead, edit the existing term allocation and change the quantity).

For accounts with a mixed or subscription allocation type, you can change the allocation type to term or subscription only.

As a tier-1 Service Provider, you cannot edit the allocation type for endpoints with a term allocation. To change the allocation type, you must deallocate the endpoints with term allocation, and then reallocate the endpoints with a subscription allocation. Before you deallocate the endpoints with term allocation, we strongly recommend that you contact your managed Service Providers to make sure that their accounts do not become overallocated.

When a tier-n Service Provider allocates endpoints to a managed account with the allocation type, Linked to License, the tier-1 Service Provider account cannot edit the allocation for the managed account.

Allocate Endpoints to an Account

Service Providers can allocate endpoints as term, Linked to License, or subscription.

If your Service Provider account has term and subscriptions licenses and the managed accounts with term allocations become overallocated, their management UI becomes unavailable. The accounts with subscription allocations are not affected.

To allocate endpoints to an account:

1. Log in to your Service Provider account.
   The Overview page for your Service Provider inventory opens.

2. Select Inventory > Endpoint > Allocation.
3. From the drop-down menu select Subscribers or Service Providers, depending on the account type you want to allocate users to.
4. To edit an existing allocation for an account, in the table, select the name of the account you want to update.
5. If the account does not have any endpoints allocated, click Allocate Endpoints.
   

6. From the Account Name drop-down list, select the account you want to allocate endpoints to.
7. From the Product drop-down list, select the product you want to allocate to the account. If you want to allocate modules only and not change the quantity for the endpoint security product, select No Product Change.
   The number of unallocated endpoints available in the license shows in the upper section of the page.
8. From the Allocation Type drop-down list, select Term, Subscription, or Linked to License.
   For more information on subscription allocations, go to Limit the Number of Endpoints for a Managed Account. If you select Linked to License, then from the Licenses drop-down list, select the friendly name of the license you want to link the account allocation to.The license key, quantity, and expiration date of the product and any bundled endpoint security modules show in the blue box.
   
9. In the Quantity text box, type the number of endpoints you want to allocate to the account.
   If you selected the Linked to License allocation type, the quantity and expiration date are automatically linked to the selected term license.

10. In the Modules section, select the check box for the modules you want to allocate to the account. There are no modules available with EDR Core.
11. In the Quantity text box, type the number of modules you want to allocate to the account.
    You cannot allocate more modules than the number of endpoints available in the endpoint security product license.
12. By default, the expiration date for the allocation is set to Never. To specify an expiration date, select Custom.
13. Select an allocation expiration date for all endpoints (1 month, 3 months, or a year). You can also select a date in the calendar.
14. Click Save.

Remove the License or Deallocate Endpoints

When you remove a license, the number of allocated endpoints becomes 0. There is a seven-day grace period before the protection is disabled on the endpoints. For more information, go to About Endpoint Security Licenses.

When you deallocate endpoints, you remove endpoint protection from the endpoints in an account. If an account becomes overallocated, you cannot access the management UI and you can no longer install the endpoint security product.

Tier-1 Service Provider accounts can become overallocated when an account they manage allocates more endpoints than there are available in the license. For more information, go to Overallocation.

To identify accounts that are over their limit, review Subscriber dashboards and audit logs. When an account is overallocated, we recommend that you reduce the number of allocated endpoints (deallocate), or increase the number of endpoints in the license.

To deallocate endpoints:

1. From the Allocation table, select the account you want to deallocate endpoints for.
   The Edit Allocation page opens.
2. To remove all endpoints, in the Quantity text box, enter 0.
3. Click Save.

To remove a license:

1. From the Allocation table, next to the account you want to remove the license from, click and select Remove License.

2. In the confirmation dialog box, click Remove License.
   When there are no licenses, the account displays an Unlicensed label. You cannot access the Endpoint Security management UI.

Related Topics

About Endpoint Security Licenses

About Subscription Licenses

WatchGuard Endpoint Security Modules