Multi-Tenant Management — Assign Endpoint Security Settings to Managed Accounts

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

To open the multi-tenant management UI for endpoint security, your Service Provider account must have an active WatchGuard Endpoint Security product license in its inventory.

As a Service Provider, you can assign security settings profiles to their managed Subscriber and Service Provider accounts, and account groups. You can assign recipients in the settings profile or you can drag setting profiles to accounts on the Settings page. When you assign recipients in the settings profile, it automatically applies to the All group in the Endpoint Security management UI of the target account.

When you do not want to automatically assign the settings profile to the All group, you can send the settings profile to an account or account group. In WatchGuard Endpoint Security, the user can then assign the settings profile to the appropriate recipients. For more information, go to Send the Profile to an Account.

You cannot assign security settings to delegated accounts in the multi-tenant management UI.

After you create a security settings profile, you can assign it to WatchGuard Cloud accounts and account groups. When you assign a security settings profile in the multi-tenant management UI, it is automatically applied to the All group in the Endpoint Security management UI.

To assign endpoint security settings in a profile from WatchGuard Cloud:

  1. From Account Manager, select a Service Provider account.
    To select your own Service Provider account, select Overview. Or, select a tier-n Service Provider account.
  2. Select Configure > Endpoints.
  3. On the Settings page, select the settings type for the profile you want to assign recipients to.
  4. Select the profile from the list.
  5. Click the existing recipients or, if there are no recipients, click No Recipients Selected Yet.
    The Recipients page opens.

Screen shot of Service Provider Endpoint Manager, Settings recipients

  1. Above the first Client Groups box, click The Add icon..
    The Add Clients dialog box opens.

Screen shot of Service Provider Endpoint Manager, Add Clients

  1. Select the WatchGuard Cloud account or account group you want to assign the profile to. Accounts that are already assigned are gray.
  1. Click Add.
    Repeat steps 5 to 7 to add another account or account group. The selected accounts and account groups display in the Client Groups box.
  1. In the upper-left corner of the page, click Back.
    The settings profile is automatically applied to the All group in the account's Endpoint Security management UI.

Send the Profile to an Account

To send an endpoint security settings profile to an account from WatchGuard Cloud:

  1. From Account Manager, select a Service Provider account.
    To select your own Service Provider account, select Overview. Or, select a tier-n Service Provider account.
  2. Select Configure > Endpoints.
  3. On the Settings page, select the settings type for the profile you want to assign recipients to.
  4. Select the profile from the list.
  5. Click the existing recipients or, if there are no recipients, click No Recipients Selected Yet.
    The Recipients page opens.

Screen shot of Service Provider Endpoint Manager, Settings recipients

  1. In the Show in the Following Clients’ Console section, above the Client Groups box, click The Add icon..
    The Add Clients dialog box opens.
  2. Select the WatchGuard Cloud account or account group you want to send the profile to.
  3. Click Add.
    Repeat steps 5 to 7 to add another account or account group. The selected accounts and groups appear in the Client Groups box.
  4. In the upper-left corner of the page, click Back.
    The settings profile appears in the Endpoint Security management UI for the account's endpoint security product.

On the Settings page, when you select a settings type, a list of account groups and available security settings profiles shows in the right pane. If the settings profile was assigned by a Service Provider account, a green Inherited Settings label shows.

Screen shot of Service Provider Endpoint Manager, available settings profiles

To quickly assign a settings profile to an account, you can drag the profile to an account or account group. The security settings are automatically assigned to the account group and sub-groups. In a Subscriber account, the settings are automatically assigned to the computers and devices in the group. When you assign the settings, the account group also updates in the recipients list of the security settings profile.

To assign endpoint security settings on the Settings page from WatchGuard Cloud:

  1. From Account Manager, select a Service Provider account.
    To select your own Service Provider account, select Overview. Or, select a tier-n Service Provider account.
  2. Select Configure > Endpoints.
  3. On the Settings page, select the settings type you want to assign the profile for.
    The account groups and available security settings profiles appear.
  4. Drag a profile to the account or account group.

Screen shot of WatchGuard Endpoint Security, assign settings

View Assigned Settings

When you assign settings, a number appears next to the profile name to show that it is assigned to an account. This number increases each time you assign the profile to an account.

To view the accounts that a settings profile is assigned to:

  • Point the mouse at the number next to the profile.
    A colored lined connects the profile to the accounts it is assigned to.

Screen shot of Service Provider Endpoint Manager, Assigned Settings

If the list of accounts in the left pane shows a black number in the colored line, then there are accounts in the folder with exceptions applied to the settings. For information on inheritance and exceptions, go to Multi-Tenant Management — Settings Inheritance for Subscriber Accounts.

Remove an Account from a Security Settings Profile

When you remove an account from a settings profile, the account inherits the security settings from a group at a higher group or the All group. When there is no higher group, the managed account retains the settings until a new settings profile is assigned.

To remove an account or account group from a profile in WatchGuard Cloud:

  1. From Account Manager, select a Service Provider account.
    To select your own Service Provider account, select Overview. Or, select a tier-n Service Provider account.
  2. Select Configure > Endpoints.
  3. On the Settings page, select the settings type for the profile you want to unassign recipients from.
  4. Select the profile from the list.
  5. Click the existing recipients.
    The Recipients page opens.

Screen shot of Service Provider Endpoint Manager, unassign recipients

  1. Click × next to the group name.
  2. Click Delete.
    The computers and devices that belong to the account inherit the security settings from a group at a higher group or the All group.

Related Topics

Multi-Tenant Management of Settings Profiles

Multi-Tenant Management — Settings Inheritance for Subscriber Accounts

Multi-Tenant Management — Settings Inheritance for Service Provider Accounts