What is agent blacklisting?
Agent blacklisting is a mechanism for restricting certain agents from getting policies and/or NSE processing. Here “agent” means “GUID”.
There are basically 2 scenarios when a computer can be blacklisted – manual and automatic.
Automatic Blacklisting - Merge case
- Computer is merged with another computer. The automatic merge happens due to one of the computer resource keys coincidence with another computer’s keys: name.domain, fqdn, uniqueid. The reasons why 2 computers might get same keys are out of scope of this doc.
- Manual merge of computers might be launched via right click menu -> Merge Resources. It is the Asset Solution item action
When computer X merges into computer Y then X gets into the AgentBlacklist table as well X disappears as a resource at NS. However agent still has GUID X and thinks it is allright. AgentBlacklist table tells NS which computers are not allowed to receive policies and whose NSEs (X, for example) should not be processed.
When agent X requests policies NS checks whether X is blacklisted and if YES, then NS returns a special error code NFYSVR_E_NOT_FOUND 0x80041003 to the agent which means that agent should change its GUID. Agent then is supposed to call Createresource.aspx which would return the new GUID Z.
Note: In case merge was automatic (X was merged into Y due to equal resource keys) Z = Y, thus we will have 2 machines sharing the same GUID. The ONLY workaround in such case in SMP 7.6 is to make sure all the resource keys are unique for the problematic pair of computers. It is not always possible.
There are 2 filters that are supposed to be managed by users manually. The purpose of these filters is to tell NS what computers should stop receiving policies - all the policies or user-based policies. The use-cases for maintenance of these filters are undefined. However here is what they technically do:
- Blacklisted Host Computers
The filter is located under Filters-> Computer Filters and is supposed to be updated manually. The computer resources placed into this filter will NOT get any policies. Also, any NSE from these computers will be rejected.
- User Configuration Blacklisted Users and Computers.
The filter is located under Filters-> Computer Filters and is supposed to be updated manually. Computer resources placed into this filter will NOT get any user-based policies. User resources placed into this filter will NOT get the corresponding user-based policies on all the computers.
Both filters are regular filters, so they may contain either explicit resources or be query-based.