Devices: Approving & Onboarding Discovered Devices
Satyam
Last Update 2 months ago
The Devices tab is where you review, approve, and track all computer accounts discovered from your Active Directory environment. Each device discovered by a sync policy appears here and requires an explicit approval decision before it is added to your managed asset inventory — unless auto-onboarding was enabled on the policy that discovered it.
This article covers the full device lifecycle: understanding statuses, approving individual devices, bulk operations, filtering, and rejection
Devices
Devices are populated in the Devices tab in two ways:
- Sync Policy (Asset Discovery or Group Sync) — When a policy runs, computer accounts found in Active Directory are imported and appear with a Pending status, waiting for your approval decision.
- Auto-Onboarding — If a sync policy has auto-onboarding enabled, discovered devices bypass the Pending state and begin onboarding immediately.
The Devices tab badge shows a count of devices currently in an active state (Pending or In Progress), giving you a quick indicator that action may be required.
Understanding Device Statuses
Each device carries a status badge that reflects exactly where it is in the onboarding lifecycle.
| Status | Meaning |
| Pending | The device has been discovered but not yet acted on. An approval or rejection decision is required. |
| Awaiting Agent | The device was approved via agent-based onboarding. SecOps is waiting for the GPO to deploy the agent and for it to check in. |
| Verifying Credentials | The device was approved via agentless onboarding. SecOps is actively testing the WinRM or SSH credentials against the device. |
| In Progress | A general in-progress state indicating onboarding is underway. |
| Failed | The onboarding attempt did not complete successfully. Hover over the status badge to see the specific failure reason. The device can be re-approved after resolving the underlying issue. |
| Rejected | An administrator manually rejected this device. It will not be onboarded unless re-approved. |
| Onboarded | The device has been successfully added to the managed asset inventory. No further action is needed. |
Filtering the Device List
By default, the Devices tab opens to the Pending filter so that newly discovered devices requiring action are immediately visible. The filter bar at the top provides one-click access to each status group — Pending, In Progress, Failed, Rejected, and Onboarded. Click any filter tag to activate it; click it again to deactivate and return to the unfiltered view.
For more granular filtering, click the Filters icon on the left of the filter bar. The advanced filter panel lets you narrow the list by device name, one or more statuses simultaneously, or operating system — useful in mixed Windows and Linux environments. Click Apply Filter to apply your selection or Reset Filter to clear it. Active filters appear as removable tags directly below the filter bar; click the × on any tag to remove that condition individually.
Approving a Device
To approve a single device and begin onboarding:
The Approve action is also available for devices with a Failed or Rejected status, allowing you to retry onboarding after addressing the root cause.
Upon successful submission, the device moves to In Progress and the Devices tab automatically switches to the In Progress filter so you can monitor its progress.
Onboarding Modal — Agent-Based
Select Agent-based (deploy via GPO) when you want SecOps to push the agent to the device via Group Policy. No credentials are required for this method.
Onboarding Modal — Agentless
Select Agentless (SSH / WinRM) when you want SecOps to connect directly to the device without installing an agent. This method requires network access to the device and valid credentials.
For Windows devices, provide a local or domain account username with administrative privileges on the target machine, along with its password. Select the WinRM port — 5985 for HTTP (default) or 5986 for HTTPS.
For Linux and Mac devices, choose one of three credential types:
Rejecting a Device
To reject a single device, locate it in the Pending filter view and click the × button in the Actions column. The rejection is applied immediately with no confirmation prompt. The device moves to Rejected status and the Devices tab switches to the Rejected filter automatically.
A rejected device can be re-approved at any time by clicking Approve from the Rejected filter view.
By default, the Devices tab opens to the Pending filter so that newly discovered devices requiring action are immediately visible. The filter bar at the top provides one-click access to each status group — Pending, In Progress, Failed, Rejected, and Onboarded. Click any filter tag to activate it; click it again to deactivate and return to the unfiltered view.
For more granular filtering, click the Filters icon on the left of the filter bar. The advanced filter panel lets you narrow the list by device name, one or more statuses simultaneously, or operating system — useful in mixed Windows and Linux environments. Click Apply Filter to apply your selection or Reset Filter to clear it. Active filters appear as removable tags directly below the filter bar; click the × on any tag to remove that condition individually.
Approving a Device
To approve a single device and begin onboarding:
- Locate the device in the Pending filter view.
- Click the Approve button in the Actions column.
- The Onboarding modal will open. Select the onboarding method and complete the relevant fields.
- Click Approve to submit.
The Approve action is also available for devices with a Failed or Rejected status, allowing you to retry onboarding after addressing the root cause.
Upon successful submission, the device moves to In Progress and the Devices tab automatically switches to the In Progress filter so you can monitor its progress.
Onboarding Modal — Agent-Based
Select Agent-based (deploy via GPO) when you want SecOps to push the agent to the device via Group Policy. No credentials are required for this method.
- Asset Criticality — Assign a priority level from 1 (Default) to 5 (Highest). This determines how the device is prioritized in vulnerability reports.
- Asset Groups — Assign the device to one or more asset groups. Select from existing groups or type a new name to create one on the fly.
- Jump Host Agent — The agent that will coordinate the onboarding process.
- Timeout (hrs) — How long SecOps will wait for the agent to check in before marking the device as failed. Default is 12 hours.
Onboarding Modal — Agentless
Select Agentless (SSH / WinRM) when you want SecOps to connect directly to the device without installing an agent. This method requires network access to the device and valid credentials.
For Windows devices, provide a local or domain account username with administrative privileges on the target machine, along with its password. Select the WinRM port — 5985 for HTTP (default) or 5986 for HTTPS.
For Linux and Mac devices, choose one of three credential types:
- Password — Standard SSH username and password. The simplest option to configure.
- SSH Key — Upload a .pem or .key private key file. Provide a passphrase if the key is encrypted. Use this when password-based SSH authentication is disabled in your environment.
- Whitelist Public Key — SecOps generates a key pair and gives you the public key to add to the authorized_keys file on target devices. This is the most secure option as no password or private key needs to be stored in SecOps.
Rejecting a Device
To reject a single device, locate it in the Pending filter view and click the × button in the Actions column. The rejection is applied immediately with no confirmation prompt. The device moves to Rejected status and the Devices tab switches to the Rejected filter automatically.
A rejected device can be re-approved at any time by clicking Approve from the Rejected filter view.