App Control: Event Rule is Not Restoring All Endpoints to Normal Enforcement
App Control Console: All Supported Versions
App Control Agent: All Supported Versions
Alert Triggered for 'Local Approval Alert'
Event Rule only restores 1 Agent, despite multiple devices having been selected to move to Local Approval.
Event Rules are designed to work with one trigger at a time.
If multiple endpoints are moved from Normal Enforcement to Local Approval at the same time (bulk Policy move), only one endpoint will count as the trigger.
Only the triggered endpoint will be moved back to Normal Enforcement.
There are 2 options available as a workaround:
Enable the 'Auto Reset' portion of the Local Approval Alert and set it to 1 minute, so that any devices that were put into Local Approval at the same time (bulk change) return to their normal enforcement once the Alert has been reset. Devices will return to their normal level of enforcement 1 minute apart: if 3 devices were moved at the same time, they will all return to normal enforcement by 3 minutes after the original Criteria set. Example:
Move 3 devices to Local Approval Policy at 10:00am
Criteria set in the alert for a Time period of 1 Hour
At 11:00am the Alert is triggered and the Event Rule follows suit, restoring the first device that triggered the alert to normal enforcement
At 11:01am the Alert is reset and the Event Rule triggers once more, restoring the 2nd device to normal enforcement
At 11:02am the Alert is reset and the Event Rule triggers once more, restoring the 3rd device to normal enforcement
Move each endpoint individually, so that the agent triggers an Alert per endpoint. The timestamp of each move to Local Approval needs to differ from that of every device previously moved in this way (e.g. Device #1 @ 10:00am, Device #2 @ 10:01am).