Management and discovery of WFH endpoints - How to
Home » Features »

Management and discovery of WFH endpoints - How to

How to manage and discover WFH endpoints?

The primary step in embracing work from home (WFH) is to identify all the endpoints used by employees for remote work. An unmanaged remote endpoint is the last thing every IT administrator would want, because an unpatched system opens your network to a plethora of cyberattacks, and provides the leeway for users to install malicious applications or uninstall business-critical applications.

Besides the local office, most enterprises will have one or more remote offices to manage as well. With the current WFH situation, it is important to make Endpoint Central server and distribution server accessible to all the remote endpoints, wherever it’s applicable.

Depending on the category you fall under, proceed with the steps provided in that particular category:

  LAN agents Remote office agents Roaming users
SGS already configured There’d be no issues. Configure them as roaming users. There’d be no issues.
SGS newly configured Download and execute ‘configureDCAgentServerCommunication’ script. Download and execute ‘configureDCAgentServerCommunication’ script. Configure them as roaming users. Download and execute ‘configureDCAgentServerCommunication’ script.
Note
  • It is highly recommended to download our SGS component to prevent exposing Endpoint Central server to the internet directly. Owing to the current WFH scenario, SGS will be free for the first 30 days, and will be extended, if required. Refer our document for installation and configuration of SGS.
  • If all your remote endpoints can access the network through VPN at all times, without encountering any technical hindrances, the communication with Endpoint Central server and distribution server will not be an issue.
  • configureDCAgentServerCommunication script is available for Windows, macOS, and Linux.

1. I’ve already configured secure gateway server (SGS)

1.1. LAN agents

The public IP address will be available for all the remote endpoints, and the agents can communicate with the server seamlessly for hassle-free management. (Note: This public IP address of SGS will be mapped to the private IP address of Endpoint Central server).

1.2. Remote office agents

If the remote office agents communicate with Endpoint Central server directly, agent - server communication will not be an issue. However, if the agents communicate with the central server through distribution server (DS), there might be a hindrance to the communication as the DS will not be configured as an edge device (also, it is not recommended to configure DS as an edge device).

  1. Export the branch office details by executing the query provided in the box.
    • Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
    • Provide a report name. Copy and paste the query provided in the box.
    • Click on Run Report to generate reports based on the executed query.
    2. SELECT BranchOfficeDetails.BRANCH_OFFICE_ID, BranchOfficeDetails.BRANCH_OFFICE_NAME, BranchOfficeDetails.HAS_MASTERAGENT, Resource.RESOURCE_ID, Resource.NAME as "DS Name", Resource.DOMAIN_NETBIOS_NAME, DisServerDetails.DS_IPADDRESS, DisServerDetails.DS_VERSION, DisServerDetails.DS_STATUS, DisServerDetails.LAST_CONTACT_TIME, DisServerDetails.DS_DNS_NAME, DisServerDetails.DS_PORT, DisServerDetails.DS_HTTPS_PORT FROM BranchOfficeDetails INNER JOIN DisServerDetails ON BranchOfficeDetails.BRANCH_OFFICE_ID=DisServerDetails.BRANCH_OFFICE_ID INNER JOIN Resource ON DisServerDetails.RESOURCE_ID=Resource.RESOURCE_ID
  2. Navigate to Admin tab > Scope of Management under SoM settings > Remote Offices tab.
  3. Select a remote office > Actions > Modify.
  4. Change the communication type from Through Distribution Server to Direct Communication.

Note: By doing so, all the remote office endpoints will start contacting the Endpoint Central server directly instead of communicating through the DS. This will increase the load on the central server and cause bandwidth bottleneck issues. However, you can follow the guidance below to reduce bandwidth overload issues.

Best practices to break the bandwidth bottleneck

1.3. Roaming users

In order to avoid the exposure of Endpoint Central server to the internet directly, all the communication from the roaming agents to Endpoint Central server will be routed through the secure gateway server.

How to convert to Roaming agents?

2. I’ve newly configured secure gateway server (SGS)

After installation and configuration of SGS, if the same public IP address (as that of Endpoint Central’s) is provided for SGS, there’d be no issues in the agent - server communication. However, if you choose to provide a different IP address, ensure that all the agents communicate with the Endpoint Central server for fetching the new IP address, until which Endpoint Central server should be configured as the edge device. (Note: All the active agents will contact the Endpoint Central server within the 90-minute refresh policy).

How to configure secure gateway server?

2.1. LAN agents and roaming users

If the agents cannot contact the Endpoint Central server to fetch the IP address, here’s what you need to do:

Based on your operating system, download and execute the following script: [Important: In the downloaded script, replace the sample IP address with the new public IP address of SGS]

Windows

Linux

  • Download configureDCAgentServerCommunication_linux.sh.
  • Execute the commands given below:
    chmod +x configureDcAgentServerCommunication_linux.sh
    sudo ./configureDcAgentServerCommunication_linux.sh [sgs_fqdn/sgs_ip] [For example: sudo ./configureDcAgentServerCommunication_linux.sh joe.manageengine.com]

Mac

2.2. Remote office agents

  1. Based on your operating system, download and execute the following script: [Important: In the downloaded script, replace the sample IP address with the new public IP address of SGS]

    2. Windows

    Linux

    • Download configureDCAgentServerCommunication_linux.sh.
    • Execute the commands given below:
      chmod +x configureDcAgentServerCommunication_linux.sh
      sudo ./configureDcAgentServerCommunication_linux.sh [sgs_fqdn/sgs_ip] [For example: sudo ./configureDcAgentServerCommunication_linux.sh joe.manageengine.com]

    Mac

    If the remote office agents communicate with Endpoint Central directly, follow the steps mentioned below:

  2. Export the branch office details by executing the query provided in the box.
    • Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
    • Provide a report name. Copy and paste the query provided in the box.
    • Click on Run Report to generate reports based on the executed query.
    3. SELECT BranchOfficeDetails.BRANCH_OFFICE_ID, BranchOfficeDetails.BRANCH_OFFICE_NAME, BranchOfficeDetails.HAS_MASTERAGENT, Resource.RESOURCE_ID, Resource.NAME as "DS Name", Resource.DOMAIN_NETBIOS_NAME, DisServerDetails.DS_IPADDRESS, DisServerDetails.DS_VERSION, DisServerDetails.DS_STATUS, DisServerDetails.LAST_CONTACT_TIME, DisServerDetails.DS_DNS_NAME, DisServerDetails.DS_PORT, DisServerDetails.DS_HTTPS_PORT FROM BranchOfficeDetails INNER JOIN DisServerDetails ON BranchOfficeDetails.BRANCH_OFFICE_ID=DisServerDetails.BRANCH_OFFICE_ID INNER JOIN Resource ON DisServerDetails.RESOURCE_ID=Resource.RESOURCE_ID
  3. Navigate to Admin tab > Scope of Management under SoM settings > Remote Offices tab.
  4. Select a remote office > Actions > Modify.
  5. Change the communication type from Through Distribution Server to Direct Communication.

Note: By doing so, all the remote office endpoints will start contacting the Endpoint Central server directly instead of communicating through the DS. This will increase the load on the central server and cause bandwidth bottleneck issues. However, you can follow the guidance below to reduce bandwidth overload issues.

Best practices to break the bandwidth bottleneck

Identify WFH endpoints

After ensuring that all your local office endpoints and remote office endpoints can contact Endpoint Central server, identify WFH endpoints for easier management.

With distribution server (DS)

Since it is not recommended to configure your distribution server as an edge device, DS might not be accessible by all the remote endpoints. However, it's possible for the endpoints to contact Endpoint Central server, and not DS. That said, depending on when the Endpoint Central server and the DS were contacted, you can identify the WFH endpoints.

  1. Execute the query provided in the box:
    • Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
    • Provide a report name. Copy and paste the query provided in the box.
    • Click on Run Report to generate reports based on the executed query.
    select Resource.RESOURCE_ID, Resource.NAME, Resource.DOMAIN_NETBIOS_NAME,BranchOfficeDetails.BRANCH_OFFICE_NAME from ManagedComputer inner join BranchMemberResourceRel on ManagedComputer.RESOURCE_ID=BranchMemberResourceRel.RESOURCE_ID inner join BranchOfficeDetails on BranchMemberResourceRel.BRANCH_OFFICE_ID=BranchOfficeDetails.BRANCH_OFFICE_ID inner join AgentContact on ManagedComputer.RESOURCE_ID=AgentContact.RESOURCE_ID inner join Resource on ManagedComputer.RESOURCE_ID=Resource.RESOURCE_ID where BranchOfficeDetails.HAS_MASTERAGENT='true' and AgentContact.LAST_DS_CONTACT_TIME< CurrentTime in millisecond - 172800000 and AgentContact.LAST_CONTACT_TIME >CurrentTime in millisecond - 86400000
  2. Important!
    • AgentContact.LAST_DS_CONTACT_TIME is the last time DS was contacted by the endpoint.
    • AgentContact.LAST_CONTACT_TIME is the last time Endpoint Central server was contacted by the endpoint.
    • CurrentTime (in millisecond) should be fetched from this link. After fetching the current time, provide this in the query, in the place of 'CurrentTime in millisecond'. You'll have to replace it in two places in the query, before executing it.
    • Depending on the communication interval that prevails in your network, choose AgentContact.LAST_DS_CONTACT_TIME and AgentContact.LAST_CONTACT_TIME accordingly. The necessary values can be obtained from the following:
      • 24 hours: 86400000
      • 2 days: 172800000
      • 3 days: 259200000
      • 4 days: 345600000
      • 5 days: 432000000
      • 6 days: 518400000
      • 7 days: 604800000

      • For example, if you think an endpoint should have contacted DS within two days, and Endpoint Central server within a day, then the query should be as follows: AgentContact.LAST_DS_CONTACT_TIME< CurrentTime in millisecond - 172800000 and AgentContact.LAST_CONTACT_TIME >CurrentTime in millisecond - 86400000.

  3. From the results, you will be able to determine the last time Endpoint Central server was communicated, as opposed to the last time DS was communicated. If the last contacted time of Endpoint Central server is lesser than the last contacted time of DS, this is known as a WFH endpoint.

    For example, if an endpoint has last contacted DS two days earlier, but has contacted Endpoint Central server 24 hours earlier, this endpoint is a WFH endpoint.

Without DS/Direct communication

If the endpoints communicate with Endpoint Central server, a custom script needs to be executed to find if the remote endpoint has communicated with the public IP address of Endpoint Central, or the private IP address. You can determine from this, if the endpoint has communicated with the public IP address of Endpoint Central, that it is a WFH endpoint.

  1. Create a custom script configuration in Endpoint Central, using any one of the following scripts. Based on your operating system, download and execute the corresponding script.

    Windows

    Linux

    • Download configureDCAgentServerCommunication_linux.sh.
    • Execute the commands given below:
      chmod +x configureDcAgentServerCommunication_linux.sh
      sudo ./configureDcAgentServerCommunication_linux.sh [sgs_fqdn/sgs_ip] [For example: sudo ./configureDcAgentServerCommunication_linux.sh joe.manageengine.com]

    Mac

  2. While defining this configuration, pass the argument as the IP address of SGS or public IP address of Endpoint Central server.
  3. Upon successful execution of this script, execute the query provided in the box.
    • Navigate to the Reports tab > Query Reports from the left pane > New Query Report.
    • Provide a report name. Copy and paste the query provided in the box.
    • Click on Run Report to generate reports based on the executed query.
    SELECT Resource.NAME as COMPUTER_NAME, Resource.DOMAIN_NETBIOS_NAME AS DOMAIN_NAME, CASE WHEN CollnToResources.remarks_en like '%True%' THEN 'True' ELSE 'False' END as WFH_Status FROM Collection INNER JOIN CollnToResources ON Collection.COLLECTION_ID=CollnToResources.COLLECTION_ID INNER JOIN Resource ON CollnToResources.RESOURCE_ID =Resource.RESOURCE_ID WHERE Collection.COLLECTION_NAME ='configName'

    4. Note: In the place of “configName”, provide the name of the custom script configuration that was created.

faq

Frequently Asked Questions

01. Why should you manage WFH endpoints?

+ -

Managing work-from-home (WFH) endpoints is crucial to maintain security, productivity, and compliance across a distributed workforce. Remote devices often connect through unsecured networks, increasing the risk of data breaches and malware attacks. ManageEngine Endpoint Central helps IT teams secure, monitor, and control these endpoints by enforcing policies, deploying patches, and ensuring consistent configurations—protecting both corporate data and user productivity outside the office network.

Read more

02. How to manage WFH endpoints effectively?

+ -

Effective WFH endpoint management starts with centralized visibility, automated patching, and secure remote access. Endpoint Central enables IT admins to manage endpoints over the internet using a lightweight agent that communicates securely with the server. It supports remote troubleshooting, software deployment, and configuration management, ensuring devices remain compliant and updated even when employees work from home or on the move.

Read more

03. How can I avoid bandwidth issues when a large number of remote employees connect to the central server?

+ -

To reduce bandwidth congestion, Endpoint Central uses a Distribution Server model that intelligently offloads data transfer. Instead of every remote device connecting to the central server, local distribution points deliver patches, software, and updates efficiently to nearby endpoints. IT teams can also schedule deployments during off-peak hours and use peer-to-peer (P2P) distribution to optimize bandwidth utilization across remote networks.

Read more

04. What specific scripts and queries does Endpoint Central provide to help identify remote work endpoints across different operating systems like Windows, Mac, and Linux?

+ -

Endpoint Central offers a library of predefined scripts and queries to identify and manage remote endpoints across Windows, macOS, and Linux systems. These include scripts to track devices connected via public IPs, VPNs, or external networks, as well as queries that identify inactive agents, unpatched systems, or unauthorized software. Admins can execute custom scripts remotely from the console to audit and enforce security across all remote endpoints.

Read more

05. What makes Endpoint Central the right solution to manage WFH endpoints?

+ -

Endpoint Central is purpose-built for remote and hybrid workforce management. It provides full endpoint visibility, internet-based management without VPN dependency, and integrated tools for patching, remote control, and configuration. Its scalable architecture supports global device fleets, while strong security measures—like encryption, role-based access, and compliance reports—make it an ideal choice for enterprises managing WFH endpoints securely and efficiently.

Read more

Trusted by