# Devices for Approval - SoM Settings

## Approval and Re-Approval of Computers and Distribution Servers

Endpoint Central provides a controlled approval mechanism for **client computers (via the agent)** and **Distribution Servers**.

- **Agent Approval** — Applies to computers that have the Endpoint Central agent installed.
- **Distribution Server (DS) Approval** — Applies to computers where Distribution Servers are installed in remote offices.

## Computer (Agent) Approval

### Understanding Computer(s) for Approval and Re-Approval

The **"Computer(s) for Approval"** tab, located within the **Computers** view, displays all computers on which the Endpoint Central agent has been installed but which are awaiting administrator approval before server communication is established. Once approved, computers move to the **Managed Computers** category and server configurations become applicable.

If a managed computer later behaves abnormally, its agent is isolated and blocked from communicating with the server until an administrator manually approves it again (Re-Approval).

**Note:** The Agent Re-Approval feature was introduced in build **11.4.2540.01**.

### Importance of Computer(s) for Approval and Re-Approval

When the Endpoint Central agent is installed on a client computer without the system administrator's knowledge, the approval feature ensures that server communication is established only after explicit review. Computers in the approval queue have the agent installed, but the server rejects all status updates until approval is granted.

Computer Re-Approval prevents unauthorised access to the server from unknown or compromised endpoints. The computer requires manual re-approval before it can resume communication.

### How to Enable Computer(s) for Approval and Re-Approval

1. Navigate to `Agent > SoM Settings > Approval Settings`.
2. Enable the **"Computer(s) for Approval"** option.
3. Once enabled, go to the `Computers > Computer(s) for Approval` tab.
4. Review listed computers and choose to **Approve** or **Decline** each.

![How to approve agents and distribution server](https://www.manageengine.com/products/desktop-central/how-to/images/approval-1.png)

**Note:** For versions below **11.3.2414.01**, these settings are under `Endpoint Central > Agent > Agent Settings`. The Computer(s) for Approval tab appears only when the option is enabled in SoM Settings.

### Approval of Declined Computers

Computers you decline appear under `Agent > Computers > Computer(s) for Approval` filtered by **Declined**. If you later approve a declined computer, agent installation is re-triggered on that machine.

Declined computer details are retained on the server for **90 days** by default. Adjust this under `Agent > Computers > Computer(s) for Approval > Cleanup Settings`.

### Automatic Approval of Computers

Computers matching the following default criteria are automatically approved:

- Computers synced from **Active Directory**
- Computers enrolled in **MDM** (Azure, ABM, self-enrollment, Enroll via Invite)
- Computers added via **Import Computers** or **Add Computers**
- Agents deployed via **OSD Imaging**

You can configure additional automatic-approval criteria based on DNS Domain Name, Computer Name, Domain Name, or IP Address range.

**Note:** Automatic approval does **not** apply to the Re-Approval of computers.

### Scenarios When Agent Re-Approval Is Triggered

A managed computer enters the Re-Approval state in the following known scenarios:

- **Duplicate Computer and Domain Names** — Multiple computers sharing the same computer name and domain name can trigger re-approval.
- **Improper Imaging Process** — The computer was imaged with the agent already installed without following the official imaging guide.
- **Agent Uninstalled and Reinstalled Offline** — The agent is uninstalled and reinstalled while the machine cannot reach the server.

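
When triaging the Re-Approval queue for the duplicate computer and domain name scenario, it helps to confirm from your own asset inventory which name/domain pairs are really claimed by more than one physical device. The following is an added example, not Endpoint Central code or an Endpoint Central export format: the CSV columns (`computer_name`, `domain_name`, `serial_number`, `last_contact`) and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory export; the column names are assumptions,
# not an Endpoint Central export format.
SAMPLE_INVENTORY = """\
computer_name,domain_name,serial_number,last_contact
WS-FIN-014,corp.example,SN-7731A,2024-05-02
ws-fin-014,CORP.EXAMPLE,SN-9920C,2024-05-03
WS-HR-002,corp.example,SN-1188B,2024-05-03
WS-HR-002,corp.example,SN-1188B,2024-05-04
KIOSK-01,branch.example,SN-4410D,2024-05-01
KIOSK-01,corp.example,SN-4411E,2024-05-01
"""


def identity_key(row):
    """Normalise name and domain; host and domain names compare case-insensitively."""
    name = row["computer_name"].strip().lower()
    domain = row["domain_name"].strip().rstrip(".").lower()
    return name, domain


def find_duplicate_identities(csv_text):
    """Return {(name, domain): sorted serials} for pairs claimed by more than one device."""
    serials = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = row["serial_number"].strip().upper()
        if serial:  # rows without a hardware identifier cannot be told apart
            serials[identity_key(row)].add(serial)
    # The same device listed twice (one serial) is not a duplicate identity.
    return {key: sorted(found) for key, found in serials.items() if len(found) > 1}


if __name__ == "__main__":
    for (name, domain), found in find_duplicate_identities(SAMPLE_INVENTORY).items():
        print(f"{name}.{domain}: {len(found)} devices -> {', '.join(found)}")
```

Pairs reported here are candidates for renaming before the affected computers are re-approved; a name that repeats with the same serial number, or in a different domain, is not reported.
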
Once a computer matches these criteria, it moves to the Re-Approval section, visible under `Agent > Computers > Computers for Approval` with **Re-Approve** selected as the Approval Type filter.

**Tip:** If none of the above scenarios apply, collect the affected agent logs and server logs and contact [Endpoint Central Support](https://www.manageengine.com/products/desktop-central/support.html) for further investigation.

## Distribution Server (DS) Approval

### Understanding Distribution Server Approval and Re-Approval

DS Approval is introduced to enhance the security of **Distribution Server (DS) onboarding**. When a new Distribution Server is installed in a remote office, it enters a **"Waiting for Approval"** state before it can begin serving agents. The administrator must review and either approve or decline the Distribution Server from the console.

- If **approved**, the Distribution Server starts functioning normally and manages agents in its remote office.
- If **declined**, the Distribution Server is **automatically uninstalled**.

**Note:** DS Approval is available from build **11.5.2613.01** onwards.

**Note:** Distribution Servers that are installed via the console bypass the initial "Waiting for Approval" queue — they become active as soon as installation completes. However, they are not exempt from the re-approval mechanism. If the server detects an anomaly on a push-installed Distribution Server after activation, it will be moved to the "Waiting for Approval" state just like any other Distribution Server.

### Importance of Distribution Server Approval

Without an approval gate, a misconfigured machine could be registered as a Distribution Server and gain the ability to serve policies and patches to managed endpoints. The approval step ensures every Distribution Server is intentionally added by a verified administrator before it has any authority over managed devices.

### DS Approval Flow

1. Distribution Server Installed
2. Waiting for Approval
3. Admin Approves → Distribution Server Active
4. Admin Declines → Distribution Server Auto-Uninstalled

#### Steps to Approve or Decline a DS

1. Open the Endpoint Central console and navigate to `Agent > Remote Offices`.
2. Under the Remote Office view, locate the Distribution Server in the **Awaiting Approval** state under the corresponding remarks status.
3. Review the DS details (name, IP address, remote office).
4. Click **Approve** to allow the Distribution Server to start functioning, or **Decline** to trigger automatic uninstallation.

![approve DS](https://www.manageengine.com/products/desktop-central/how-to/images/approval-2.png)

### DS Re-Approval

If the central server detects any anomaly in a currently active Distribution Server — such as unexpected configuration changes, communication irregularities, or integrity failures — it automatically moves the Distribution Server back to the **"Waiting for Approval"** state. The Distribution Server ceases to function until the administrator reviews and acts on it.

- If **re-approved**, the Distribution Server resumes its normal operation.
- If **declined**, the Distribution Server is automatically uninstalled.

## Notifications

You can configure Endpoint Central to notify administrators and technicians on a **daily basis** about any computers or Distribution Servers that are waiting for approval. Notifications are delivered via:

- The **email address** associated with the admin/technician account
- The Endpoint Central **mobile app**

To configure notifications, navigate to `Agent > SoM Settings > Approval Settings > Notification` and enable the appropriate options for computers and/or Distribution Servers.