Question

EPM Management Rules

  • April 15, 2026
  • 7 replies
  • 69 views

Forum|alt.badge.img+1

Does anyone know if it is possible to include multiple domains in a management rule filter? For example, we need to set up rules to move multiple domains to single computer groups after a certain length of time. Currently, I have over 20 management rules in place to do this; however, I would like to cut that down if possible.

Forum|alt.badge.img+4

Hi Chris.

Unfortunately it is a match all criteria option.

Think of using the API for this option, I have had success doing that.

https://instance-services.pm.beyondtrustcloud.com/management-api/swagger/index.html?urls.primaryName=v3

Kind regards
Jens


Forum|alt.badge.img+1
  • Author
  • Rising Star
  • April 15, 2026

Thanks Jens, I thought that was the case. It might be worth submitting an Idea for the unique environment we have. It’s either that or hope we can get a server with API access opened to the console to ensure it gets run every day on an ‘always on’ connection.


Forum|alt.badge.img+4

Can you export the list of computers you need to move from somewhere? Then it’s a fairly simple task.

I use a webapp I have created for the purpose.
 

 


Forum|alt.badge.img+1
  • Author
  • Rising Star
  • April 16, 2026

Unfortunately, this would need to be 100% automated as our teams build quite a lot of servers daily. We need to be able to automate moving at a specific 60 day mark. This would require our multiple build teams to communicate all servers they have built with us.


Forum|alt.badge.img+4

You can do the same with PowerShell, and run it as a scheduled task or an Audit Rule in the build process that gets triggered after 60 days.

I like the latter as you have that in policy, and it does not expose the script.

What is the use-case for this?

# add your instance name and destination GroupID for $GroupID
#region PMC Authentication
# Global Variables

$ClientID = "ClientID"
$ClientSecret = "ClientSecret"

# Construct Urls for calls
$PMC = "https://Instance-services.pm.beyondtrustcloud.com"
$APIUrl = "$PMC/management-api/v3"
$GetPolicyUrl = "$APIUrl"+"/Policies"
$GetGroupsUrl = "$APIUrl"+"/Groups"
$GetComputersUrl = "$APIUrl"+"/Computers?Filter.Host="
$SingleHost = "&Filter.LastConnected.SelectionMode=Single&Filter.Created.SelectionMode=Single"

# Add System.Web for HttpUtility
Add-Type -AssemblyName System.Web

# Ensure $ClientID and $ClientSecret are URL-encoded
$client_idEncoded = [System.Web.HttpUtility]::UrlEncode($ClientID)
$client_secretEncoded = [System.Web.HttpUtility]::UrlEncode($ClientSecret)

# Construct the OAuth token URI
$oauthTokenUri = "$PMC/oauth/connect/token"
#Write-Output "Attempting to get a token from the endpoint at $oauthTokenUri"

# Construct the request body
$getTokenRequestBody = "grant_type=client_credentials&client_id=$client_idEncoded&client_secret=$client_secretEncoded"
$formUrlEncodedContentType = "application/x-www-form-urlencoded"

try {
    # Attempt to get the access token
    $getTokenResponse = Invoke-RestMethod -Uri $oauthTokenUri -Body $getTokenRequestBody -ContentType $formUrlEncodedContentType -Method Post
    $BearerToken = $getTokenResponse.access_token
    #Write-Host "Access token retrieved successfully."
}
catch {
    #Write-Host "Failed to get an access token. Error message: $($_.Exception.Message)"
    exit 1 # You can exit the script or handle the error as needed.
}

# Use the access token in your API requests
$Headers = @{
    Authorization = "Bearer $BearerToken"
}
#endregion Authentication complete

# Add your Auth above and destination GroupID for $GroupID

#Get computer Hostname for use
$Hostname = $env:COMPUTERNAME

# Get client computers and IDs
$Computer = Invoke-RestMethod -Uri "$GetComputersUrl$Hostname$SingleHost" -Headers $Headers -Method Get

# Extract relevant data from the API response
$ComputerList = $Computer.data | ForEach-Object {
    [PSCustomObject]@{
        'Hostname' = $_.host
        'Current GroupName' = $_.groupName
        'Computer Id' = $_.id
        'Current GroupID' = $_.groupId
    }
}

# Build URI for POST request
$GroupID = "Destination Group ID"
$PostCompGroupUri = "$APIUrl"+"/Groups/$GroupID/AssignComputers"

# Build JSON for each selected computer
$JsonObjects = $ComputerList | ForEach-Object {
    [PSCustomObject]@{
        'computerIds' = @($_.'Computer Id')
    } | ConvertTo-Json
}

# Send POST request with JSON data
$JsonObjects | ForEach-Object {
    #Write-Output "Sending POST request to $PostCompGroupUri with body: $_"
    try {
        $response = Invoke-RestMethod -Uri $PostCompGroupUri -Headers $Headers -Method Post -Body $_ -ContentType "application/json"
    }
    catch {
        #Write-Output "Error: $_"
    }
}
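
An added example, not part of the post above and not BeyondTrust code: one central daily job that covers many domains with a single domain-to-group map, reads the API secret from a DPAPI-protected credential file instead of the script body, and sends one AssignComputers call per destination group. The `domain` and `created` response fields, the `Pagination.*` parameters and the page size are assumptions to check in the Swagger page linked earlier; the domain names, group IDs and file path are placeholders.

```powershell
# ASSUMPTIONS to confirm in Swagger: response fields 'domain' and 'created',
# and the Pagination.PageNumber / Pagination.PageSize query parameters.
$PMC      = "https://Instance-services.pm.beyondtrustcloud.com"
$APIUrl   = "$PMC/management-api/v3"
$PageSize = 200                       # assumed to be an accepted page size
$Cutoff   = (Get-Date).AddDays(-60)

# Constructed sample map: several domains may share one destination group.
$DomainToGroup = @{
    'corp.example.com' = 'Destination Group ID A'
    'lab.example.com'  = 'Destination Group ID A'
    'dmz.example.com'  = 'Destination Group ID B'
}

# Client ID/secret saved once by the service account (DPAPI-protected) with:
#   Get-Credential | Export-Clixml 'C:\Secure\pmc-api.xml'   # hypothetical path
$Cred  = Import-Clixml -Path 'C:\Secure\pmc-api.xml'
$Token = Invoke-RestMethod -Uri "$PMC/oauth/connect/token" -Method Post -Body @{
    grant_type    = 'client_credentials'
    client_id     = $Cred.UserName
    client_secret = $Cred.GetNetworkCredential().Password
}
$Headers = @{ Authorization = "Bearer $($Token.access_token)" }

# Read every computer, one page at a time; stop at the first short page.
$All = @(); $Page = 1
do {
    $Uri  = "$APIUrl/Computers?Pagination.PageNumber=$Page&Pagination.PageSize=$PageSize"
    $Resp = Invoke-RestMethod -Uri $Uri -Headers $Headers -Method Get
    $All += $Resp.data
    $Page++
} while (@($Resp.data).Count -eq $PageSize)

# Keep computers in a mapped domain, older than 60 days, not yet in the target group.
$Moves = $All | Where-Object {
    $DomainToGroup.ContainsKey([string]$_.domain) -and
    ([datetime]$_.created) -le $Cutoff -and
    $_.groupId -ne $DomainToGroup[[string]$_.domain]
} | Group-Object { $DomainToGroup[[string]$_.domain] }

# One AssignComputers call per destination group, with all IDs in the array.
foreach ($g in $Moves) {
    $Body = @{ computerIds = @($g.Group.id) } | ConvertTo-Json
    try {
        Invoke-RestMethod -Uri "$APIUrl/Groups/$($g.Name)/AssignComputers" -Headers $Headers `
            -Method Post -Body $Body -ContentType 'application/json' | Out-Null
        Write-Output "Moved $($g.Count) computer(s) to group $($g.Name)"
    } catch { Write-Warning "Assign to $($g.Name) failed: $($_.Exception.Message)" }
}
```

The credential file can only be decrypted by the Windows account that created it on that machine, so create it while signed in as the account the scheduled task runs under.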

 


Forum|alt.badge.img+1
  • Author
  • Rising Star
  • April 23, 2026

@Jens Hansen we have 200+ domains where each one would have to be scripted, many of them point to the same policy but we need a way to set that and management rules are easier than scheduled tasks.


Forum|alt.badge.img+4

I agree. Feature request unfortunately. 
https://beyondtrust-public.ideas.aha.io

KR Jens