ManageEngine Endpoint (Desktop) Central and Patch Manager Plus

ManageEngine Endpoint (Desktop) Central and Patch Manager Plus is a desktop management and mobile device management software for managing desktops in LAN and across WAN and mobile devices from a central location, including automated patch deployment for Windows, macOS and Linux endpoints.

Types of Assets Fetched

This adapter fetches the following types of assets:

• Devices
  
  

Parameters

1. Domain (required) - The hostname or IP address of the ManageEngine Endpoint Central or Patch Manager server.
   For cloud Endpoint/Desktop Central use: desktopcentral.manageengine.com
   For cloud Patch Mananger Plus use: patch.manageengine.com
2. Port (required, default: 8020) - The port Axonius will use to communicate with the server (for cloud use 443).
3. User Name and Password - The credentials for a user account that has permissions to fetch assets. For details, see Authentication and Authorization for On-Prem Instances.

5. User Name Domain (optional, default: empty) - The AD domain. Use this option if you are using the AD authentication method.
6. Domain Authorization Token (optional, default: empty) - Token to access the AD domain.
7. Fetch Desktop Central Data - Select this parameter to fetch desktop central data. If you do not select this option, only patch data is fetched (patch data is available from both products).
8. MFA QR Code (optional, default: empty) - If MFA is enabled using Google Authenticator, save the QR code received as a PNG file and upload it.
   • If supplied, the connection for this adapter will use the uploaded file to authenticate the specified User Name and Password.
   • If not supplied, the connection for this adapter will not add any additional authentication to the specified User Name and Password.
9. OAuth Client ID, OAuth Client Secret and OAuth Refresh Token - parameters for OAuth authentication, used in the cloud version of ManageEngine Endpoint Central and Patch Manager Plus. Refer to APIs for information on how to generate them.
10. OAuth Zoho Accounts URL (default: https://accounts.zoho.com) - The account URL for your Zoho account. Refer to Refresh Access Tokens for information on how to obtain the account URL.

12. MSP Customer ID - Customer ID to fetch information for, when connecting to Endpoint Central MSP. Only use this when connecting to Endpoint Central MSP, otherwise leave empty.

13. Verify SSL - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.

14. HTTP Proxy and HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.

15. To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
    
    

Advanced Settings

1. Include Only Devices with Last Seen value - Select whether to only fetch devices which have a last seen value. Devices which do not have a value for last seen are not fetched.
2. Only fetch devices from the following types - Enter a comma separated list of configured device_type values. Devices will only be fetched if they have the device_type values listed.

Connecting the Adapter

When your license is for Patch Manager plus

• Set the domain to https://patch.manageengine.com
• Set the port to 443

Note that the inventory is not fetched in this case.

APIs

Axonius uses the ManageEngine Desktop Central REST API.

Configuring OAuth Authentication and Authorization

This adapter supports OAuth Authentication to connect to the Cloud Instance

Generating the OAuth Client ID, OAuth Client Secret and OAuth Refresh Token

To use OAuth Authentication you need to generate the OAuth Client ID, OAuth Client Secret and OAuth Refresh Token. To generate them:

1. Go to the Zoho API Console: https://api-console.zoho.com/
2. Click 'Add client', choose 'Self Client' and click 'Create' (if a popup asks you to confirm, click “OK“).
3. On the API Console main page, click on the 'Self Client' application
4. In the tab 'Generate Code', enter the following details, and click 'Create':
   • Scope:
   • Desktop/Endpoint Central Scopes "DesktopCentralCloud.Common.READ,DesktopCentralCloud.SOM.READ,DesktopCentralCloud.Inventory.READ,DesktopCentralCloud.PatchMgmt.READ,DesktopCentralCloud.restapi.READ,DesktopCentralCloud.SOM.UPDATE,DesktopCentralCloud.Inventory.UPDATE,DesktopCentralCloud.PatchMgmt.UPDATE"
   • Patch Manager Plus Scopes
   • "PatchManagerPlusCloud.Common.READ,PatchManagerPlusCloud.PatchMgmt.READ,PatchManagerPlusCloud.SOM.READ,PatchManagerPlusCloud.restapi.READ,PatchManagerPlusCloud.PatchMgmt.UPDATE,PatchManagerPlusCloud.SOM.UPDATE"

• Time Duration: “10 minutes”
• Scope Description: free text (could be anything)

5. A popup “Generated Code“ opens, click copy, and paste the code in a temporary file.
6. In the tab “Client Secret“, copy “Client ID“ and “Client Secret“ to a temporary file
7. Enter the values you’ve copied to the following command:

curl -X POST "https://accounts.zoho.com/oauth/v2/token?grant_type=authorization_code&redirect_uri=http://localhost/callback&code=<code>&client_id=<client_id>&client_secret=<client_secret>"

8. Execute the command on a linux machine (or windows with curl)
9. From the response of the command, copy the value of “refresh_token“ (might start with “1000.“), and save it to a temporary file.

Using OAuth Authentication

1. In Axonius, add a new connection in the ManageEngine Desktop Central/Patch Manager adapter, and fill the following details:
   • Domain - the domain of Desktop Central/Patch Manager (for cloud - use desktopcentral.manageengine.com).
   • Port - the port of the domain (for cloud - 443)
   • OAuth Client ID, OAuth Client Secret, OAuth Refresh Token - the values you copied to a temporary file
   • OAuth Zoho Accounts URL - The relevant url for your Zoho account, from Refresh Access Tokens - APIs

Axonius will now fetch devices from Desktop Central/Patch Manager using OAuth.

Authentication and Authorization for On-Prem Instances

You need to generate a password and then add permissions:

To generate a password:

1. From Desktop Central's web console, navigate to Admin -> API Explorer.
2. On the left pane, click Authentication -> Login.
3. Choose the authentication type as either Local authentication or AD authentication and furnish the user name and password.
4. Upon execution, you will obtain a password along with the auth token.

Use that password in the Password field.
If you have selected the AD authentication, specify the domain in the User Name Domain field.

Editing Permissions
To edit permissions for an existing role in ManageEngine Endpoint Central On-prem, follow the steps given below:

1. Log in to the ManageEngine Endpoint Central On-prem console using your admin credentials.
2. Click on the “Admin” tab and select “Roles” from the left-hand side menu.
3. Locate the role you want to edit from the list of roles, and click on the role name to open the role details page.
4. On the role details page, you will see a list of permissions assigned to that role. To edit the permissions, click on the “Edit” button located at the top right corner of the page.
5. In the “Edit Role” page, you can add or remove permissions by selecting or deselecting the checkboxes for each permission.
6. To grant permissions for REST API, click on the “API Access” tab and select the appropriate REST API methods you want to allow for this role.
7. Grant the following permissions: SOM, Report, Inventory, Software Deployment, Patch Management.
8. Once you have made the necessary changes, click Update to save the updated role.

Version Matrix

This adapter was only tested with the versions marked as supported, but may work with other versions. Contact Axonius Support if you have a version that is not listed, which is not functioning as expected.

Supported From Version

Supported from Axonius version 4.4