
Creating Endpoint Groups

When applying security policies to multiple Infoblox Endpoint devices, you can make the process more efficient by organizing the endpoint devices into Infoblox Endpoint groups and then adding the groups to the network scope when you create a security policy. Note that Infoblox Endpoint comes with a default endpoint group called All Infoblox Endpoints (default) that is associated with the default global policy. You can assign an endpoint to an existing custom endpoint group at the time of its installation, thus bypassing its default assignment to the All Infoblox Endpoints group. Infoblox Endpoint can authenticate access by using a third-party identity provider (IdP) to enforce security policies within an endpoint group. You cannot modify or remove the default endpoint group. An endpoint group can have up to 250,000 endpoints assigned to it.

An endpoint can be assigned to an existing custom endpoint group rather than being assigned to the default endpoint group at the time it is installed. Metadata indicating the name of the custom endpoint group to which the newly installed endpoint has been assigned can be viewed in the endpoint service logs.

To create Infoblox Endpoint groups, complete the following:

  1. From the Infoblox Portal, click Configure > Security > Endpoints.
  2. On the Endpoints page, select the Endpoint Groups tab, and then click the Create button.
  3. On the Create Endpoint Group page, complete the following:
    • Endpoint Group Name (required): Enter a name for the Infoblox Endpoint group. Ensure that you enter a unique name for each endpoint group.
    • Description: Enter a brief description about the group.
    • Associated Policy: This field displays the associated security policy when you add the group to a policy. It shows Default Global Policy by default.
    • State: The endpoint group state is set to disabled by default. Toggle the switch to the right to enable the endpoints.
    • Log Level: Select the level of logging. The default logging level is Info. For information on Infoblox Endpoint system logging, see Endpoint System Logging.
    • Automatically remove endpoints after a period of inactivity: To automatically remove endpoints due to inactivity, enter a value from 15 to 180. If you specify no value, a value between 1 and 29, or a value greater than 180, an error message will ask you to specify a different value. You can adjust the value any time after the group is created. If you specify 0, automatic removal is disabled. The Infoblox Platform service monitors the status of inactive endpoints during the configurable period of time (from 15 to 180 days) and then removes the remaining inactive endpoints.
    • Tags: In the Tags section, complete the following:
      • Click Add to open the KEY/VALUE panel to assign a tag or tags to an endpoint group. To remove a tag from an endpoint group, select the checkbox located to the left of the tag entry, then click Remove.
      • In the editable field, add a key and a value.
      • Click Save & Close to save your configuration.
    • Authentication Settings:
      • Session TTL: Specify the period of time the IdP session is to persist. The default is 8 hours. After the IdP session disconnects, the connection must be re-established manually.
      • Authentication Server Port: Specify the server port that will be used to authenticate the endpoint group. The default TCP port is 9094. This is the third-party IdP port number.
      • Authentication Profile: Click Select Authentication Profile to enable authentication. Select an authentication profile from the list of profiles available for use with the endpoint group. The available authentication protocols are SAML and OpenID Connect. For more information, see Adding an Authentication Profile to an Endpoint Group to Enforce a Security Policy.
    • Internal Domains List:
      • To add an internal domains list to an Endpoint Group, complete the following:
        • Click the Add button to call up the list of available internal domains.
        • From the Select List under the NAME column, choose an internal domains list to add it to the endpoint group.
        • For information on using internal domains lists with an endpoint group, see Adding Internal Domains to an Endpoint Group.
    • Bypass Mode: By enabling Infoblox Endpoint bypass mode for an Infoblox Endpoint group, you can define your own domain and response for the On-Prem DNS service protected by DNS Firewall. For information on enabling bypass mode, see BloxOne Endpoint Bypass Mode. To enable Bypass Mode for an endpoint group, complete the following:
      • State: Toggle the State switch to Enable from the default disabled state to enable bypass mode for the endpoint group.
      • Internal Domains List: Click Add to select an internal domains list from the Select List options.
      • FQDN: Use the default FQDN or a custom FQDN.
      • TXT Record: Use the default TXT Record or a custom TXT record by clicking Generate random TXT record.
    • Management Passwords: By enabling Infoblox Management Passwords for an Infoblox Endpoint group, you can protect Endpoints that are part of the group from being uninstalled, stopped, or disabled by anyone who does not have the management password on the local machine. To enable password management for an endpoint group, complete the following:

      • State: Toggle the State switch to Enable from the default disabled state to enable password management for the endpoint group.

      • Management Password: Enter a management password, or click Generate random password to use a system-generated password. In all cases, remember to save the password elsewhere, because once the password is saved it cannot be viewed in the Infoblox Portal again. The management password must contain a minimum of 8 characters, including one uppercase letter, one lowercase letter, one numeral, and one special character. Note that the management password is required to disable or stop the Infoblox Endpoint service or to uninstall Infoblox Endpoint.

        • To reset a password, disable password management by toggling the State switch to the disabled position and save the configuration. Now you can go in and apply a new management password and resave the configuration.

    • Schedule Updates: You can update endpoint groups automatically or defer updates from 0 to 28 days. Deferring can be useful when you want to validate the release of a new endpoint on a few devices prior to updating the endpoint for all users on your network. To schedule an update, specify the following:
      • Automatic Updates: Select this option to have updates installed automatically.
      • Schedule Updates: Select this option to manually choose the day, time, and duration for updates.
        • Day & Time: Schedule a day and time for updates. 
        • Duration: Specify the period of time the system will attempt to perform an update. Select 4 to 10 hours, in one-hour increments.
      • Defer Updates: Updates can be deferred for a maximum of 28 days, with the flexibility to choose a specific day of the week and time for deployment, regardless of the original scheduled release date. Because you can defer upgrades for up to 28 days and select a day and time, the deferred update schedule does not have to be adjusted in the Infoblox Portal in anticipation of each new Infoblox Endpoint update release. Scheduled deferred updates are performed based on the time zone where the local endpoint resides. For information, see Scheduling Endpoint Group Updates.
        To defer updates, perform the following:

        • Always defer upgrades for: From the list of options, select a deferment period. You can select a period of 1 day to 28 days, with a maximum deferment period of 28 days.
        • Days of the week to perform upgrades: Select the day or days of the week on which upgrades are to be performed, or select All to perform upgrades on any day of the week.
        • Choose local endpoint time zone and duration:
          1. Select the time of day at which the upgrades are to commence.
          2. Select the duration period (in hours) during which updates are to be performed.

    • PoP Settings: To improve performance, select a preferred Point of Presence (PoP) according to the region. You can select a PoP manually or have it selected automatically. To select a PoP manually, set the Auto Selection toggle switch to the OFF position, and then select a preferred PoP from the Point of Presence drop-down list. To have a PoP selected automatically, set the switch to the ON position. Auto Selection is set to ON by default.

    • Mobile Endpoint Domains: One or more domains must be added to an endpoint group if Infoblox Mobile Endpoint is deployed using a QR code. After scanning the QR code, the user is prompted to enter an email address for validation. The domain portion of the user's email address is matched against the domains configured in Mobile Endpoint Domains. If it matches, validation succeeds; if it does not match, validation fails.
      For information, see Deployment of MDM-less Mobile Endpoint Using QR Code.
      To add a mobile endpoint domain to an endpoint group, perform the following:
      • Click Add to add the following information:
        • Domain: Add the name or names of the desired mobile domain(s).
        • Description: Provide a description for the added mobile domain(s).
      • Search: Copy and paste the name of a mobile endpoint domain into the search field to verify that it has been added to the list or to view its description.

  4. Click Save to save the current configuration and proceed to the next configuration screen, or click Save & Close to complete the endpoint group creation process.
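Because a saved management password cannot be viewed in the Infoblox Portal again, it is worth checking a candidate password against the stated policy (at least 8 characters with one uppercase letter, one lowercase letter, one numeral and one special character) before you save it, and generating it with a cryptographically secure random source if you are not using the portal's Generate random password button. The following Python is an added example written for this page; it is not Infoblox code, and the assumption that "special character" means ASCII punctuation is ours.

```python
import secrets
import string

# Policy as stated on the page: minimum 8 characters, at least one uppercase letter,
# one lowercase letter, one numeral and one special character.
MIN_LENGTH = 8
SPECIAL_CHARS = string.punctuation  # assumption: "special character" means ASCII punctuation


def check_management_password(password: str) -> list[str]:
    """Return the policy rules the candidate password violates (empty list if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no numeral")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def generate_management_password(length: int = 16) -> str:
    """Generate a password that satisfies the policy using the OS CSPRNG (secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIAL_CHARS]
    # One guaranteed character from each required class ...
    chars = [secrets.choice(cls) for cls in classes]
    # ... and the remainder drawn from the union of all classes.
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # CSPRNG-driven Fisher-Yates shuffle so the guaranteed characters do not always come first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    candidate = "password"  # constructed weak example
    print(candidate, "->", check_management_password(candidate) or "ok")
    generated = generate_management_password()
    print(generated, "->", check_management_password(generated) or "ok")
```

Store whatever value you save in the portal in your password vault or secrets manager at the same time; the group's endpoints cannot be stopped, disabled or uninstalled without it.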

For information on moving an Infoblox Endpoint to an endpoint group, see Moving a BloxOne Endpoint to an Endpoint Group.
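To make the Defer Updates settings above concrete, here is an added Python example (not Infoblox code) that combines the deferment period, the permitted days of the week, the local start time and the duration into the first maintenance window an endpoint would use. The scheduler semantics are an assumption: the endpoint may not install before the release time plus the deferment period, and it then waits for the first permitted weekday whose window start, in the endpoint's own time zone, has not already passed. The `zoneinfo` lookup in the demo at the bottom needs the system time zone database.

```python
from datetime import datetime, time, timedelta, timezone, tzinfo

WEEKDAY_INDEX = {"Mon": 0, "Tue": 1, "Wed": 2, "Thu": 3, "Fri": 4, "Sat": 5, "Sun": 6}


def next_update_window(release_utc: datetime, defer_days: int, upgrade_days,
                       start_time: time, duration_hours: int, endpoint_tz: tzinfo):
    """Return (window_start, window_end) as aware datetimes in the endpoint's local zone.

    release_utc    - when the new endpoint release became available (timezone-aware)
    defer_days     - "Always defer upgrades for", 0 to 28 days as on the page
    upgrade_days   - "All" or a list of day names such as ["Tue", "Thu"]
    start_time     - local time of day at which upgrades may commence
    duration_hours - length of the window in hours
    endpoint_tz    - the endpoint's local time zone (assumption: windows follow it)
    """
    if release_utc.tzinfo is None:
        raise ValueError("release_utc must be timezone-aware")
    if not 0 <= defer_days <= 28:
        raise ValueError("deferment period must be between 0 and 28 days")
    if duration_hours <= 0:
        raise ValueError("duration must be positive")
    allowed = set(range(7)) if upgrade_days == "All" else {WEEKDAY_INDEX[d] for d in upgrade_days}
    if not allowed:
        raise ValueError("at least one upgrade day is required")

    # Earliest moment the endpoint may install, expressed in its own local time.
    earliest_local = (release_utc + timedelta(days=defer_days)).astimezone(endpoint_tz)

    # At most seven further days are needed to reach a permitted weekday, so eight
    # candidates (today plus the next seven days) always contain the answer.
    for offset in range(8):
        day = earliest_local.date() + timedelta(days=offset)
        if day.weekday() not in allowed:
            continue
        window_start = datetime.combine(day, start_time, tzinfo=endpoint_tz)
        if window_start >= earliest_local:  # skip a window that has already begun today
            return window_start, window_start + timedelta(hours=duration_hours)
    raise RuntimeError("unreachable: a permitted weekday exists within 8 days")


if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # requires the system tz database

    # Constructed example: release on Friday 2024-03-01 12:00 UTC, deferred 7 days,
    # upgrades allowed on Tuesdays and Thursdays at 02:00 local for 4 hours.
    release = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    start, end = next_update_window(release, 7, ["Tue", "Thu"], time(2, 0), 4,
                                    ZoneInfo("America/New_York"))
    print("window:", start.isoformat(), "to", end.isoformat())
```

Running this with the constructed inputs shows the deferral pushing the earliest install date to Friday 8 March and the weekday filter then moving it to the Tuesday 12 March window; an endpoint in a different time zone would compute its own window from the same group settings.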

To view additional information on endpoint groups, see the following: