Workflow: Device restart enforcement

Overview

Devices need to be restarted occasionally to keep them working in a healthy state. The general advice is for users to turn off their devices at the end of the day, but many simply put them to sleep or do not perform a proper shutdown, which leaves the system in memory.

In addition, in many cases patches are not properly installed until the device has been restarted, so it is important to identify these devices and ensure they get restarted.

In many cases, restarting devices is a sensitive topic between IT and the user base, so this workflow offers them some opportunities to perform the restart themselves before an automatic restart is triggered.

Changelog

V1.0.0.0 - Initial Release

Dependencies

The following content must be installed for the workflow to function properly.

Remote actions

  • Restart macOS device

  • Restart Windows device

Campaigns

  • Restart device - Invoke

  • Restart device after delay - Invoke

  • Restart device - workflow Invoke

  • Restart device - last call - workflow Invoke

Configuration

Remote action configuration

The following remote actions must be configured with an API trigger. The API trigger can be combined with other execution triggers if the remote action is also used outside of a workflow.

  • Restart macOS device

  • Restart Windows device

These remote actions come with two associated campaigns that must be published before use:

  • Restart device - Invoke

  • Restart device after delay - Invoke

For more information, please refer to the remote action and workflow remote action thinklet documentation.

Campaign configuration

The workflow comes with two associated campaigns that must be published before use:

  • Restart device - Workflow Invoke

  • Restart device - Last call - Workflow Invoke

For more information, please refer to the campaign and workflow campaign thinklet documentation.

Trigger configuration for the workflow

The workflow has been designed primarily to be run manually. For example, you can run an investigation that queries for non-server devices that have not been restarted for more than one week by using the NQL query below:

Code
devices during past 7d
| where operating_system.name !in ["*server*"]
| where boot.days_since_last_full_boot > 7

Alternatively, you could also set a schedule for the workflow to be automatically triggered, as shown below:

Note: Once all the prerequisites and workflow are installed and configured, you can use the built-in validation feature that runs every time you save the workflow.

Workflow Structure

This section describes the key steps in this workflow:

  1. The workflow checks if the target device has restarted within the last day. If yes, the workflow terminates; if not, the workflow continues.

  2. The workflow launches a campaign prompting users to restart their device now or to delay the restart.

  3. The device is restarted within one minute if ‘Restart now’ is selected; otherwise, the restart is delayed by 60 minutes or 24 hours, depending on the option selected.

  4. Following the delay period, the workflow checks to see if a restart has occurred; if not, the steps highlighted below are repeated twice.

  5. Lastly, the workflow gives the user ample time to restart their device at a time of their choosing. If the user has not restarted by the end of the workflow, a warning campaign is launched before the remote action(s) Restart macOS / Windows device automatically executes on their device.

    For more information, please refer to the workflow documentation.
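
The escalation sequence in the steps above, modeled as an added example (not part of the original page or of the product's workflow definition) so the longest time a device can remain unrestarted can be calculated. Assumptions: the prompt is shown at most three times (the first prompt plus the two repeats), a 24-hour window stands in for the unspecified "ample time", an unanswered prompt counts as the longest delay, and all function and event names are hypothetical.

```python
from datetime import timedelta

# Delay options offered by the prompt campaign (values from the page).
DELAYS = {"delay_60m": timedelta(minutes=60), "delay_24h": timedelta(hours=24)}
RESTART_NOW_LAG = timedelta(minutes=1)   # "within one minute" on the page
RECENT_BOOT = timedelta(days=1)          # step 1 threshold on the page
MAX_PROMPTS = 3                          # assumption: first prompt + two repeats
FINAL_WINDOW = timedelta(hours=24)       # assumption: page only says "ample time"


def simulate(since_boot, choices, user_restart_at=None):
    """Return [(offset_from_start, event)] for one device.

    since_boot      -- time since the last full boot when the workflow starts
    choices         -- the user's answer to each prompt, in order
    user_restart_at -- offset at which the user restarts on their own, if ever
    """
    if since_boot <= RECENT_BOOT:
        return [(timedelta(0), "terminate: restarted within last day")]

    def restarted_by(t):
        return user_restart_at is not None and user_restart_at <= t

    # Assumption: an unanswered prompt is modeled as the longest delay.
    answers = (list(choices) + ["delay_24h"] * MAX_PROMPTS)[:MAX_PROMPTS]
    events, now = [], timedelta(0)
    for choice in answers:
        events.append((now, f"prompt: {choice}"))
        if choice == "restart_now":
            events.append((now + RESTART_NOW_LAG, "restart"))
            return events
        now += DELAYS[choice]
        # Step 4: after the delay, check whether a restart has occurred.
        if restarted_by(now):
            events.append((now, "terminate: user restarted"))
            return events

    # Step 5: final window, then warning campaign and automatic restart.
    now += FINAL_WINDOW
    if restarted_by(now):
        events.append((now, "terminate: user restarted"))
    else:
        events.append((now, "last-call warning campaign"))
        events.append((now, "forced restart via remote action"))
    return events


def worst_case_exposure():
    """Longest time a device can stay unrestarted once the workflow starts."""
    return simulate(timedelta(days=8), ["delay_24h"] * MAX_PROMPTS)[-1][0]
```

Under these assumptions the worst case is four days from workflow start to the automatic restart, which is the figure to compare against a patch-installation deadline.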
