Discovery mode

Discovery mode is a time-bounded "audit only" override on an endpoint group. While it's active, the API rewrites every rule's action to audit server-side, so the agents in that group see a policy where nothing blocks. Events still flow to the dashboard, so you can see what would have been blocked.

Why it exists

Block-by-default is the right default. But before you turn it on for a group of 200 machines, you want a few weeks of "what's actually plugged in here?" data. Discovery mode is that.

How to enable

From Endpoint groups, open the group's detail page and toggle "Discovery mode" on with a window (default 14 days). Turn the toggle off (or set the until-date to the past) to switch the group into enforcement.

What changes

  • Agents in the group receive a policy where every rule's action is audit.
  • The agents log events as audit and don't disable any device.
  • The dashboard's events page shows what would have been blocked.
  • Other endpoint groups in the same tenant are unaffected.

End of window

When the discovery window ends (or you toggle it off explicitly), the etag changes, the agents pick up the real policy on their next poll, and enforcement kicks in. No manual push needed.
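
The override and the end-of-window behaviour described above, modelled as an added example (this is not PermitUSB's own code). The field names `discovery_until`, `match` and `action`, the helper names, and deriving the etag from a hash of the rendered rules are all assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def effective_policy(group, now):
    """Return (rules, etag) as an agent in this group would receive them."""
    until = group.get("discovery_until")
    discovery = until is not None and now < until
    # While the window is open, every rule's action is rewritten to "audit".
    # The stored rules are copied, never modified.
    rules = [{**r, "action": "audit"} if discovery else dict(r)
             for r in group["rules"]]
    # Assumption: the etag is a hash of the *rendered* rules, so it changes
    # when the window ends even though the stored rules did not.
    body = json.dumps(rules, sort_keys=True).encode()
    return rules, hashlib.sha256(body).hexdigest()[:16]


def agent_poll(group, now, cached_etag):
    """Model one agent poll: (None, etag) means 'not modified'."""
    rules, etag = effective_policy(group, now)
    return (None, etag) if etag == cached_etag else (rules, etag)


# Constructed sample data: two groups in one tenant sharing the same rules.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
STORED_RULES = [
    {"match": "class:mass-storage", "action": "block"},
    {"match": "class:hid", "action": "allow"},
]
PILOT = {"rules": STORED_RULES, "discovery_until": NOW + timedelta(days=14)}
OTHER = {"rules": STORED_RULES, "discovery_until": None}

if __name__ == "__main__":
    _, etag = agent_poll(PILOT, NOW, cached_etag=None)
    for day in (13, 15):
        policy, etag = agent_poll(PILOT, NOW + timedelta(days=day), etag)
        actions = [r["action"] for r in policy] if policy else "not modified"
        print(f"day {day}: {actions}")
```

In this model an agent keeps auditing until its first poll after the window closes, so when verifying step 6 of the rollout, allow at least one poll interval before expecting block events.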

Recommended pattern

  1. Create an endpoint group for the rollout (e.g. "Engineering — pilot")
  2. Apply a starter template (Standard Office or Engineering)
  3. Set discovery mode to 14 days
  4. Deploy to the pilot machines
  5. Watch the events page; add allow rules for legitimate devices that show up
  6. End discovery mode; verify nothing legitimate gets blocked
  7. Roll out to the remaining machines in that group
Discovery mode — PermitUSB docs