[GH-ISSUE #2269] Policy Agent Exclusions Not Honored When Policy Applied to Site #3352

Closed
opened 2026-03-14 07:11:30 +03:00 by kerem · 2 comments
Owner

Originally created by @guilhermemilekalfatransportes on GitHub (Jul 30, 2025).
Original GitHub issue: https://github.com/amidaware/tacticalrmm/issues/2269

Server Info (please complete the following information):
 - OS: Ubuntu 24.04.2 LTS
 - Browser: Microsoft Edge Version 138.0.3351.109 (Official build) (64-bit)
 - RMM Version (as shown in top left of web UI): v1.2.0

Installation Method:
  - [x] Standard
  - [ ] Standard with --insecure flag at install
  - [ ] Docker

Agent Info (please complete the following information):

  - Agent version (as shown in the 'Summary' tab of the agent from web UI): Agent 2.9.1
  - Agent OS: Windows 11 Pro, 64 bit v24H2 (build 26100.3476)

Describe the bug
Policy-level agent exclusions are not honored when the policy is applied directly to a Site, causing the policy's tasks/checks to execute on agents that are explicitly marked as excluded within that policy.

To Reproduce

  1. Create a new Policy (e.g., "Software - LembretePonto").
  2. In this policy, go to "Show Policy Exclusions" and add one or more specific agents (e.g., "RH-11686") to the "Excluded Agents" list.
  3. Go to "Show Relations" for this policy.
  4. In the "Sites" tab, add a Site (e.g., "01 - CDR - Caçador/SC (Matriz)") that contains the excluded agent(s).
  5. Ensure the policy is active and has assigned checks/tasks.
  6. Observe that the policy's tasks are executed on the agent(s) listed in the "Excluded Agents" list (e.g., "RH-11686" task status shows "Synced with agent"), despite being excluded.

Expected behavior
When an agent is listed in the "Excluded Agents" for a policy, that agent should not receive or execute any tasks/checks from that policy, regardless of whether the policy is applied to "All Agents", individual agents, Clients, or Sites that the agent may belong to. The exclusion should take precedence over broader inclusions.

Screenshots

  - Image: https://github.com/user-attachments/assets/1c387466-59b3-47d5-a205-9eb6191f1be6
  - Image: https://github.com/user-attachments/assets/951e3f28-0601-452a-9a96-fccc9e24dbd6
  - Image: https://github.com/user-attachments/assets/638bd4a7-d5c7-4d54-b835-2b9456e5e4d6
  - Image: https://github.com/user-attachments/assets/2ea9fd34-ac21-4a0c-ae08-e631235e69b7
  - Image: https://github.com/user-attachments/assets/8281c6fa-8bc0-41ea-a720-70cfa0cbcb08

Additional context
Through code analysis, this behavior appears to be related to the logic in automation/models.py within the Policy model, specifically the related_agents method.

When a policy is related to a Site (via self.workstation_sites or self.server_sites), the related_agents method generates the list of target agents. The Agent.objects.filter calls within these branches (e.g., those using site_id__in or site__client__in) do not explicitly exclude agents based on excluded_agents_ids within that specific query chain. The exclude(id__in=excluded_agents_ids) logic seems primarily applied only when agents are directly associated with the policy (self.agents) or when evaluating "Default Server/Workstation Policies."

This suggests that the current implementation treats Site-level policy application as a strong inclusion that bypasses agent-specific policy exclusions. This design makes granular exclusions difficult when policies are applied broadly to organizational units (Sites/Clients).

Workaround implemented:
To achieve the desired exclusion, we had to restructure the organizational hierarchy. We created a separate Site (e.g., "01 - CDR - Caçador/SC (Matriz - Gerência)") for the agents that needed to be excluded. The policy was then removed from the original broader Site and reapplied only to the original Site (now containing only the non-manager workstations). This effectively excludes agents by explicit inclusion/exclusion of Sites, rather than relying on policy-level agent exclusions.
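The resolution logic the report describes, as an added example that is not part of the original issue and not TacticalRMM's own automation/models.py: a stand-alone Python model with constructed data, where the Agent and Policy fields and the names related_agents_buggy, related_agents_fixed and leaked_exclusions are assumptions modelled on the report. It shows the site branch re-adding an agent that the direct-agent branch had excluded, the fix of subtracting the exclusion set once over the union of all inclusion branches, and a regression check that flags any excluded agent a resolver still targets.

```python
"""
Stand-alone model of how a policy resolves to its target agents, written to
illustrate the report above. Added example with constructed data, NOT
TacticalRMM's automation/models.py: the Agent/Policy fields and the
related_agents_* functions are assumptions modelled on the report.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Agent:
    id: int
    hostname: str
    site_id: int
    monitoring_type: str  # "workstation" or "server"


@dataclass
class Policy:
    name: str
    agents: set = field(default_factory=set)             # agents related directly
    workstation_sites: set = field(default_factory=set)  # site ids (workstation policy)
    server_sites: set = field(default_factory=set)       # site ids (server policy)
    excluded_agents: set = field(default_factory=set)    # the "Excluded Agents" list


def related_agents_buggy(policy, agents):
    """Resolution as the report describes it: the exclusion is applied only in
    the direct-agent branch, so a site-level relation re-adds excluded agents."""
    targets = set()
    # Direct agent relations: exclusions honoured here ...
    targets |= {a.id for a in agents
                if a.id in policy.agents and a.id not in policy.excluded_agents}
    # ... but the site branches filter on site id alone and never exclude.
    targets |= {a.id for a in agents
                if a.monitoring_type == "workstation"
                and a.site_id in policy.workstation_sites}
    targets |= {a.id for a in agents
                if a.monitoring_type == "server"
                and a.site_id in policy.server_sites}
    return targets


def related_agents_fixed(policy, agents):
    """Collect every inclusion first, then subtract the exclusion set once, so
    no inclusion branch can bypass it (the precedence the report expects)."""
    included = {a.id for a in agents if a.id in policy.agents}
    included |= {a.id for a in agents
                 if a.monitoring_type == "workstation"
                 and a.site_id in policy.workstation_sites}
    included |= {a.id for a in agents
                 if a.monitoring_type == "server"
                 and a.site_id in policy.server_sites}
    return included - set(policy.excluded_agents)


def leaked_exclusions(policy, agents, resolver):
    """Regression check: hostnames of explicitly excluded agents that the given
    resolver would still target. An empty set means exclusions are honoured."""
    targeted = resolver(policy, agents)
    return {a.hostname for a in agents
            if a.id in policy.excluded_agents and a.id in targeted}


# Constructed sample data mirroring the report: one site containing the
# excluded workstation plus two other (made-up) machines.
SITE_MATRIZ = 1
AGENTS = [
    Agent(1, "RH-11686", SITE_MATRIZ, "workstation"),  # listed under Excluded Agents
    Agent(2, "RH-10001", SITE_MATRIZ, "workstation"),  # constructed hostname
    Agent(3, "SRV-0001", SITE_MATRIZ, "server"),       # constructed hostname
]
POLICY = Policy(
    name="Software - LembretePonto",
    workstation_sites={SITE_MATRIZ},
    excluded_agents={1},
)

if __name__ == "__main__":
    print("buggy :", sorted(related_agents_buggy(POLICY, AGENTS)))              # [1, 2]
    print("fixed :", sorted(related_agents_fixed(POLICY, AGENTS)))              # [2]
    print("leaked:", leaked_exclusions(POLICY, AGENTS, related_agents_buggy))   # {'RH-11686'}
```

The design point in the fixed version is that the exclusion is subtracted exactly once, at the end, rather than repeated inside each inclusion branch; a branch added later (clients, default policies) then cannot forget it. The leaked_exclusions check is the kind of assertion worth keeping in a test suite after the fix, run over every policy that carries an exclusion list.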

kerem closed this issue 2026-03-14 07:11:35 +03:00
Author
Owner

@wh1te909 commented on GitHub (Aug 26, 2025):

thanks for the detailed report, we've just pushed a fix for this and it will be in the next release

Author
Owner

@wh1te909 commented on GitHub (Oct 15, 2025):

released in v1.3.0
