Comodo One - Customer Device Organization

I have been unable to resolve the issue with client devices appearing under my company. I enrolled a client server and it is owned by a user under the client’s company but in Patch Manager, ITSM and RMM, the server shows up under my company and I don’t see any way to move it. In RMM my company has a “default site” under it but I see no way to change, add or delete sites under my company or client companies.

I am experiencing similar difficulties. How did you provision the device? Via the user e-mail method or via bulk install MSI?

The relationships between C1 customers, C1 staff, and ITSM device groups, devices, user groups, users, and user roles are not clear and do not seem to function properly.

I enrolled it via the email method to a dummy user acct I created client@mycompany.com under that customer expecting I could circumvent emailing end users directly this way. This was before I learned about the bulk install method which I have yet to try.

The relationship and flow between the modules does seem a bit clunky or awkward. Most solutions I have trialed were smoother but this is as close to contributing to the development process I’ve been. They seem responsive enough so hopefully it’s something they can refine soon. I think the team is more technical and not so familiar with MSP business process and expected functionality so they’re relying on Consortium members to bring that component.

Hello @MTekhna ,

Assuming that you have enrolled the device in ITSM, it should also synchronize in RMM. Also, in ITSM you should be able to change the company by selecting a user under a different company. The hierarchy in ITSM is quite natural, Companies have Users and Users have Devices. So if you want to move a Device under a different Company, you will have to change the User that owns that Device by clicking on ‘Change Owner’ button. If the change will not reflect in RMM, please let us know.
Patch Management agent installed from Patch Management module (ITSM has its own patch management module) can be installed by running a RMM procedure to install the PM agent. This way, the PM agent will install under the same company as in RMM Administrator Console.

@rrrryyyyaaaannnn C1 customers, C1 staff, and ITSM device groups, devices, user groups, users, and user roles are different entities.

  • C1 customers are your clients, each C1 customer being a company. Also, adding a C1 customer will create a group in Device Groups in ITSM.
  • C1 staff is a member (a person) of your company that is able to manage your clients. When creating a C1 Staff member, it will synchronize in all C1 modules, with administrator rights.
  • Just like in Active Directory, where an administrator can apply a policy on devices and on users, so a person will have different access rights to resources depending on the user rights and the device that is accessing, in the exact same manner User groups and Device Groups will act on devices, depending on the group that device is part of and the person who owns that device. You can apply profiles on Device Groups and on User Groups.
  • A user role is a set of privileges that are applied to a user. By default there are Administrator role and User role, but you can create a custom user role from ITSM dashboard > Settings > Role Management > Add Role. The description of each permission in that list can be found on this page.
Hopefully this will clear some aspects regarding Comodo One and ITSM.

Thanks Nick… the hierarchy you describe will be great when it is pervasive across modules and actually working… for now it is not consistent across modules and not even working within a single module in some cases.

The user-centric provisioning is concerning… exposing our customers’ users to confusing communications for each module separately. Creating a user in ITSM sends them an e-mail with links to install agents even if their device has already had the bulk MSI run on it. Those e-mails don’t contain credentials… so when the user wants to submit a help desk ticket to us they have to register again. Devices in PM don’t correlate to devices in ITSM. My Device Groups and Role Management pages are a mess of duplicate and non-existent customers and users.

Hello @rrrryyyyaaaannnn ,

Please allow us to clarify a few things.
“Creating a user in ITSM sends them an e-mail with links to install agents even if their device has already had the bulk MSI run on it.”

  • This does not happen when you create a user and you assign them the role of “Users”. They receive the email to install the agent only when you choose to Enrol a device on that specific user. This scenario also happens when you create a user and you assign them the role of “Administrators”. In this case they do indeed receive that email, but normal users do not.
  • The Service Desk is a completely different Module. Registration is done separately for customers since we do have cases when regular users (customers) choose to use the Service Desk only. The correlation is only done for the overall Comodo One Admin (who can access the Service Desk, ITSM and Patch Management Modules) but not for the regular user. The same goes for Patch Management. It is something managed separately and not through ITSM.
    ITSM itself does incorporate a different Patch Management which is different from the one available under Licensed Applications.

If you have any other questions, please feel free to ask, we’ll gladly help you out.

@Nick , I think as long as the relationships are consistent across modules it’s good. In my case it doesn’t seem to be because in RMM and Patch Manager the device ownership isn’t being reflected correctly. In ITSM I changed the ownership again and it is still not being reflected. RMM displays a “default site” under my company that I cannot remove or rename. Presumably it would do the same under a client if the device ownership were assigned correctly. It would be good to be able to rename this and add/remove sites under companies and users and devices under these. Like @rrrryyyyaaaannnn the user centric nature of the ITSM module was concerning at first. I understand it is “logical”, however we don’t keep account of client personnel typically. If we were an enterprise only shop or if we functioned as the enterprise IT dept in a client we would presumably do this but as an outside service provider in charge of managing technology and not people at a client site I think the user-centric model feels unnatural and generally any end-user input or communication required for installation is avoided. (This brings to mind another feature which it would be good to have is uninstall protection for environments not running GPO) My workaround to this user-centricity would be to create a dummy user acct for such a site and enroll all devices under this “company user x”. That way I am saved from needing to know, track, or maintain client personnel records and device/user relationships unless this is necessary for the contract.

Hello @MTekhna ,

The Patch Management is a separate module, there should be no correspondence between PM and ITSM, however the devices in RMM should keep the same structure as in ITSM. I have escalated this issue to the appropriate staff for further investigation and we will let you know as soon as we have any updates.

“This brings to mind another feature which it would be good to have is uninstall protection for environments not running GPO” - I have escalated this as a feature request.

About the user-centric nature of ITSM, this is the way it was designed, this doesn’t mean, however, that there aren’t ways to avoid these inconveniences, just like the one you have just described.

@Dylan , when you say there should be no correspondence between PM and ITSM I don’t think this means that client devices should not show up under the respective customer. PM currently has client devices owned by a customer listed under my company. The customer company is empty of agents/devices. If there is no correspondence between ITSM and PM, then how do you change the company a device is under in PM?

Hello @MTekhna

At the moment there is no option to change the company for a device that you have enrolled.
The Company selection step should be done prior to downloading the PM Agent from the dropdown menu from the top of the window (next to SYSTEM REPORTS).
Here is the help guide that will assist you in this process: https://help.comodo.com/topic-289-1-718-8504-Enrolling-Endpoints-by-Installing-the-Agent.html

Thank you.

I had a demo with Paulo from Comodo and he insisted that a user could be associated with only 1 workstation and up to 5 mobile devices. Is that limitation true or was he misinformed?

Hello @rrrryyyyaaaannnn

I am sorry about the confusion but the limitation is from a license point of view. One Premium license can cover up to 5 MOBILE devices per user or one computer.

Hi @Ethan , A few questions: How does this license limitation work? E.g. I currently have 2 mobile devices, 2 servers, and 1 workstation owned under a single user profile. This means that the user is consuming 4 licenses? What are the differences with respect to basic and premium licenses?

Hello @MTekhna ,

The differences between the Basic and Premium ITSM License types are listed on https://dm.comodo.com/ at the very bottom of the page.
Based on the number of users that the license includes, they get used as my colleague Ethan explained. So in your case, yes, it would consume 4 “seats” (or users) from a license and would leave 3 more spots for 3 more devices.
Please let us know if this clears things up or if you have other questions.

Hi @MTekhna , @rrrryyyyaaaannnn ;

I would like to add two notes about device hierarchy and user management.

  1. It is understandable not wanting to deal with each user if you are only managing workstations and servers. In this use case, you can always enroll devices under admins which are members of all companies that you manage and you can still see which device belongs to which company. However, if you are managing also mobile devices, it is always easier and beneficial to associate those devices with the real owners. It would help you on onboarding as well as profiling.

  2. Right now, RMM and Patch Management still have separate module components as well as tightly integrated components. We are in the process of migrating all of their functionality under ITSM portal. So, thanks for confirming the necessity of this effort and your patience until we have the full feature migration completed. We plan to have majority of features to be under ITSM portal in Q2 and the rest on second half of the year.

Ilker

We are pleased to inform you that the implementation of the feature that you have requested (Ability to uninstall protection for environments not running GPO) is scheduled to be released in Q3.

We appreciate your patience and your understanding in this matter!