Pre-requisite
Before configuring discovery sources, see Configuring Automatic Endpoint Discovery.
Discovery Source Prioritization for Smart Group Assignments
discovery-source.priority-list determines which source's metadata wins when multiple sources report the same endpoint. If you rely on a particular source's attributes for Smart Group assignments (e.g., AWS tags, AD organizational units), make sure it has the highest priority.
Key Rules
| Rule | Explanation |
| Priority List Order | The source listed first has higher priority than those following it. |
| Not Listed = Higher Priority | Any source not explicitly mentioned in the list outranks all sources that are listed. |
| Default Value (4.2.7+) | VSPHERE, AMAZON_EC2, ARM, ASM, AD, WSUS. As of 4.2.7+, AD is internally prioritized over WSUS by default: AD metadata will override WSUS data when both discover the same endpoint. |
Why Does Priority Matter?
If you use AD attributes (such as organizational units) to assign endpoints to Smart Groups, AD's higher priority ensures they are not overwritten by WSUS data.
| Important: If you only include AD,WSUS in the property file (omitting all other sources), any unlisted sources (vSphere, AWS, etc.) will automatically outrank both AD and WSUS. Keep this in mind if you want AD to outrank every other source. |
Make AD the Top Priority Overall
To ensure AD attributes outrank all other sources for Smart Group assignments, list all sources explicitly with AD first:
| discovery-source.priority-list=AD,VSPHERE,AMAZON_EC2,ARM,ASM,WSUS |
By listing all sources, none is automatically elevated due to being omitted. AD becomes the absolute top priority, followed by vSphere, then AWS, with WSUS last.
Implementation Steps
- SSH to the JetPatch server.
- Edit the properties file:
| Version | File Path |
| Prior to 5.0 | /usr/share/tomcat/default/conf/intigua.properties |
| 5.0 and later | /usr/share/intigua/services/data/intigua-main/conf/intigua.properties |
- Locate or add the line:
| discovery-source.priority-list=AD,VSPHERE,AMAZON_EC2,ARM,ASM,WSUS |
- Save and exit.
- Restart the service:
| Version | Command |
| Prior to 5.0 | systemctl restart tomcat |
| 5.0 and later | docker restart intigua-main |
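A check to run against the edited file contents before restarting, written as an added example (not JetPatch code). It applies the Key Rules above: any known source left out of the list outranks everything in it. The source names come from the default value on this page; the simple `key=value` parsing and the "last assignment wins" behaviour are assumptions about how the file is read.

```python
# Source names are the ones in the default value shown on this page.
KNOWN_SOURCES = ["VSPHERE", "AMAZON_EC2", "ARM", "ASM", "AD", "WSUS"]
KEY = "discovery-source.priority-list"


def read_priority_list(properties_text):
    """Return the configured list, or None when the key is absent or commented out."""
    value = None
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        name, sep, rest = line.partition("=")
        if sep and name.strip() == KEY:
            value = rest  # assumption: the last assignment wins, as in Java properties
    if value is None:
        return None
    return [s.strip() for s in value.split(",") if s.strip()]


def audit(properties_text, wanted_top):
    """Check that wanted_top is listed first and that no known source is left unlisted."""
    configured = read_priority_list(properties_text)
    listed = configured if configured is not None else list(KNOWN_SOURCES)
    unlisted = [s for s in KNOWN_SOURCES if s not in listed]
    return {
        "from_default": configured is None,
        "listed": listed,
        "unlisted": unlisted,  # per the Key Rules, these outrank everything listed
        "unknown": [s for s in listed if s not in KNOWN_SOURCES],  # likely typos
        "ok": bool(listed) and listed[0] == wanted_top and not unlisted,
    }


# Constructed samples: the AD,WSUS pitfall from the Important note, and the full list.
SAMPLE_PARTIAL = "aws.members.fetch=true\ndiscovery-source.priority-list=AD,WSUS\n"
SAMPLE_FULL = "discovery-source.priority-list=AD,VSPHERE,AMAZON_EC2,ARM,ASM,WSUS\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PARTIAL, SAMPLE_FULL):
        print(audit(sample, "AD"))
```

The page does not state how unlisted sources rank among themselves, so the check only reports them rather than ordering them.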
Change Discovery Source Timeouts
| Notes: • For WSUS Discovery timeouts, see the WSUS Discovery article. • To manually force a discovery source refresh, disable and then re-enable that discovery source. |
- SSH to the JetPatch application server.
- Edit the properties file (same paths as above).
- Add and configure the relevant properties:
| Source | Property | Default |
| Amazon | discovery-source.AWS.success.sleep-time.min | 10 min |
| Amazon | discovery-source.AWS.error.sleep-time.min | 20 min |
| Active Directory | discovery-source.AD.success.sleep-time.min | 10 min |
| Active Directory | discovery-source.AD.error.sleep-time.min | 20 min |
| vCenter | discovery-source.VC.success.sleep-time.ms | 500 ms |
| vCenter | discovery-source.VC.error.sleep-time.min | 5 min |
| Azure ARM | arm.sleep.success.minutes | 5 min |
| Azure ARM | arm.sleep.error.minutes | 5 min |
Active Directory Syncing
| Sync Type | Behavior |
| Regular Sync (every 10 min) | Checks for new computers created or changed in the last 10 minutes. Does not immediately remove computers or update security group changes. |
| Full Scan (every 24 hours) | Performs a complete scan to update all computers, including removals and security group changes. To manually force a full scan: disable, then re-enable Active Directory discovery. |
Sync intervals are controlled by the polling properties described in the previous section.
AWS Organizations Multi-Account Support
JetPatch can connect to the Master (or Trusted) account in an AWS Organization, allowing access to list and assume the role of all child (or Trusting) accounts.
Step 1: Configure the AWS Organizations Management Account
- Create an IAM user (e.g., demo-master).
- Attach the following AWS-managed policies:
- AmazonEC2ReadOnlyAccess
- AWSOrganizationsReadOnlyAccess
- Create a customer inline policy (e.g., demo-sts-assume-policy):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
        "sts:AssumeRole"
      ],
      "Resource": "*"
    }
  ]
}
```
Step 2: Configure Each AWS Organization Member Account
| Pre-requisite: All member accounts must have IAM Roles created. |
- Create an IAM Role (e.g., member-role).
- Attach the AWS-managed policy: AmazonEC2ReadOnlyAccess.
- Under Trusted Relationships, add the following entry:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<management-account-number>:<user>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Step 3: Configure JetPatch
- Enable multi-account support in intigua.properties:
| aws.members.fetch=true |
- (Optional) To modify the default member role, set:
| aws.members.role="demo-slave-role" |
| Tip: For troubleshooting, search for AssumeRole in the discovery.log of the manager logs. |
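The Step 1 inline policy allows `sts:AssumeRole` on `"Resource": "*"`. The added example below (not JetPatch or AWS code) flags that pattern and builds a least-privilege variant limited to one role name per member account. The account IDs are constructed placeholders, and it is an assumption that JetPatch only needs to assume the role named in `aws.members.role`; confirm discovery still works by checking for AssumeRole entries in discovery.log.

```python
import json

# The inline policy from Step 1 of this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListRoles", "sts:AssumeRole"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_assume_role(policy):
    """Return indexes of Allow statements that grant sts:AssumeRole on Resource "*"."""
    hits = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        grants = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        on_any = "*" in _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") == "Allow" and grants and on_any:
            hits.append(i)
    return hits


def scoped_policy(member_account_ids, role_name):
    """Same two actions, with AssumeRole limited to role_name in the given accounts."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # iam:ListRoles is a list action and is left on "*".
            {"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"},
            {"Effect": "Allow", "Action": "sts:AssumeRole",
             "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                          for acct in member_account_ids]},
        ],
    }


if __name__ == "__main__":
    print("wildcard AssumeRole in statements:", wildcard_assume_role(PAGE_POLICY))
    # Constructed placeholder account IDs; "member-role" is the Step 2 example name.
    print(json.dumps(scoped_policy(["111111111111", "222222222222"], "member-role"), indent=2))
```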