Nanitor recently published two components in the Datto ComStore.
We've been very impressed by the Datto team's efficiency, helpfulness, and collaborative spirit. This post demonstrates how to combine Nanitor CTEM with Datto RMM in a multi-tenant setting to streamline security monitoring.
Nanitor is designed so a Managed Service Provider (MSP) has a parent (top-level) organization, while each customer runs as a child organization underneath it. This hierarchical approach allows MSPs to oversee settings for all customers without exposing cross-organization data. Every Nanitor organization includes a unique Signup URL, ensuring that agents automatically map devices to the correct tenant. In Datto RMM, each Site must store the relevant Signup URL so that the Nanitor agent is deployed properly using a ComStore component.
Imagine you already have a Nanitor CTEM instance running at: https://dattotest.nanitor.net. Here, dattotest serves as your parent organization. Let’s say your customer, CompanyA, is set up beneath dattotest. First, you’ll need to grab CompanyA’s Signup URL from: https://dattotest.nanitor.net/organization/companya/admin. This URL typically starts with: https://dattotest.nanitor.net/api/agent_get_signup_key/...
On the Datto RMM side, we'll create a managed site for CompanyA. Under the site's settings, we'll create a variable called usrNanitorSignupURLSITE and set its value to the signup URL we saved earlier.
Next, we need to add the Nanitor CTEM Agent Installer component from the ComStore.
After adding the component, we'll create a job to run the installer on all Windows desktops and servers in the CompanyA site. You can customize this job to fit your specific environment.
There is no need to set the usrNanitorSignupURL component variable, as it will be overwritten by the usrNanitorSignupURLSITE variable set at the site level. The installer component is resilient and will exit gracefully if the Nanitor Agent is already installed on a device. It's a good practice to schedule this job to run regularly to ensure all new devices in the site also get the Nanitor Agent. Make sure the job runs as the system user. Once the job is saved and executed, the Nanitor Agent should be installed on all devices in the CompanyA site.
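Because the site-level usrNanitorSignupURLSITE value alone decides which Nanitor tenant a device enrolls into, it is worth auditing the site-to-URL mapping before scheduling the installer job. The following is an added example, not part of the Nanitor or Datto components: the function name, the dictionary input and the sample sites and keys are constructed, and the path prefix is assumed from the "typically starts with" URL above.

```python
from urllib.parse import urlsplit

# Assumption: prefix taken from the post's "typically starts with" wording.
SIGNUP_PATH_PREFIX = "/api/agent_get_signup_key/"


def audit_site_signup_urls(site_urls, expected_host):
    """Return {site: [problems]} for a site -> usrNanitorSignupURLSITE mapping."""
    findings = {}
    seen = {}  # signup URL -> first site that used it
    for site, raw in sorted(site_urls.items()):
        problems = []
        url = (raw or "").strip()
        if not url:
            problems.append("variable is empty")
        else:
            parts = urlsplit(url)
            if parts.scheme != "https":
                problems.append("not https")
            # .hostname ignores any userinfo or port placed around the host
            if (parts.hostname or "").lower() != expected_host.lower():
                problems.append("host is not the expected Nanitor instance")
            has_prefix = parts.path.startswith(SIGNUP_PATH_PREFIX)
            if not has_prefix or not parts.path[len(SIGNUP_PATH_PREFIX):]:
                problems.append("path is not a signup-key URL")
            # Two sites sharing one URL would enroll both customers' devices
            # into the same child organization.
            if url in seen:
                problems.append(f"same signup URL as site {seen[url]!r}")
            else:
                seen[url] = site
        if problems:
            findings[site] = problems
    return findings


# Constructed sample: site names beyond CompanyA and all keys are placeholders.
BASE = "https://dattotest.nanitor.net"
SAMPLE = {
    "CompanyA": BASE + "/api/agent_get_signup_key/EXAMPLE-KEY-A",
    "CompanyB": BASE + "/api/agent_get_signup_key/EXAMPLE-KEY-A",  # copy-paste
    "CompanyC": "http://dattotest.nanitor.net/api/agent_get_signup_key/EXAMPLE-KEY-C",
    "CompanyD": BASE + "/organization/companyd/admin",  # admin page, not key URL
    "CompanyE": "",
}

if __name__ == "__main__":
    report = audit_site_signup_urls(SAMPLE, "dattotest.nanitor.net")
    for site, problems in report.items():
        print(f"{site}: {'; '.join(problems)}")
```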
As we can see, an example dattotest Windows desktop now has the Nanitor agent installed.
Now that the Nanitor CTEM Agent is onboarded to the devices, we want to monitor its health and ensure the health score doesn't fall below a certain level. The Nanitor CTEM Agent Monitor for Windows devices in the Datto ComStore helps us achieve this.
By default, the monitor will create an alert on a device if its Nanitor health score falls below 0.7 (70%). You can change this threshold at the component level or the site level using the variable nanitorHealthScoreThreshold. On the Nanitor side, you can further customize the health score by excluding specific issues and configuring the minimum security baseline to reflect your environment and Service Level Agreements (SLAs) with your customers.
The Datto RMM component will monitor the health score and write three User Defined Fields (UDFs):
deviceUrlUDF: Shows the URL to access the device in the Nanitor portal.
healthScoreUDF: Shows the Nanitor health score of the device.
criticalIssuesUDF: Shows the most critical issues on the device.
When configuring the component, you need to specify which UDF numbers you want to use. It's a good practice to map UDF numbers to names in the global settings.
After installing the component from the ComStore, create a policy to apply the monitor to devices in your site, similar to how we created a job for the installer earlier. As shown in the picture, we use UDFs 21, 22 and 23.
Set the component to execute every 5 minutes and target all devices in the CompanyA site. Since variables can be overwritten at the site level, you can use the same policy across multiple sites. Ensure that the UDF numbers are mapped correctly, and the scopes and targets are set appropriately. Click save and deploy now on the policy so it applies immediately.
After a few minutes, the UDFs will be populated, and you might see an alert if any device's health score is below the threshold. You can adjust the nanitorHealthScoreThreshold in the site settings as needed. In our case, the health score was 68% and the threshold was 70%, so we get an alert.
By lowering the threshold to 0.65 in the Site Settings and redeploying, you’ll see the alert clear:
After redeploying the policy, the alert is gone.
This demonstrates how you can effectively integrate Datto RMM and Nanitor CTEM to manage and monitor the security of your clients' devices in a multi-tenant environment.
Integrating Datto RMM with Nanitor CTEM allows Managed Service Providers to seamlessly deploy agents, configure security policies, and monitor device health scores across multiple tenants. By leveraging Datto’s policy-driven automation in tandem with Nanitor's in-depth security insights, you can maintain a robust, standardized security posture for each client—ensuring greater visibility, efficiency, and peace of mind for everyone involved.