Persistent device list

Standalone Sentry operates using a list of ActiveSync devices that it keeps in its memory. This list is sometimes called the device cache. The information includes each device’s state, such as allowed or blocked.

Standalone Sentry also uses a persistent device list, sometimes known as a persistent cache: it persists (stores) its list of ActiveSync devices on disk. When Standalone Sentry initializes, if it cannot reach UEM, for example because of network issues, it uses its persistent device list to begin its operations. In this way, Standalone Sentry can begin with the last known state of each of its ActiveSync devices.

Standalone Sentry updates the persistent device list as follows:

At regular intervals. This update to disk is called the periodic disk update.

Before shutting down.

When requested by a CLI command.

Standalone Sentry behavior when UEM is not reachable

When Standalone Sentry detects that it cannot reach Core, its behavior depends on which of the following situations applies:

Standalone Sentry is initializing but cannot reach Core to get the list of devices.

Normally, when it initializes, Standalone Sentry retrieves from Core all the registered ActiveSync devices that are allowed to access the ActiveSync server. If Core is not reachable, Standalone Sentry reads into memory the persistent device list that it last stored on disk. Therefore, Standalone Sentry continues operating using the last known state of each device.

To understand Standalone Sentry initialization behavior when it can reach Core, see Core, Standalone Sentry, and device interaction.

At some point after initialization is complete, Standalone Sentry cannot reach Core after trying for an internally specified time period.

In this situation, Standalone Sentry continues operating using the last known state of the device as stored in its in-memory list.

If Core is unreachable and a new device, or a device not in the Standalone Sentry persistent device list, accesses the ActiveSync server or backend resource, the default Sentry behavior allows access to the server. In this case, for ActiveSync traffic, the ActiveSync server’s policy is applied to the new device.

Although Standalone Sentry continues operating, being unable to reach Core has the following impact:

The Standalone Sentry does not know when Core changes the state of a device due to a security policy violation.

It does not know when you change the state of the device using the ActiveSync Devices view of the Admin Portal.

It does not know when you change the ActiveSync policy for a device using the Admin Portal.

It cannot get guidance from Core when a device that is not in its list attempts to access the ActiveSync server. This situation occurs, for example, when a new device has registered with Core. Standalone Sentry allows the device access to the ActiveSync server and pushes a default ActiveSync policy to the device.

Standalone Sentry behavior when UEM is reachable again

Standalone Sentry detects when Core becomes reachable. The Standalone Sentry does the following:

Retrieves all the registered ActiveSync devices from Core that are allowed to access the ActiveSync server, and updates its in-memory device list with them.

Resumes normal interactions with Core as described in Core, Standalone Sentry, and device interaction.
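
The following is an added example, not part of the product documentation and not Standalone Sentry code. It models the behavior described above (last known state for listed devices, default allow for devices not in the list) and, once Core is reachable again, flags accesses made during the outage that an administrator may want to review. The record layout, device identifiers, timestamps, and function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    device_id: str
    timestamp: int  # epoch seconds

def decision_while_unreachable(device_id, last_known):
    """Model of the documented behavior while Core is unreachable."""
    state = last_known.get(device_id)
    if state is None:
        return "allowed-default"  # device not in the list: default behavior allows access
    return state  # last known state: "allowed" or "blocked"

def reconcile(accesses, last_known, refreshed_allowed, outage_start, outage_end):
    """Return (device_id, reason) pairs for outage-window accesses that need review."""
    findings = {}
    for a in accesses:
        if not outage_start <= a.timestamp <= outage_end:
            continue  # outside the outage, Core was giving guidance
        decision = decision_while_unreachable(a.device_id, last_known)
        if decision == "blocked":
            continue  # access was denied from the last known state
        if decision == "allowed-default":
            findings[a.device_id] = "unknown device allowed by default"
        elif a.device_id not in refreshed_allowed:
            findings[a.device_id] = "allowed on stale state, absent from refreshed list"
    return sorted(findings.items())

# Constructed sample data (hypothetical identifiers, not a Sentry log format).
LAST_KNOWN = {"dev-A": "allowed", "dev-B": "allowed", "dev-C": "blocked"}
REFRESHED_ALLOWED = {"dev-A", "dev-D"}  # dev-B no longer allowed; dev-D newly registered
ACCESSES = [
    Access("dev-A", 1000),  # before the outage
    Access("dev-A", 2100),
    Access("dev-B", 2200),
    Access("dev-C", 2300),
    Access("dev-D", 2400),
    Access("dev-E", 2500),
    Access("dev-B", 4000),  # after the outage
]

def sample_findings():
    return reconcile(ACCESSES, LAST_KNOWN, REFRESHED_ALLOWED, 2000, 3000)

if __name__ == "__main__":
    for device, reason in sample_findings():
        print(device, "-", reason)
```
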

Checking if Standalone Sentry can reach UEM

You can check whether Standalone Sentry can reach UEM by using the Standalone Sentry System Manager. See Service Diagnosis.