Caisey Blog

MSP technicians and owners · May 31, 2026

How Caisey's Group Diagnostics and Configurable Approval Gates Let You Run the Same Check Across 20 Endpoints with One Click While Respecting Client Consent Policies

Learn how MSPs can use Caisey's group diagnostics and per-client approval gates to run the same check on 20+ endpoints in one click, while respecting each client's consent policy. No more 20 individual sessions or blanket scripts.
group diagnostics · approval gates · client consent · remote troubleshooting · MSP workflow · compliance

Imagine you're an MSP technician and you get a call from a client who suspects a specific malware persistence technique is present on several machines across their network. You need to check for a scheduled task that's known to be created by a particular strain. The client has three different sites, each with its own consent policy: Site A requires explicit approval for any command execution, Site B only requires approval for remediation actions, and Site C trusts you to run read-only checks without prompting. With traditional tools, you're stuck. ScreenConnect or TeamViewer would mean connecting to each machine individually—20 separate sessions, 20 passwords, 20 minutes of overhead. An RMM script could run the check on all machines at once, but it would either bypass consent entirely or force a blanket approval that doesn't match each site's policy. Caisey's group diagnostics and configurable approval gates solve this exact problem: you define the check once, select the group of endpoints, and Caisey respects each client's consent settings automatically. Here's how it works in practice.

Setting Up Client Groups and Approval Gate Policies in Caisey

Before you run any group diagnostics, you need to organize your endpoints and define consent policies. In Caisey, you create client groups that mirror your real-world structure. For example, you might have groups like "Acme Corp - Site A," "Acme Corp - Site B," and "Acme Corp - Site C." Each group inherits the approval gate policy you set for that client. To configure approval gates, navigate to the client's settings in the Caisey console. You'll see options like:

  • **Require approval for all commands**: Every diagnostic or remediation action triggers a prompt to the client contact.
  • **Require approval for remediation only**: Read-only checks (e.g., registry reads, service status) run automatically; only actions that change state need consent.
  • **No approval required**: For clients who have given blanket permission for specific types of checks.

These policies apply to every endpoint within the client group. You can also set a default policy for new clients and override it per group if needed. For our scenario, Site A uses "all commands," Site B uses "remediation only," and Site C uses "no approval required." This setup takes about two minutes and is done once per client.

Executing a Group Diagnostic Command

Now it's time to run the check. In the Caisey console, you select the group that contains all three sites—or you can select multiple groups at once. Caisey shows you a list of all enrolled endpoints in those groups, along with their current status (online, offline, etc.). You then compose your diagnostic command. For this example, it's a simple PowerShell command to check for a specific scheduled task: `Get-ScheduledTask -TaskName "MaliciousUpdate" -ErrorAction SilentlyContinue`. You paste this into the command input field and click "Run on Group."
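With `-ErrorAction SilentlyContinue`, the one-line command above returns nothing both when the task is absent and when the query itself fails, which is ambiguous once results from 20 endpoints sit side by side. The following is an added example, not Caisey's own code: a read-only variant that separates those cases and emits one JSON record per endpoint. The output field names are this example's assumptions; `MaliciousUpdate` is the task name from the article.

```powershell
# Added example: read-only check for a named scheduled task with structured output.
# Field names (Endpoint, Status, Matches, ...) are this example's own choices.
$TaskName = 'MaliciousUpdate'   # task name used in the article

$result = [ordered]@{
    Endpoint  = $env:COMPUTERNAME
    CheckedAt = (Get-Date).ToUniversalTime().ToString('o')
    TaskName  = $TaskName
    Status    = 'Unknown'       # Found | NotFound | Error
    Matches   = @()
    Error     = $null
}

try {
    # Enumerate and filter rather than -TaskName with SilentlyContinue, so an
    # absent task (empty result) is distinguishable from a failed query (exception).
    $tasks = @(Get-ScheduledTask -ErrorAction Stop |
        Where-Object { $_.TaskName -eq $TaskName })

    if ($tasks.Count -eq 0) {
        $result.Status = 'NotFound'
    } else {
        $result.Status = 'Found'
        # The same task name can exist under several task folders; report each.
        $result.Matches = @(foreach ($t in $tasks) {
            $info = $t | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
            [ordered]@{
                TaskPath    = $t.TaskPath
                State       = "$($t.State)"
                Author      = $t.Author
                RunAs       = $t.Principal.UserId
                # What the task launches: the detail needed to triage a hit.
                Actions     = @($t.Actions | ForEach-Object {
                                  "$($_.Execute) $($_.Arguments)".Trim() })
                LastRunTime = "$($info.LastRunTime)"
            }
        })
    }
} catch {
    # Query failure (service unavailable, access denied, ...) is not "clean".
    $result.Status = 'Error'
    $result.Error  = $_.Exception.Message
}

$result | ConvertTo-Json -Depth 4
```

The script only reads task metadata and changes no state. Treat an `Error` status as an endpoint that still needs checking, not as a negative result.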

Caisey immediately sends the command to every online endpoint in the selected groups. But here's the key: it doesn't execute blindly. For each endpoint, Caisey checks the client's approval gate policy. Endpoints in Site C (no approval required) execute the command instantly. Endpoints in Site B (remediation only) also execute because this is a read-only check. Endpoints in Site A (all commands) trigger an approval prompt. The technician sees a live status pane showing which endpoints have completed, which are pending, and which are waiting for approval. No other tool gives you this granular, policy-aware execution in a single click.

Handling Approval Prompts in Real-Time

For the endpoints in Site A that require approval, Caisey sends a notification to the designated client contact—typically via email or the Caisey runtime notification on their device. The technician sees a queue of pending approvals in the browser interface. You can click on each pending item to see the exact command that will be run, the endpoint name, and the client contact's details. You also have the option to send a brief message to the contact explaining why the check is needed. For example: "We're investigating a potential malware persistence on the finance department machines. This command only reads the scheduled task list; it doesn't change anything." The client can approve or deny from their end. As approvals come in, the commands execute and results populate in real-time. The technician doesn't have to wait for all approvals before seeing results from other endpoints. This parallel workflow means you can start analyzing data from Site B and C while waiting for approvals from Site A.

Reviewing Results and Session History

Once all commands have completed (or been denied), you can review the results in a consolidated view. Caisey displays the output for each endpoint, including the command, timestamp, and whether consent was given. In our example, you see that three machines in Site A have the suspicious scheduled task, two in Site B, and one in Site C. You can click on any result to see the full session history for that endpoint—a durable record that includes the command, output, approval status, and any subsequent actions. This audit trail is critical if you later need to prove that you had consent, or if the client questions what was run. The session history is stored in Caisey's Cloudflare Durable Objects, so it's tamper-evident and available for review months later.

Comparison with Alternatives

Let's compare this workflow to what you'd do with other tools.

  • **ScreenConnect / TeamViewer**: You'd need to connect to each machine individually—20 separate sessions. Each session requires a password or invitation, and you'd have to manually document what you ran. No built-in consent granularity. Time: 20+ minutes.
  • **RMM script execution**: You could run a script on all machines at once, but RMMs typically don't have per-client consent policies. You'd either need to create separate scripts for each consent level or run a blanket script that might violate a client's policy. Also, RMM audit logs often lack the detail of a full session transcript—they just show that a script ran, not the interactive context.
  • **Bomgar / BeyondTrust**: These tools offer session policies, but they're designed for individual remote control sessions, not group diagnostics. You'd still need to start a session for each machine, and the approval process is per-session, not per-command. Group execution is not a native feature.

Caisey's combination of group diagnostics and configurable approval gates is unique. It reduces the time to run the same check across 20 endpoints from 20+ minutes to under 5 minutes, while maintaining full compliance with each client's consent requirements. The durable session history gives you a single source of truth for what was done, when, and with whose permission.

Conclusion

When you need to run the same diagnostic across multiple clients with different consent policies, Caisey's group diagnostics and approval gates turn a tedious, error-prone process into a one-click operation. You set the policies once, select your endpoints, and let Caisey handle the consent logic. The result is faster troubleshooting, better client trust, and a clear audit trail that satisfies even the strictest compliance requirements. Next time you get a request to check something on multiple machines, try it with Caisey—you'll wonder how you ever managed without it.