SWARM — New Staff Onboarding Guide

What is SWARM?

SWARM (Secure Asset & Remote Management) is the internal MSP operations platform used to monitor managed endpoints, manage client assets, run maintenance and onboarding automation, and feed structured records into HaloPSA for billing and review.

It is not a remote-control tool. SWARM does not open a live session on an endpoint. Instead, it publishes instructions to small control files that agents poll on a schedule, then reads the results back as structured events.

• SWARM surfaces IT posture data — health, uptime, disk, patching state, security — for all managed endpoints.
• It orchestrates General Service (maintenance) and System Prep (onboarding) workflows for Windows, and a subset of those for macOS.
• It keeps HaloPSA informed: tickets are created, progress notes are posted, and completion entries are generated without the technician writing anything manually.
• It manages static assets — printers, network devices, and mobile devices — that are not self-reporting.

How it Works — the Polling Model

Understanding the polling model prevents a lot of confusion when things seem slow or unresponsive.

• Endpoint agents check in every 5 minutes on their normal polling cycle.
• When you queue a General Service run or push TeamViewer, SWARM publishes a control file. The endpoint picks it up on its next 5-minute poll.
• There is no instant-push path. Actions are not immediate — they take effect on the next agent cycle.
• Results (progress events, task completions, diagnostics packets) are posted back by the agent in the same way — on each run.
• SWARM, not the endpoint, is responsible for all Halo writes. The agent only posts events; the SWARM backend decides what that means for the Halo ticket.

Platform Support

SWARM supports both Windows and macOS endpoints, but the available workflows differ significantly.

Signing In

SWARM uses Microsoft Entra ID (formerly Azure AD) as its primary sign-in method. You will need an active account in the IN2Tech Microsoft 365 tenant.

1. Navigate to the SWARM URL in your browser.
2. Click Sign in with Microsoft.
3. Complete your Microsoft Entra authentication (including MFA if required).
4. SWARM will create your session and redirect you to the dashboard.

If you cannot sign in, ask an existing admin to confirm your account has been added to SWARM under Settings → Admin → Users.

Operator vs Admin

SWARM has two access levels.

Operator (standard)

• Full read access to all endpoint data, assets, and run history
• Can queue General Service, Recurring Service, System Prep, and TeamViewer Push
• Can run and manage Diagnostics
• Can edit system details, manage assets, and export reports
• Cannot access Admin settings (users, Graph configuration, Halo sync)

Admin

• Everything an operator can do, plus:
• User management — add, remove, promote, demote, reset passwords
• Microsoft Graph configuration for email reporting
• Daily HTML executive report configuration and manual triggers
• HaloPSA company sync and remap
• CPU lookup table and system-lookup management

The SWARM Browser Helper

The Microsoft quick-service button on the dashboard uses a local protocol handler (swamhelper://) to open Microsoft Admin in a dedicated private browser window. This keeps Microsoft admin work isolated from your normal browser session.

• Download the SWARM Browser Helper installer from the link in the SWARM header.
• Install it once on your workstation.
• If the helper is missing or outdated, SWARM will prompt you to download or update it when you click the Microsoft button.
• Other quick-service buttons (PAX8, uSecure, BlackPoint, SentinelOne) open normally in a new tab and do not require the helper.

Dashboard Layout

The SWARM console is a single-page application. There is no page navigation — everything happens within the one view.

Header

The top bar contains: SWARM branding, the Windows installer download link, the help link, a live summary badge showing total endpoint counts, the theme toggle, the manual refresh button, your logged-in name, and logout.

Quick-service strip

A row of coloured shortcut bubbles below the header. These are portal links used throughout the day: Microsoft, PAX8, uSecure, BlackPoint, and SentinelOne. The order is configurable in Settings → Services. The Automations button at the right end of the row opens the automation drawer.

Search and view row

Contains the view toggle (list/card), sort controls, the global search box, clear button, and the Reports export menu.

Left pane — Systems and Assets

The main data area. Tabs along the top switch between Systems, Printers, Networks, and Mobile. The Systems tab shows summary health pills and the endpoint list or card grid.

Right pane — Details

When you click an endpoint, the right pane opens with its full detail: General tab, health data, diagnostics controls, edit mode, and bottom-of-pane actions (Push TeamViewer, uninstall). On narrower screens this panel slides in as an overlay.

Health Badges

Every endpoint in the list has a coloured health badge. Health is calculated automatically from the latest ingest payload.

• Healthy — all monitored metrics are within acceptable thresholds
• Warning — one or more metrics are approaching concern thresholds
• Critical — one or more metrics have exceeded the critical threshold
• Offline — the endpoint has not checked in within the configured offline window
• Excluded — one or more health dimensions have operator-applied exclusions

The metrics that drive the badge are: last check-in time (offline), CPU usage, RAM usage, disk usage, and antivirus state. Thresholds for each are configurable in Settings → Health.

Search and Filters

The search box at the top of the list applies instantly across all visible fields.

• Multiple plain words act as AND — both words must appear somewhere in the record.
• Quoted phrases search exact text — "Windows 11 Pro" will match that exact string.
• The word or builds alternate matches — laptop or notebook.
• Search works across the non-system asset tabs too (Printers, Networks, Mobile), using substring matching on their configured columns.

The summary health pills above the list act as quick filters — click Critical to show only red endpoints, click again to clear.

List View vs Card View

Both views show the same endpoints. Use the toggle in the view row to switch.

• Card view is better for at-a-glance health review, especially at end of day.
• List view is required for any bulk action — General Service queuing, System Prep, and Recurring Service all depend on the checkbox column that only appears in list view.

Checking an Endpoint

Clicking any endpoint in the list opens the right-hand details pane. This is your primary view for understanding what is happening on a machine.

General Tab

Shows company, computer name, last user, OS, CPU, RAM, uptime, disk, serial number, IP, and the Last General Service date. The last service date is set automatically when a General Service or System Prep run completes successfully — it is not editable.

Capability Strip

Below the system header, a compact row shows what automation workflows are available for this endpoint.

• Available — can be queued normally
• Review — can be queued but has limitations (usually an unknown platform)
• Unavailable — blocked for this endpoint type; hover for the reason

Check this strip before queuing anything on an unfamiliar endpoint.

Health Tabs

The remaining tabs (Disk, Security, Network, etc.) show the detailed breakdown behind the health badge. Use these to understand why an endpoint is amber or red before deciding on an action.

Running Diagnostics

Diagnostics give you a time-series snapshot of CPU, RAM, disk, and process activity from the endpoint. Use them when you need more context than the last ingest payload provides — for example, to investigate a reported slowness or a suspiciously high CPU reading.

1. Select the endpoint in the details pane.
2. Click Run Diagnostics.
3. Select a duration (how long you want the agent to collect data).
4. Click Start. SWARM publishes the request immediately.
5. The endpoint picks it up on the next agent poll — usually within 5 minutes.
6. The first data packet arrives roughly 2 minutes after the agent starts collecting. Results continue arriving at 2-minute intervals until the run completes.

Reset vs Clear Diagnostics

• Reset Diagnostics — removes all existing diagnostic results and returns the panel to a clean, ready state. Use this to start fresh before a new run.
• Clear Diagnostics — use this when a run never received its final completion packet (e.g. the endpoint went offline mid-run). It resets a stuck state so a new run can be started.

Diagnostics do not resume after a reboot or disconnection. If the endpoint went offline during a run, clear it and start again.

Running General Service — Windows

General Service is the primary maintenance workflow for Windows endpoints. It runs a structured task flow covering health checks, patching, cleanup, and review — all logged back into HaloPSA automatically.

1. Go to the Systems tab and switch to List View.
2. Tick the checkboxes next to the systems you want to service.
3. Click Automations in the quick-service row.
4. Make sure you are on the General Service tab. Confirm the selected system count is correct.
5. Choose Start now or set a scheduled time.
6. Optionally enable Reboot before service — the agent will show a reboot notice to the user and restart before beginning the task flow. The reboot-days threshold is saved in the drawer defaults.
7. Optionally enable Reboot as needed — allows planned mid-service restarts and automatic resume, needed for update installation that requires a reboot.
8. Click Queue General Service.

What Windows General Service Does

The task flow runs in this order. Power Plan Review always runs first so the endpoint is on High Performance AC settings before any long-running servicing begins.

• Power Plan Review — enforces High Performance plan and AC sleep/hibernate baseline
• Pending Reboot Detection
• SentinelOne Health Check
• Windows Update Service Health Check
• Windows Update Scan Readiness Review
• Windows and Microsoft Update Remediation
• WinGet Third-Party Update Remediation
• HP Driver Update (HP endpoints only)
• HP BIOS Update (HP endpoints on AC power only)
• Disk Space Review
• System File Integrity Check
• Post-Patch Cleanup and Space Recovery
• Temporary File Cleanup
• Windows Update Cache Cleanup
• Temporary Internet Files Cleanup, Browser Cache Cleanup
• Temporary User Profile and Installer Cleanup
• Storage TRIM Health Check
• Notebook Battery Health Check (laptops only)
• Automatic Network Optimization
• SysMain Optimization Scheduling
• Windows Search Index Health Check
• Event Log Review and Cleanup
• User Account Inventory Review
• Account Security Review

Monitoring a Run

Open the Automations drawer any time to check on active runs. The General Service tab shows the current run queue with status, elapsed time, and the last reported task.

• Click Refresh to reload run data.
• Active runs are shown by default. Toggle to see recent closed runs.
• If a run appears stuck at a task for a long time, check that the endpoint is still online and polling before escalating.

Cancelling a Run

• Use the Cancel button on an active run to stop it. The queue is republished immediately and the endpoint removes the run on its next poll.
• Use Cancel & Submit Ticket if the endpoint has gone offline and you want to close the Halo ticket without waiting for the 72-hour automatic timeout. SWARM will finalise the ticket with a disconnection-timeout note.

Running General Service — macOS

macOS The queue process is identical to Windows. Select the Mac in list view, open Automations, and queue from the General Service tab. The difference is in what the agent actually does.

The macOS General Service workflow is conservative — it reviews and performs safe light maintenance only. It does not install OS updates, change firewall or remote-access state, or delete user data.

What macOS General Service Does

• Startup Disk Space Review
• RAM Usage Review, CPU Load Review
• Running Processes Inventory
• Startup Items Review
• Network Interface Review
• Storage SMART Health Review (skipped if no actionable status available)
• Notebook Battery Health Review (skipped on desktop Macs)
• DNS Cache Flush
• Safe Cache Cleanup (system temp only — no user data)
• Local Account Inventory Review
• Firewall and Remote Access Review (read-only — no state changes)
• System Log Review

Reading General Service Results in Halo

After a General Service run completes, SWARM creates structured entries in the HaloPSA ticket. Understanding what goes where prevents confusion about what the client sees versus what the technician sees.

What the technician sees

• Technician-only progress notes — posted during the run as tasks complete. Contains raw task data, AI-generated review guidance, and feedback classifier codes. These are hidden from the client.
• Action Items note — a final hidden technician-only summary listing only high-value follow-up: failed updates by KB, high/critical event log patterns, and failed tasks with specific next steps. Noise (skipped tasks, unavailable battery telemetry, etc.) is filtered out.
• Technician review email — sent to the operator who queued the run. Subject: Pending Technician Checks. Contains the same high-value action items digest.

What the client sees

• Customer-facing completion entry — one visible, non-billable Halo action. Lists only successfully completed outcomes in plain language. No task failures, no internal tooling references.

Halo ticket workflow

After General Service completes, SWARM moves the ticket to Manager Review status so it is ready for technician sign-off before billing. The technician review email and the Halo action items note are the inputs for that review.

Recurring Service

Recurring Service creates an ongoing company-level schedule rather than a one-off run. Use this for clients who have agreed to regular monthly or quarterly maintenance.

1. Open the Automations drawer and switch to the Recurring Service tab.
2. Select the company.
3. Choose a recurrence interval and optional scheduled time.
4. Set the reboot policy.
5. Optionally exclude specific endpoints that should not be included in the company schedule.
6. Save the schedule.

SWARM stores only excluded systems, not a fixed endpoint snapshot. New machines added to the company later are included automatically unless explicitly excluded.

When the scheduled time arrives, SWARM materialises individual General Service runs for each eligible endpoint — from that point they behave exactly like manually queued runs.

Windows System Prep

System Prep is SWARM's Windows onboarding workflow. It installs, configures, and validates a new Windows machine against the IN2Tech baseline and then automatically runs a follow-on General Service to confirm everything is healthy.

Before you queue

• The Windows machine must have the SWARM agent installed and be appearing in the Systems list.
• The SWARM agent installer is available from the SWARM header download link.
• The machine must be on AC power throughout the prep run.
• Check the Capability Strip in the details pane — System Prep should show as Available.

Queueing a System Prep run

1. Select the new Windows machine in list view. Only one system at a time for System Prep.
2. Open the Automations drawer and go to the Sys Prep tab.
3. Review and tick the checklist options. The defaults are pre-set to the standard IN2Tech baseline.
4. Choose the PDF client: Foxit (default) or Adobe.
5. Leave Remove existing Microsoft Office unchecked unless you have specifically confirmed that existing Office needs to be wiped. This is a destructive action with a confirmation prompt.
6. Click Queue System Prep.

What System Prep Does

• Renames the computer if required
• Joins Microsoft Entra ID (Azure AD)
• Installs SentinelOne antivirus
• Installs Microsoft 365 (Office)
• Installs the selected PDF client
• Configures power settings (High Performance, sleep/hibernate baseline)
• Sets the IN2Tech desktop wallpaper for current and new user profiles
• Configures File Explorer defaults and privacy settings
• Configures taskbar defaults (Search icon, no Task View, no Widgets)
• Raises account security to the IN2Tech baseline
• Optionally removes existing Office (if selected — destructive, off by default)
• Posts structured task results back to SWARM and into the Halo ticket as each phase completes

After prep completes

SWARM automatically queues a follow-on General Service run in the same Halo ticket. This baseline run validates patching state, disk health, event logs, and account security after the prep completes. The combined prep + General Service result is then moved to Manager Review for technician sign-off.

macOS Onboarding — TeamViewer Push

macOS Full System Prep does not run on Macs. The macOS onboarding workflow is TeamViewer Push — SWARM installs TeamViewer Host on the Mac so the team can connect remotely.

Queueing a TeamViewer Push to macOS

1. Confirm the customer is at the Mac and ready to interact with permission prompts.
2. Select the Mac endpoint in SWARM_DOT_SENTINEL.
3. Check the Capability Strip — TeamViewer Push should show as Available.
4. Click Push TeamViewer in the details pane actions.
5. SWARM queues the push. The Mac agent picks it up on its next poll (within 5 minutes).
6. The agent downloads TeamViewer Host from the IN2Tech custom permalink, installs it, and assigns it to the company TeamViewer account.
7. The agent then prompts the customer to approve Screen Recording, Accessibility, and Full Disk Access in System Settings.

The three macOS privacy permissions

Walk the customer through these if they need help:

• Screen Recording — required for the technician to see the screen. System Settings → Privacy & Security → Screen Recording → enable TeamViewer.
• Accessibility — required for keyboard/mouse control. System Settings → Privacy & Security → Accessibility → enable TeamViewer.
• Full Disk Access — required for file transfer and remote support access. System Settings → Privacy & Security → Full Disk Access → enable TeamViewer.

System Prep Results in Halo

SWARM opens a Halo ticket at queue time and posts structured entries as prep progresses.

• During prep: technician-only Halo notes are posted for each task phase.
• At completion: one customer-visible non-billable entry is posted. It includes a handover header with Entra join confirmation, username/password/Hello PIN placeholders, SentinelOne confirmation, and serial number.
• Follow-on General Service: the baseline run posts its own technician notes and customer-facing completion entry into the same ticket.
• Manager Review: after both prep and General Service complete, the ticket moves to Manager Review for billing sign-off.

Asset Management

SWARM tracks three categories of non-agent assets: Printers, Networks, and Mobile. These do not self-report — they are created and maintained manually by operators.

Switch between asset tabs using the tab strip above the list. Asset management (create/edit/delete) is available from each asset's detail view.

• Assets are company-scoped. The company field links to the shared SWARM company registry.
• Each asset type has a set of configurable fields relevant to that device category.
• Assets are included in multi-sheet XLSX exports.
• Warranty status is tracked and shown as a badge on each asset record.

Reports and Exports

CSV and XLSX Exports

Use the Reports menu in the view row to export data.

• CSV export — exports the currently visible/filtered system list. Filter by company or health first if you want a company-specific output.
• XLSX export — supports multi-sheet exports that can combine systems plus printer, network, and mobile asset sheets into one workbook.
• Visible/filtered console state drives the export content — what you see is what you get.

Daily HTML Executive Report

SWARM generates a daily HTML health report automatically and sends it via email to the configured recipient(s). This report gives an executive-level summary of endpoint health across all managed companies.

• Admin users can view and adjust report settings under Settings → Admin → Daily Report.
• The report can be triggered manually from the admin settings area for testing.
• The report includes Hermes recommendation signals — AI-generated insights based on recent General Service and System Prep patterns.

Monthly Report

The monthly report provides a per-system health trend summary for subscribed companies.

• Subscription settings are managed per company in the Subscription Settings section of the company details pane.
• A This month's report toggle lets operators preview the current month-to-date before month end, rather than waiting for the previous-month report.
• The Send Now button in subscription settings delivers the report immediately using the current toggle state.

Stalled General Service Runs

A General Service run can stall if the endpoint goes offline, reboots unexpectedly, or loses connectivity during a long-running task. SWARM handles this automatically, but you need to know what to expect.

The disconnection timeout sequence

• If a running endpoint stops posting events, SWARM posts a technician-only warning at every 12 hours of disconnection, including the total disconnected time and a countdown to termination.
• At 72 hours without activity, SWARM automatically terminates the run, finalises the Halo ticket with a disconnection-timeout note, and removes the run from the queue.
• A completion email is sent to the requester noting the run timed out.

Cancel & Submit Ticket

If you know the endpoint is not coming back (machine repurposed, client gone offline permanently, etc.) and you want to close the Halo ticket before the 72-hour clock expires:

1. Open the Automations drawer and find the stalled run.
2. Click Cancel on the run bubble.
3. Choose Cancel & Submit Ticket.
4. SWARM will immediately finalise the Halo ticket with a disconnection-timeout note and send the requester completion email.

SFC / DISM stalls

System File Integrity Check and DISM operations can run for a long time (up to 20 minutes for SFC verify). The launcher posts progress heartbeats every 5 minutes during these phases. If you see a run stuck at System File Integrity Check for more than 30 minutes, check whether the endpoint is still online before concluding something is wrong.

Interpreting the Capability Strip

• Available — the workflow is confirmed available. Queue normally.
• Review — the workflow can be queued but may have reduced functionality. Typically shown when the endpoint platform is unknown (no full ingest payload yet). Safe to queue but monitor the run.
• Unavailable — the workflow is not supported for this endpoint type. Hover the badge to see the reason. For macOS endpoints, System Prep will always show Unavailable — use TeamViewer Push instead.

An endpoint may show Review for a workflow until it submits a full ingest payload containing confirmed platform data. Once a complete payload arrives (usually within one polling cycle after agent install), the capability classification updates automatically.

Common Halo Ticket States

SWARM moves Halo tickets through these states automatically. You don't need to touch them manually in most cases.

• In Progress — SWARM has posted progress notes; the run is still active.
• Under Review / Manager Review — the run completed. The ticket is waiting for technician sign-off and billing review.
• Ready to Bill — the Manager Review action has been completed by the technician. The ticket is billable.

If a completed General Service ticket is still showing In Progress in Halo after the run is closed in SWARM, check the Halo ticket timeline to confirm whether the final completion action was posted. If missing, contact the lead technician — do not manually move the ticket status.

Health Exclusions — When to Use Them

Health exclusions suppress specific metrics from contributing to the endpoint's health badge. Available dimensions: antivirus, uptime, CPU, memory, disk.

Apply exclusions from the Edit view in the details pane. They are stored against the endpoint record and persist across agent check-ins.

User Management

Manage SWARM user accounts from Settings → Admin → Users.

• Adding a user — click Add User, enter their name and email. SWARM creates the account. For Microsoft Entra sign-in to work, the email must match their Microsoft 365 UPN in the IN2Tech tenant.
• Admin toggle — promote or demote admin access from the user edit row.
• Reset password — generates a temporary password. Only relevant for local-password accounts (rare in practice).
• Removing a user — removes the SWARM account. Does not affect the Microsoft 365 account.

Microsoft Graph and Halo Settings

Graph (Email reporting)

The daily executive report and automation completion emails are sent through Microsoft Graph using the configured swam@in2tech.com.au shared mailbox. Graph credentials are stored in the backend environment configuration and are not accessible through the UI.

Admin users can configure the report recipient address and test the Graph send path from Settings → Admin → Daily Report.

HaloPSA Company Sync

SWARM maintains a company registry used to link endpoints and assets to clients. This registry can be synchronised from HaloPSA.

• Sync from Halo — imports active clients from HaloPSA into the SWARM company list. Run this when a new client is added to Halo and needs to be available in SWARM_DOT_SENTINEL.
• Company remap — if a SWARM company name and its Halo equivalent are mismatched, use the remap tool to link them correctly. This ensures ticket creation points to the right Halo client.

Publishing Signed Agent Scripts

When an agent script changes, it must be re-signed and republished before endpoints will use the new version. Unsigned or hash-mismatched scripts are rejected by the agent.

Windows publish scripts

• publish-swam-agent.ps1 — Windows SWARM agent (agent/swam-agent.ps1)
• publish-general-service.ps1 — Windows General Service launcher (agent/general-service.ps1)
• publish-prep.ps1 — Windows System Prep launcher (agent/prep_system.ps1)
• publish-swam-diagnostic.ps1 — Windows diagnostics script
• publish-swam-uninstall.ps1 — Windows uninstall script

Each publisher signs the script, regenerates its SHA256 hash file, and updates the associated version file. After publishing, the new version is live — endpoints will pick it up on the next download cycle.

macOS publish path

macOS scripts are published from the MacBook Pro, not from the Windows signing workstation. The Mac uses a separate shell-script signing and build workflow. For notarized installer packages, use the package-specific build and notarization workflow from the MacBook Pro.

Do not attempt to publish macOS scripts from the Windows workstation — the signing certificate and build toolchain are Mac-only.

When to publish

• Any time a launcher script changes, publish it before expecting endpoints to behave differently.
• Publish the Windows agent before rolling out changes that depend on a newer agent version.
• Publish the General Service launcher before rolling out task-level changes.
• If an endpoint is running an old launcher version and behaving unexpectedly, confirm the published version matches the current repo state before diagnosing further.

The Hardening Report

The Hardening Report aggregates blocked-task patterns from recent General Service and System Prep runs. It is a development feedback tool for identifying recurring failure patterns that warrant an agent script improvement.

• Open the Automations drawer and click Hardening Report at the bottom.
• The modal shows top blocker codes (e.g. SWARM_WU_SENTINEL.INVENTORY_BLOCKED), frequency counts, recent examples, and an auto-generated GPT developer prompt you can copy and paste to initiate a script hardening session.
• Use this report in your regular review cycle to surface the most common walls endpoints are hitting and feed them into the engineering backlog.