Tags
Tags let you organize agents into logical groups. Use tags to target specific sets of endpoints for update policies, compliance baselines, and configuration policies.
Creating tags
Navigate to Agents > Tags and click Create Tag. Give the tag a descriptive name (e.g., production-servers, finance-department, windows-11). Tag names must be lowercase, use only letters, numbers, and dashes, and cannot start or end with a dash. Tags appear immediately and are ready to be assigned to agents.
Assigning tags to agents
You can assign tags in three ways:
Manual assignment
Go to Agents > Endpoints, select one or more agents using the checkboxes, and use the bulk action Assign Tag. Pick one or more tags from the dropdown and confirm. The tags are applied to all selected agents immediately.
Automation rules
Set up rules that automatically tag agents based on matching criteria such as OS type, hostname pattern, or IP range. See the Automation section for details on creating and managing rules.
Automation rules can be configured to run on new agent enrollment, on a schedule, or triggered manually. See Automation for details on configuring rule triggers.
Microsoft Entra groups
If you connect Microsoft Entra, you can map an Entra device group to a tag so the group's membership is mirrored onto the tag automatically. Endpoints in the group receive the tag and lose it when they leave the group, keeping your tags aligned with the groups you already maintain in Entra. See Microsoft Entra Group Sync for setup.
Tag details page
Click a tag name in the list to view its detail page. From here you can see:
- Agent count - Total number of endpoints assigned to this tag
- Status breakdown - How many tagged agents are online, offline, or pending
- Agent list - All endpoints with this tag, with the same sort and filter controls as the main Endpoints page
You can also remove agents from the tag directly on this page by selecting them and choosing Remove from Tag.
Using tags for targeting
Tags are the primary mechanism for targeting agents when creating:
- System update policies - Control which OS patches and security updates endpoints receive
- Application update policies - Manage third-party application updates on Windows and macOS endpoints
- Compliance baselines - Evaluate a set of endpoints against CIS, DISA STIG, or other frameworks
- Configuration policies - Apply settings to a group of machines
When you target a policy to a tag, the policy automatically applies to any new agents that receive that tag in the future. This means you define the policy once and let tag membership control who it affects.
Unlike system update policies, an endpoint can inherit more than one application update policy at once when it carries multiple tags that each bring their own policy. See Multiple policies per endpoint for how TridentStack Control resolves overlapping application update policies.
Disabled policies
A disabled update policy can still be assigned to a tag. It appears in the tag editor with a Disabled status, and endpoints that carry it show the same Disabled status on their details page. While disabled, the policy applies nothing: no updates are approved, staged, or installed on its behalf.
For system update policies, a disabled policy also keeps its place in the priority order. If the highest-priority system update policy on an endpoint is disabled, that endpoint has no effective system update policy, and updates pause until you re-enable the policy or change the assignment. A lower-priority policy carried by another tag does not take over. This prevents an endpoint from unexpectedly inheriting a different update schedule the moment you disable a policy.
Favorite tags
Mark the tags you use most as favorites so they are always easy to find. Anywhere you pick tags (assigning an update policy, deployment ring, compliance baseline, or configuration policy to a tag), select the star next to a tag to favorite it. Favorited tags are pinned to the top of the tag picker, ahead of the rest, so your go-to tags are the first ones you see. Select the star again to remove the favorite.
Favorites are shared across your organization: a tag one administrator stars is pinned for everyone on your team.
Best practices
Follow these guidelines to build a tagging strategy that scales with your fleet:
-
Use a consistent naming convention. A prefix-based scheme makes tags easy to filter and understand at a glance. For example:
env-production,os-windows-11,dept-finance,role-web-server. Tag names must be lowercase, alphanumeric, and can only use dashes to separate words. -
Create tags for both organizational and technical grouping. Organizational tags reflect your business structure (department, location, cost center). Technical tags reflect the endpoint's role or platform (OS, server type, application stack). Having both gives you flexibility when targeting policies.
-
Combine tags with automation rules. Manual tagging works for small fleets, but automation keeps grouping accurate as agents change properties or new endpoints enroll. See Automation for setup instructions.
-
Avoid overly specific tags. A tag for every individual machine defeats the purpose of grouping. If you find yourself creating tags with a single agent, consider whether a broader grouping would serve the same goal.
Tags are the foundation of policy targeting. Invest time in a good tagging strategy early to simplify management as your fleet grows.