Managing Unapproved VMs

Any new VM that's managed by Commander is, by default, unapproved (unless Commander has been configured to automatically set the approval states of VMs, as described later in this topic). You have the option of marking a VM as approved and then changing that status back to unapproved at any time.


  • Only VMs can have the Unapproved state; this state is not supported for other service types, such as virtual services, load balancers, databases, auto scaling groups and application stacks.
  • The Approval policy and the approval state are deprecated and will be removed in a future release.

You can use the approval state of a VM to work with the Approval policy by setting that policy to trigger an action when an attempt to relocate or start an unapproved VM is made. For example, if an attempt is made to start an unapproved VM, the Approval policy can alert you of the attempt or can shut the VM down immediately. The policy therefore allows you to mandate that Commander brokers all access to the managed system.

You can also configure Commander to automatically approve VMs that arrive in inventory through the use of third-party deployment tools.

If you require custom integration, contact a representative from Embotics to discuss your requirements.

Setting the Approval state of a VM

Access through:

Views > Inventory > Infrastructure or Applications

Available to:

Administrator, Operator with Approval Access Rights

To set the approval state for a VM:

  1. Right-click a service in the tree or in a table.
  2. Right-click and choose Policy Enforcement > Set Approval State.
  3. In the Set Approval State dialog, select Approved or Unapproved as required.
  4. Click Set.

Configuring the Approval policy

The Approval policy changes the Approval state for templates, but policy actions (for example, deletion) are not performed for templates. It's possible to deploy a VM from a template in the Unapproved state.


  • The Approval policy and the approval state are deprecated and will be removed in a future release.
  • The Approval policy applies only to VMs.
  • Any configuration of this policy on a system-wide basis can affect all managed systems that are managed by Commander now and can affect all managed systems that are added to Commander in the future. If you don't want any managed system to be automatically affected by this policy, configure the policy by selected infrastructure elements only. For more information, see Managing policy when adding a new host.

Access through:

Configuration > Policies

Available to:

Commander Role of Superuser and Enterprise Admin

Administrator Access Rights

  1. On the Configuration page, click Add.
  2. On the Choose a Policy page, select Unapproved from the list of policies, then click Next.
  3. On the Policy Name/Description page, enter a name (for example, "Approval Policy for Production"), and an optional description, then click Next.
  4. On the Choose a Target page, expand the Infrastructure tree if required, and select the infrastructure elements to which you want the policy to apply, then click Next.

    You can't select a folder as a target.

  5. On the Configure the Policy page, to configure the policy but keep it turned off until you are ready to enable it, make sure Enable policy is unchecked.
  6. From Take Action, choose one of the following options:

    When you click:

    After you enable the policy and if the policy is triggered, the result is:

    Notification Only

    No action is taken. An alert is created, notifying you that the policy has triggered. See also Subscribing to Policy Alerts.


    The VM is quarantined if the policy is triggered.

    Note: If you include this action in a policy targeting services in a managed system other than vCenter, the action will fail.


    The VM is suspended (saved in its current state).

    Not supported for VMs in public cloud managed systems. If you include this action in a policy targeting services in a public cloud managed system, the action will fail.


    The Guest OS is shut down.

    Remove from Inventory

    The VM is removed from inventory. Note that the file remains in the datastore.

    Note: If you include this action in a policy targeting services in a managed system other than vCenter, the action will fail.

    Delete from Disk

    The VM and its associated files are deleted permanently from the disk.

    When you delete a VM from disk, the files are permanently deleted. They can't be recovered unless you have a backup copy.

    When all VMs are deleted from a virtual service through a policy action (that is, when VMs are deleted by a policy action or by a command workflow attached to an expiry policy), the empty virtual service is not automatically deleted unless it too is targeted by policy.

    Run [Workflow]

    Existing command workflows appear for selection, organized by target type. If the policy is triggered, the selected workflow is run.

    You must choose a workflow with a target type that matches the target of the policy; otherwise, the workflow will fail. For example, if the selected workflow's target type is "VM", the workflow will fail if the policy targets a database. A workflow with a target type of "Any Inventory Type" can be run on all service types.

    Click Add Workflow to set up a new command workflow.

  7. To send an alert to an SNMP trap listener if you have SNMP configured, enable Send Alert via SNMP.
  8. Enable or clear the last checkbox to set whether you want to allow children of the targets to have their own instance of the policy.

    If you enable this option, other instances of this policy can be applied to any infrastructure elements and VMs that are children of the parent infrastructure element you have selected (an override).

  9. On the Summary page, the summary of your policy options appears.

    If you have enabled the policy and as a result, any VMs are going to be immediately affected by it, Commander displays the number of affected VMs.

    To see what VMs are affected by the policy actions you selected, click Review, then click OK to return to the summary.

  10. Click Finish to complete the configuration.

    Your policy options are now set in Commander.

Determining whether VMs inherit the approval state

Access through:

Configuration > Policies > Approval Inheritance tab

Available to:

Commander Role of Superuser and Enterprise Admin

When a VM is deployed from a template or cloned from another VM, the newly created VM automatically inherits the attributes that were applied to the parent template or VM or source template.

To make sure that newly cloned or deployed VMs automatically inherit the approval state of their parents, enable each rule.

If a parent VM or template is not approved, newly created VMs provisioned from the parents will automatically be set to non-approved.