https://community.cisco.com/t5/network-access-control/exclude-endpoints-statically-assigned-to-identity-groups-from/m-p/3852755#M473254 <P>I'm looking for some guidance and ideas here.&nbsp; I'm looking at a deployment with close to 5 million total endpoints and it's going to surpass that shortly.&nbsp; I want to build out some endpoint purge policies, and the concept is simple enough, but I'm facing a bit of a pickle.</P> <P>I can't see a way to dynamically exclude endpoints that are statically assigned to identity groups.&nbsp; I can add every identity group used for statically assigning endpoints, but if someone creates a new one, it's likely they will forget that there is a purge policy that will catch it.&nbsp; Is there any option to build a purge exclusion expression to catch statically assigned endpoints?&nbsp;Additionally, is there any way we can exclude endpoints that have a description entered?&nbsp;&nbsp;</P> <P>I was thinking of appending a common identifier to all the identity groups used for static assignment and modifying all the mab policies.&nbsp; It still doesn't fix other admins mistakenly creating identity groups without this tag, but at least I could create a single exclusion rule based on "contains xxxx".</P> <P>Any alternatives?&nbsp;</P> Wed, 08 May 2019 23:21:50 GMT Damien Miller 2019-05-08T23:21:50Z https://community.cisco.com/t5/network-access-control/exclude-endpoints-statically-assigned-to-identity-groups-from/m-p/3852755#M473254 <P>I'm looking for some guidance and ideas here.&nbsp; I'm looking at a deployment with close to 5 million total endpoints and it's going to surpass that shortly.&nbsp; I want to build out some endpoint purge policies, and the concept is simple enough, but I'm facing a bit of a pickle.</P> <P>I can't see a way to dynamically exclude endpoints that are statically assigned to identity groups.&nbsp; I can add every identity group used for statically assigning endpoints, but if someone creates a new one, it's likely they will forget that there is a purge policy that will catch it.&nbsp; Is there any option to build a purge exclusion expression to catch statically assigned endpoints?&nbsp;Additionally, is there any way we can exclude endpoints that have a description entered?&nbsp;&nbsp;</P> <P>I was thinking of appending a common identifier to all the identity groups used for static assignment and modifying all the mab policies.&nbsp; It still doesn't fix other admins mistakenly creating identity groups without this tag, but at least I could create a single exclusion rule based on "contains xxxx".</P> <P>Any alternatives?&nbsp;</P> Wed, 08 May 2019 23:21:50 GMT https://community.cisco.com/t5/network-access-control/exclude-endpoints-statically-assigned-to-identity-groups-from/m-p/3852755#M473254 Damien Miller 2019-05-08T23:21:50Z https://community.cisco.com/t5/network-access-control/exclude-endpoints-statically-assigned-to-identity-groups-from/m-p/3852813#M473255 Hi<BR /><BR />Not sure it will help but I got kind of same request which I wasn’t able to manage directly from ISE purge feature.<BR />Instead we went with another approach by using APIs. You’ll be able to see if the device is statically assigned, if it has a specific description and based on your get endpoint, you’ll be able to delete all that don’t matter for you.<BR /> Thu, 09 May 2019 02:18:01 GMT https://community.cisco.com/t5/network-access-control/exclude-endpoints-statically-assigned-to-identity-groups-from/m-p/3852813#M473255 Francesco Molino 2019-05-09T02:18:01Z