Deployment of Cisco AMP for Endpoints with Identity Persistence

daniel.devries · ‎11-13-2017

My main question: is there a way to automatically remove inactive computers from the console (to free up the licenses)? For instance, if a client has not connected to the service for 90 days, then remove it.

I've noticed a large number of duplicate endpoints in my Computers list. It appears that in each case, one of the entries is old. There are also quite a few old, decommissioned computers that were never removed. I can delete the Computer objects from the AMP console, but that is a tedious manual process.

Related issue:

It appears that if I delete a Computer from the AMP console without uninstalling the client, then power on that endpoint later, it never gets added back. From the client side, it says that the policy is up to date and status is "Connected". However, from the console, the Computer cannot be found. As of now this isn't a huge issue, but if I start bulk-deleting "inactive" Computers from the console, this may become a problem for me.

I'm hoping someone in this community may have a workable solution for this. Thanks in advance for any help!

David Janulik · ‎11-14-2017

Hi,

duplicates usually need to be removed with customer permission through TAC or TIer3 support. Yes duplicates eat licences and the reason for them is wrong approach to deploy connectors.

To answer your question with deleting connectors not seen over 90 days, please see attached screenshot. This gives you ability to select all filtered ones and delete.

Cheers

David

Cyber security escalation engineer

View solution in original post

David Janulik · ‎11-14-2017

Hi,

duplicates usually need to be removed with customer permission through TAC or TIer3 support. Yes duplicates eat licences and the reason for them is wrong approach to deploy connectors.

To answer your question with deleting connectors not seen over 90 days, please see attached screenshot. This gives you ability to select all filtered ones and delete.

Cheers

David

Cyber security escalation engineer

daniel.devries · ‎11-14-2017

If I remove a computer from the console and that computer tries to re-connect at some point, would I need to reinstall the client software, or would it add itself back into the console?

Thanks for the response. We'll take a closer look at our deployment methods and see if we can avoid the duplicates in the future.

David Janulik · ‎11-14-2017

Yes, I've just tested it. Removing from dashboard, did a reboot of the computer, which generated a registration attempt and the computer is back to the dashboard.

David

Cyber security escalation engineer

Anders P. · ‎01-10-2018

In these times we are reinstalling some computers due to virus detections.

I see a lot of dublets/triplets from computers that have had problems.

I nees a way to detect and remove the old instance of the same computer, fast. waiting 7/30/60 days will not only show the dublets.

I have 1200+ that will be upgraded to Win 10, have the same name, but new instance.

is there an operational way to do this? :-)

BR

Anders

vegase001 · ‎03-26-2018

David, can you expain what ' wrong approach to deploy connectors' means?

xbenitezm · ‎06-22-2019

Hello there vegase001. I guess he is reffering to this:

Deployment of Cisco AMP for Endpoints with Identity Persistence

https://www.cisco.com/c/en/us/support/docs/security/advanced-malware-protection-endpoints/200318-Deployment-of-Cisco-AMP-for-Endpoints-wi.html

So there is a way to keep track of a computer bye its Mac Address or hostname in order to prevent duplicates.

mcantu · ‎04-24-2020

So if you are using VDI I would deploy policy by hostname so duplicates aren't created.

Inactive AMP Endpoints and Reconnecting to Console

Deployment of Cisco AMP for Endpoints with Identity Persistence