Deleting my devices registered by disabled/locked AD user

Devrat Kamath
Cisco Employee

Hi Experts,

I have a customer running ISE 2.2 moving from 1.2 -> 1.4 -> 2.2.

They've been using the My Devices portal to allow employees to log in to the portal using their AD credentials and register devices to use on the network.  Their authorization is set up to look at membership of the MyDevices endpoint ID group and the called station ID for the SSID, so potentially disabled/locked AD users might have endpoints that can still get on the network.

While we have other workarounds like setting up exception policies for specific Endpoint:PortalUser attribute, the customer is asking if there is a way to identify and delete these endpoints (other than purge).  I'm sure we should be able to do this via API by filtering for specific PortalUsers and running delete ops on those returned endpoints but that is not something the customer has the capability for. I cannot think of any other way to find and delete endpoints belonging to disabled AD users and it'd be great if anyone has any suggestions that might help here.

Thanks!

Accepted Solutions

Timothy Abbott
Cisco Employee

Aside from purge or API, I can't think of any other way to do what you are asking.  You can always reach out to our PM team with customer details and use case so that we can file an enhancement request.

Regards,

-Tim

Thanks Tim.  We have decided to take the API route but I will work on filing an enhancement request around this.
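
The API route discussed in this thread, sketched as an added example that is not part of the original posts and is not Cisco's code: it takes an AD export, picks the disabled or locked accounts, asks the ISE ERS API for the endpoints each one registered, and builds a dry-run list of DELETE targets. Assumptions to check against the deployment's own ERS SDK page: the /ers/config/endpoint resource on port 9060, the portalUser.EQ filter, and that portalUser holds the sAMAccountName; all function names and the sample data are hypothetical.

```python
import json
import urllib.parse
import urllib.request

UAC_ACCOUNTDISABLE = 0x0002  # AD userAccountControl bit: account disabled

def is_blocked(ad_user):
    """Disabled, or lockoutTime non-zero (AD can keep it set after the lockout expires)."""
    disabled = int(ad_user.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE
    return bool(disabled) or int(ad_user.get("lockoutTime") or 0) > 0

def ers_call(url, auth_header, method="GET"):
    """Real transport (not used offline): one ERS request, parsed JSON or None."""
    req = urllib.request.Request(url, method=method, headers={
        "Accept": "application/json", "Authorization": auth_header})  # "Basic <base64>"
    with urllib.request.urlopen(req) as resp:  # default TLS verification stays on
        body = resp.read()
    return json.loads(body) if body else None

def endpoints_for_user(base_url, user, fetch):
    """(id, mac) of every endpoint whose portalUser equals `user`, following paging."""
    # Assumed resource path and filter field; confirm in the ERS SDK for your version.
    url = f"{base_url}/ers/config/endpoint?filter=portalUser.EQ.{urllib.parse.quote(user)}&size=100"
    found = []
    while url:
        result = fetch(url)["SearchResult"]
        found += [(r["id"], r["name"]) for r in result.get("resources", [])]
        url = (result.get("nextPage") or {}).get("href")
    return found

def plan_deletions(base_url, ad_users, fetch):
    """Dry-run list of (user, mac, DELETE url); review before ers_call(url, hdr, "DELETE")."""
    plan = []
    for u in filter(is_blocked, ad_users):
        for ep_id, mac in endpoints_for_user(base_url, u["sAMAccountName"], fetch):
            plan.append((u["sAMAccountName"], mac, f"{base_url}/ers/config/endpoint/{ep_id}"))
    return plan

# Constructed sample data: an AD export and an offline stand-in for the ERS responses.
SAMPLE_AD = [{"sAMAccountName": "alice", "userAccountControl": 512},
             {"sAMAccountName": "bob", "userAccountControl": 514},
             {"sAMAccountName": "carol", "userAccountControl": 512, "lockoutTime": 131500000000000000}]
SAMPLE_ENDPOINTS = {"alice": [("id-a1", "AA:AA:AA:00:00:01")],
                    "bob": [("id-b1", "BB:BB:BB:00:00:01"), ("id-b2", "BB:BB:BB:00:00:02")]}

def fake_fetch(url):
    flt = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["filter"][0]
    rows = SAMPLE_ENDPOINTS.get(flt.split(".EQ.", 1)[1], [])
    return {"SearchResult": {"resources": [{"id": i, "name": m} for i, m in rows]}}
```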