I'm looking for some guidance and ideas here. I'm looking at a deployment with close to 5 million total endpoints and it's going to surpass that shortly. I want to build out some endpoint purge policies, and the concept is simple enough, but I'm facing a bit of a pickle.
I can't see a way to dynamically exclude endpoints that are statically assigned to identity groups. I can add every identity group used for statically assigning endpoints, but if someone creates a new one, it's likely they will forget that there is a purge policy that will catch it. Is there any option to build a purge exclusion expression to catch statically assigned endpoints? Additionally, is there any way we can exclude endpoints that have a description entered?
I was thinking of appending a common identifier to all the identity groups used for static assignment and modifying all the MAB policies. It still doesn't fix other admins mistakenly creating identity groups without this tag, but at least I could create a single exclusion rule based on "contains xxxx".
Any alternatives?
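One alternative to relying on a naming convention is to audit the deployment itself: pull the endpoint records, derive the set of identity groups that actually hold statically assigned endpoints, and flag any group that is not on the purge policy's exclusion list, so a group an admin created last week is caught before the purge runs. The script below is an added example and is not part of the original post or any Cisco tooling. It operates on endpoint records shaped like the ISE ERS `endpoint` resource (the field names `mac`, `description`, `groupId` and `staticGroupAssignment` are assumed from that resource); the sample records are constructed, and the `ers_iter_endpoints` helper is a hypothetical sketch of how the same records could be fetched from a live node (paged list, then one GET per id), which is not exercised offline.

```python
"""Audit helper for ISE endpoint purge exclusions (added example, not from the post).

Works on endpoint records shaped like the ISE ERS ``endpoint`` resource:
``mac``, ``description``, ``groupId``, ``staticGroupAssignment`` (field names
assumed from that resource). Sample records below are constructed.
"""
import base64
import json
import urllib.request
from collections import defaultdict


def ers_iter_endpoints(base_url, username, password, page_size=100):
    """Yield full endpoint records from a live ISE node.

    Hypothetical helper, not run offline. Assumed flow: paged list at
    /ers/config/endpoint, then a GET of each resource's ``link.href`` for the
    full attribute set; ``nextPage.href`` drives pagination.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Authorization": f"Basic {token}"}

    def get(url):
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    url = f"{base_url}/ers/config/endpoint?size={page_size}"
    while url:
        page = get(url)["SearchResult"]
        for item in page.get("resources", []):
            yield get(item["link"]["href"])["ERSEndPoint"]
        url = page.get("nextPage", {}).get("href")


def is_protected(ep):
    """True for endpoints the purge must never remove: statically assigned to an
    identity group, or carrying an operator-entered (non-blank) description."""
    static = bool(ep.get("staticGroupAssignment"))
    described = bool((ep.get("description") or "").strip())
    return static or described


def audit_purge_exclusions(endpoints, excluded_group_ids):
    """Split endpoints into protected vs. purgeable and report identity groups
    that contain statically assigned endpoints but are absent from the purge
    policy's exclusion list (the "someone created a new group" failure mode).

    Returns a dict with keys ``protected``, ``purgeable`` (lists of MACs) and
    ``unexcluded_static_groups`` (groupId -> count of static members).
    """
    excluded = set(excluded_group_ids)
    protected, purgeable = [], []
    static_members = defaultdict(int)
    for ep in endpoints:
        if ep.get("staticGroupAssignment"):
            static_members[ep["groupId"]] += 1
        (protected if is_protected(ep) else purgeable).append(ep["mac"])
    missing = {g: n for g, n in static_members.items() if g not in excluded}
    return {
        "protected": protected,
        "purgeable": purgeable,
        "unexcluded_static_groups": missing,
    }


# Constructed sample records for an offline run (not real endpoint data).
SAMPLE_ENDPOINTS = [
    {"mac": "00:11:22:33:44:01", "groupId": "grp-printers", "staticGroupAssignment": True, "description": ""},
    {"mac": "00:11:22:33:44:02", "groupId": "grp-printers", "staticGroupAssignment": True, "description": "HQ lobby printer"},
    {"mac": "00:11:22:33:44:03", "groupId": "grp-newcams", "staticGroupAssignment": True, "description": ""},
    {"mac": "00:11:22:33:44:04", "groupId": "grp-profiled", "staticGroupAssignment": False, "description": "keep: lab PLC"},
    {"mac": "00:11:22:33:44:05", "groupId": "grp-profiled", "staticGroupAssignment": False, "description": ""},
]
# Groups currently listed as exclusions in the purge policy (constructed).
EXCLUDED_GROUPS = ["grp-printers"]

if __name__ == "__main__":
    print(json.dumps(audit_purge_exclusions(SAMPLE_ENDPOINTS, EXCLUDED_GROUPS), indent=2))
```

Run the audit on a schedule and alert whenever `unexcluded_static_groups` is non-empty; that turns the "admin forgot the purge policy" risk into a ticket instead of a lost static assignment. At 5 million endpoints a per-id GET is expensive, so feed the functions from a bulk export of the same fields rather than walking the API on every run, and treat a blank description as "no description" (as `is_protected` does) so a stray space does not shield an endpoint from the purge.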