in ISE 2.X how do you delete a single MAR cache entry?

ben.posner
Level 1

Anyone know how to manually clear an endpoint in ISE 2.1 so that it will not be recognized in ISE as having a valid MAR entry?

we're testing a new ISE 2.1 cluster for production deployment. I am mainly using virtual machines and a plethora of USB network adapters both wired and wireless across several windows and osx versions. this generally works fine.

however today i noticed while trying to test a non-domain joined VM against my 'whitelist' policies that the host was actually being caught by the normal domain attached ruleset that uses MAR. i was shocked. in previous ISE versions i would have workstations totally unable to use MAR at all for no apparent reason. so when this version actually used MAR when i DIDN'T want it to i about fell to the floor laughing.

now in previous versions, i would go find the endpoint mac and then delete the device from the endpoint store in ISE. this was more than enough to have the device get re-profiled by ISE and i was on my way. but it didn't work this time in 2.1. i tried deleting the endpoint and on a subsequent reboot of my test VM it was again processed thru my domain ruleset because ISE saw the endpoint had been previously authenticated. i tried deleting the endpoint again but got the same result.

the only way i have found thus far to 'purge' the MAR cache is to actually disable the entire feature in the external identity store advanced settings and then re-enable it. but that's ridiculous and in a production environment would cause the entire MAR cache to disappear forcing all of my users to log off and back on again, or reboot, etc.

there's gotta be a better way!
