I'm not sure if this possible so if someone could help me that would be good.
We want to lock down our ISE policies so that unauthenticated machines get very limited access. However our desktop support team still wants to be able to build PCs at desks.
To do this they need access to loads of AD and SCCM servers, which the unauth acl will not allow them to access.
They are happy to add the endpoints manually into a specific group. But may forget to take them out after the machine has been built - is it possible to automatically remove any endpoint in a specified group on a scheduled basis?