Solved: ISE Never Purge Policy

dm2020 · ‎05-25-2022

Hi All,

I need to configure a purging rule in ISE to remove any unknown or profiled endpoints that have been inactive for 30+ days which seems to be simple enough. What I want to ensure is that endpoints that are statically assigned to identity groups, such as for CCTV cameras, door entry readers etc, are never purged. Referencing the Unknown and Profiled endpoint groups for my purge policy should be enough to do this, but I also want to configure a Never Purge policy just to be on the cautious side.

All of our statically assigned wired endpoints are assigned to identity groups under parent group 'MAB_Endpoints'. If I create a Never Purge policy that just references identity group 'MAB_Endpoints', will this be enough to ensure that endpoints in all child groups are never purged or do I need to create a Never Purge policy for all child groups? I hope that makes sense

thomas · ‎05-29-2022

Your statically-assigned endpoints are under MAB_Endpoints, not Profiled so this should work:

View solution in original post

Marcelo Morais · ‎05-26-2022

Hi @dm2020 ,

if my understanding is correct ... you would like to (at Administration > Identity Management > Settings > Endpoint Purge

NeverPurgeRule - CCTV

Condition = (Endpoint Identity Groups.Profiled.CCTV)

PurgeRule - Unknown & Inactive

Condition = (Endpoint Identity Groups.Unknown) and (EndpointPurge InactiveDays GreaterThan 30)

PurgeRule - Profiled & Inactive

Condition = (Endpoint Identity Groups.Profiled) and (EndpointPurge InactiveDays GreaterThan 30)

Note: about " ... will this be enough to ensure that Endpoints in all Child groups are never purge ...", after a very quick test, IMO, the answer is Yes (please double check the purge at Operations > Reports > Reports > Audit > Endpoints Purge Activities).

Hope this helps !!!

thomas · ‎05-29-2022

Your statically-assigned endpoints are under MAB_Endpoints, not Profiled so this should work: