07-13-2022 08:55 AM
I have a bunch of endpoints that have failed for one reason or another. They are clogging up my CV and I want to get them purged automatically. You can see from the image that they fail at a point where they don't even hit a rule. There are some basic profiles being applied, but nothing too specific. Because the profiles are all over the place, I'm not able to get good endpoint purge rules created. Any idea on how I can either stop these from clogging up my CV or create a single purge rule to get them regularly removed?
07-13-2022 10:38 AM
I would recommend the "Inactive Days" attribute. If the endpoint hasn't been seen by ISE in X days, then delete. In theory, it shouldn't matter which authc/authz profile the endpoint hit.
07-13-2022 11:33 AM
Thanks, I use that attribute in other rules. I don't like creating blanket rules, however, because I have a ton of wired MAB. And using Inactive Days without another attribute would likely remove many of my static endpoints. This is a sticky situation because it's difficult for me to get my customers to tell me when a device is truly decommissioned vs temporarily out of service.
If I look at wireless alone, I don't have any statically assigned devices, so maybe I can create a purge rule using the attribute Device Type = Wireless combined with the Inactive Days attribute.
07-13-2022 06:59 PM
Hi @Josh Morris,
please try:
ENDPOINTPURGE.DeviceRegistrationStatus EQUALS NotRegistered
AND
ENDPOINTPURGE.InactiveDays GREATERTHAN <# of days>
Hope this helps!!!
07-14-2022 10:52 AM
Thanks. Does the Device Registration Status attribute translate to an endpoint being statically assigned to an Endpoint Identity Group? In other words, with the method you've recommended, would I be purging statically assigned endpoints?
07-14-2022 11:40 AM
AFAIK that registration attribute applies to BYOD flows. Not static group assignments. So as I understand it, yes you would be purging endpoints assigned to static groups. How many static groups do you have? Are you not using profiling?
07-14-2022 01:54 PM
I have more static groups than I'd care to admit. I could try to use more profiling in some instances (security cameras), but others are machines assigned to security zones, so there could be any number of devices types in those groups.
07-14-2022 04:36 PM
Just a warning on endpoint identity groups, the more you have the slower the ERS API runs. This is due to how the RBAC is evaluated while making API calls.
I have two suggestions that you could use here.
I honestly suggest purging all endpoints, static or not, but treating them differently. If an endpoint hasn't connected in 180 days, or whatever is deemed appropriate then purge it. This avoids having ID groups full of stale decommissioned endpoints with minimal risk and rework.
07-15-2022 06:12 AM
Your first option is interesting. I hadn't considered it. I was thinking about creating a parent group for all my static endpoint groups and adding that parent group to the purge exception list. But this would mean that I would never purge anything in that group. That's been the most difficult part of making this decision...I'm scared to purge a static endpoint that was somehow still in use.
I have been looking at endpoint purge in a more granular way, but you're showing me here that I can really get away with just two purge rules with this method. I've also been focusing on Elapsed Days instead of Inactive Days, but maybe I should switch that as well.
07-22-2022 08:18 AM - edited 07-22-2022 08:20 AM
Hi @Josh Morris,
about " ... Does the Device Registration Status attribute translate to an endpoint being statically assigned to an Endpoint Identity Group? ... ", you are correct: since a statically assigned endpoint has not been through the BYOD flow, the default state of the DeviceRegistrationStatus attribute is always Not Registered. In other words, DeviceRegistrationStatus is not an option for filtering out statically assigned endpoints.
Thanks!!!
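A dry-run of the two purge approaches discussed in this thread (the NotRegistered + InactiveDays rule above, and the "purge everything but treat static assignments differently" suggestion), as an added example that is not part of the original posts or of ISE itself. It runs over constructed endpoint records and reports which MACs each rule would delete, so the effect on statically assigned endpoints is visible before a rule is enabled; the field names and sample data are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple, Callable


@dataclass
class Endpoint:
    """Hypothetical endpoint record (field names are assumptions, not ISE's)."""
    mac: str
    static_group: Optional[str]   # identity group assigned by hand, or None
    registration_status: str      # "Registered" (BYOD flow) or "NotRegistered"
    inactive_days: int            # days since ISE last saw the endpoint
    device_type: str              # "Wireless" or "Wired"


def rule_not_registered(ep: Endpoint, days: int) -> bool:
    """Rule from the thread: DeviceRegistrationStatus EQUALS NotRegistered
    AND InactiveDays GREATERTHAN <days>. Static endpoints are NOT excluded,
    because they never went through BYOD and so are always NotRegistered."""
    return ep.registration_status == "NotRegistered" and ep.inactive_days > days


def rule_tiered(ep: Endpoint, dynamic_days: int = 30, static_days: int = 180) -> bool:
    """Purge every endpoint, but give static assignments a longer inactivity window."""
    limit = static_days if ep.static_group else dynamic_days
    return ep.inactive_days > limit


def dry_run(endpoints: List[Endpoint], rule: Callable, **kw) -> Tuple[List[str], List[str]]:
    """Return (all MACs the rule would purge, the subset that are static assignments)."""
    purged = [ep for ep in endpoints if rule(ep, **kw)]
    return [ep.mac for ep in purged], [ep.mac for ep in purged if ep.static_group]


# Constructed sample data: one static camera, one stale static zone device,
# one BYOD device, one dynamic wireless device and one recently seen endpoint.
SAMPLE = [
    Endpoint("AA:AA:AA:AA:AA:AA", "Cameras", "NotRegistered", 45, "Wired"),
    Endpoint("BB:BB:BB:BB:BB:BB", None, "NotRegistered", 45, "Wireless"),
    Endpoint("CC:CC:CC:CC:CC:CC", None, "Registered", 400, "Wireless"),
    Endpoint("DD:DD:DD:DD:DD:DD", "Zone-A", "NotRegistered", 200, "Wired"),
    Endpoint("EE:EE:EE:EE:EE:EE", None, "NotRegistered", 5, "Wired"),
]

if __name__ == "__main__":
    for name, rule, kw in [("NotRegistered > 30d", rule_not_registered, {"days": 30}),
                           ("tiered 30d/180d", rule_tiered, {})]:
        purged, static_hit = dry_run(SAMPLE, rule, **kw)
        print(f"{name}: purge {purged}; static assignments affected: {static_hit}")
```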