In this article, you learn how to efficiently manage stale devices in your environment.

Ideally, to complete the lifecycle, registered devices should be unregistered when they aren't needed anymore. Because of lost, stolen, or broken devices, or OS reinstallations, you'll typically have some stale devices in your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that actually require management.

## What is a stale device?

A stale device is a device that has been registered with Azure AD but hasn't been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:

- Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.
- An increased number of devices creates unnecessary device writebacks, increasing the time for Azure AD Connect syncs.
- As a general hygiene measure and to meet compliance requirements, you may want to have a clean state of devices.

Stale devices in Azure AD can interfere with the general lifecycle policies for devices in your organization.

## Detect stale devices

Because a stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp or activity timestamp. If the delta between now and the value of the activity timestamp exceeds the timeframe you've defined for active devices, a device is considered to be stale.

This activity timestamp is now in public preview.

### How is the value of the activity timestamp managed?

The evaluation of the activity timestamp is triggered by an authentication attempt of a device. Azure AD evaluates the activity timestamp when:

- A Conditional Access policy requiring managed devices or approved client apps has been triggered.
- Windows 10 or newer devices that are either Azure AD joined or hybrid Azure AD joined are active on the network.
- Intune managed devices have checked in to the service.

If the delta between the existing value of the activity timestamp and the current value is more than 14 days (+/-5 day variance), the existing value is replaced with the new value.

You have two options to retrieve the value of the activity timestamp:

To efficiently clean up stale devices in your environment, you should define a related policy. This policy helps you to ensure that you capture all considerations that are related to stale devices. The following sections provide you with examples for common policy considerations.

If your organization uses BitLocker drive encryption, you should ensure that BitLocker recovery keys are either backed up or no longer needed before deleting devices. Failure to do this may cause loss of data.

To update a device in Azure AD, you need an account that has one of the following roles assigned:

In your cleanup policy, select accounts that have the required roles assigned.

## Timeframe

Define a timeframe that is your indicator for a stale device. When defining your timeframe, factor the window noted for updating the activity timestamp into your value. For example, you shouldn't consider a timestamp that is younger than 21 days (includes variance) as an indicator for a stale device. There are scenarios that can make a device look stale while it isn't. For example, the owner of the affected device can be on vacation or on sick leave that exceeds your timeframe for stale devices.

It isn't advisable to immediately delete a device that appears to be stale, because you can't undo a deletion if there's a false positive. As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.

If your device is under control of Intune or any other MDM solution, retire the device in the management system before disabling or deleting it. For more information, see the article Remove devices by using wipe, retire, or manually unenrolling the device.
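As an added example (not code from the article, and not Microsoft's own tooling), the following Python models the policy decisions the article describes: the 14-day refresh rule for the activity timestamp, the 21-day floor on the stale timeframe, and the retire-in-MDM, disable, grace-period, BitLocker-check, delete sequence. The `Device` and `Policy` classes, the action names and the sample device list are constructed for illustration; nothing here talks to Azure AD, and real timestamps would come from whichever retrieval option you use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Values taken from the article: the stored activity timestamp is only
# rewritten when it is more than 14 days old (+/-5 day variance), so a
# timestamp younger than 21 days is not evidence that a device is stale.
TIMESTAMP_REFRESH_DAYS = 14
MIN_STALE_DAYS = 21


@dataclass
class Device:
    """Constructed device record for the example (not an Azure AD object)."""
    display_name: str
    activity_timestamp: Optional[datetime]   # None: no activity ever recorded
    account_enabled: bool
    mdm_managed: bool                        # under Intune or another MDM
    bitlocker_keys_handled: bool             # recovery keys backed up or not needed
    disabled_since: Optional[datetime] = None


@dataclass(frozen=True)
class Policy:
    stale_after_days: int     # timeframe after which a device counts as stale
    disable_grace_days: int   # how long a device stays disabled before deletion

    def __post_init__(self) -> None:
        # Enforce the 21-day floor so the refresh window can never be
        # mistaken for inactivity.
        if self.stale_after_days < MIN_STALE_DAYS:
            raise ValueError(
                f"stale timeframe must be at least {MIN_STALE_DAYS} days, "
                f"got {self.stale_after_days}"
            )


def timestamp_needs_refresh(existing: Optional[datetime], now: datetime) -> bool:
    """Model of the update rule: the stored value is replaced only when the
    new sign-in is more than 14 days after it (the variance is ignored here)."""
    if existing is None:
        return True
    return now - existing > timedelta(days=TIMESTAMP_REFRESH_DAYS)


def next_action(device: Device, policy: Policy, now: datetime) -> str:
    """Return the next cleanup step for one device.

    Order follows the article: MDM-managed devices are retired in the MDM
    first, devices are disabled before deletion, the grace period is waited
    out, and BitLocker keys are checked before the irreversible delete.
    """
    if device.activity_timestamp is None:
        return "review"   # assumption: no timestamp at all, decide manually
    if now - device.activity_timestamp < timedelta(days=policy.stale_after_days):
        return "keep"
    if device.mdm_managed:
        return "retire-in-mdm"
    if device.account_enabled:
        return "disable"
    if (device.disabled_since is None
            or now - device.disabled_since < timedelta(days=policy.disable_grace_days)):
        return "wait"
    if not device.bitlocker_keys_handled:
        return "backup-bitlocker-keys"
    return "delete"


def plan_cleanup(devices: List[Device], policy: Policy, now: datetime) -> Dict[str, str]:
    """Map every device name to its next action under the policy."""
    return {d.display_name: next_action(d, policy, now) for d in devices}


# Constructed sample data; a fixed "now" keeps the results reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = Policy(stale_after_days=90, disable_grace_days=30)


def _days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


SAMPLE_DEVICES = [
    Device("lt-active", _days_ago(10), True, False, True),
    Device("lt-stale-intune", _days_ago(120), True, True, True),
    Device("lt-stale", _days_ago(120), True, False, True),
    Device("lt-disabled-recent", _days_ago(120), False, False, True, _days_ago(10)),
    Device("lt-disabled-nokeys", _days_ago(200), False, False, False, _days_ago(45)),
    Device("lt-disabled-ready", _days_ago(200), False, False, True, _days_ago(45)),
    Device("lt-no-timestamp", None, True, False, True),
]

if __name__ == "__main__":
    for name, action in plan_cleanup(SAMPLE_DEVICES, POLICY, NOW).items():
        print(f"{name:22} -> {action}")
```

A disabled device cannot authenticate, so its activity timestamp never refreshes; when a "stale" device turns out to be a false positive (the owner was away), the admin re-enables it and the next evaluation returns it to `keep` as soon as it signs in again. That is exactly why the disable step sits before the delete step.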