Posted on 12-08-2020 11:24 AM
On Windows devices, its easy to break domain trust after a certain period of time, and I understand the impact that will have on the device. This makes it easier to protect data on old machines that a random associate might decide to "keep" after it sits in their drawer unused for a few years.
I want to come up with a similar process for our Macs in Jamf to make up for a few shortfalls with our internal asset management system. What I would like is a way to purge inactive machines, knowing that they can't come back to bite me. Quick note that this primarily applies to my older, self-enrolled devices, and that this isn't much concern on newer devices.
For example, if I delete all machines in my inventory that haven't checked in for over a year, what impact will there be next time the device is used? Right now, I would expect given the time, it would need a filevault key to get into as no one will know a valid login password. The key would be gone from the Jamf database and the device would need to be reimaged, which is the exact state I desire. Now imagine a scenario where someone remembers their password and gets in - is there any real risk there? The MDM profile should have trust broken at this point from my understanding, and this will also break conditional access on o365, basically invalidating all access to company resources. If this is being used for legitimate work purposes, they will call the help desk and have it reimaged, as we want. Otherwise, it will just function as a normal machine without access to the company network. at the same time, all of our security software will still be running quietly in the background until the user decides to wipe it.
Are my assumptions correct? Does anyone do anything similar? I have an inactive group already, but we are currently looking at our renewal cost and license needs. It isn't doing me any good at the moment to be paying for licenses for machines that have been sitting in my inactive group for 2 years.