Jamf Pro Device Retention

Overview

Ideally, to complete the device lifecycle, devices should be removed from Jamf Pro when they are no longer actively in use. Jamf Pro stores device information that can become obsolete over time. As the period between check-ins gets longer, devices stray further from the current baseline security requirements. Additionally, all managed devices consume a license in Jamf Pro, regardless of whether they are actively checking in or not.

Locking, unmanaging, and deleting stale devices allows us to focus on what requires management, reduce licensing costs, generate more accurate compliance reports, and improve the security of the organization.

Retention Policy

Managed devices that are 1-3 months stale and have not been refreshed are considered non-compliant. These devices must be investigated by Ground Control to reestablish communication.

Managed devices that are 1-3 months stale and have been refreshed will be locked, then unmanaged in Jamf Pro.

Managed devices that are 3-6 months stale will be locked.

Managed devices that are 6 months - 1 year stale will be unmanaged.

Unmanaged devices that are more than 1 year stale will be deleted from Jamf Pro.

Locking stale devices

Locking stale devices allows us to secure the endpoint in a non-destructive manner as opposed to unmanaging or deleting a device.

By locking stale devices we ensure that they can no longer be used, thus protecting the organization from any unpatched security threats or unauthorized use.

Locked devices may be unlocked by requesting a code from the Ground Control team.

Unmanaging stale devices

The following is true for all unmanaged devices:

  • Jamf Pro stops performing management actions on the computer.
  • Jamf Pro stops consuming a license for that computer.
  • The computer is no longer counted in Smart Groups.
  • All components installed by Jamf Pro remain on the computer.
  • All inventory information associated with the computer remains intact (such as Recovery Lock keys, FileVault keys, and Activation Lock bypass codes).

Return to service for unmanaged or deleted devices

Before an unmanaged or deleted device may be redeployed, it must be re-enrolled in Jamf Pro. It is preferred to wipe the device and allow automated device enrollment to proceed normally. Alternatively, user-initiated enrollment may be used if you are unable to wipe the device.

If the Ground Control team does not have physical possession of a device to be re-enrolled, the employee with possession is responsible for communicating the device serial to Ground Control and taking all necessary steps to re-enroll and update the device.


Published Date
9-1-22