
Removal of inactive devices

You must be an Admin or Super Admin to use this feature.

You can configure Sophos Central to remove devices automatically if they've been inactive for a specified length of time.

Removing devices means that they'll no longer be listed on the Devices page and won't be managed by Sophos Central.

Removal doesn't delete Sophos software from the devices. You can do that before removal or afterwards. If you do it after removal, you need a password. See Delete Sophos software left on devices.

You might need to remove devices because they're not used anymore, because users have left the organization, or because you've set up devices for testing only.

You set up automatic removal separately for endpoint computers and servers. The instructions here apply to both.

About removal rules

You can set up two removal rules:

  • Remove inactive devices in selected groups.
  • Remove all inactive devices, except devices you exclude.

You can set both rules but configure them to run after different periods of inactivity. Doing this lets you use them for different purposes. For example, you could do as follows:

  • Use the "selected groups" rule to remove devices in a test group after 14 days of inactivity.
  • Use the "remove all" rule to clean up all devices on the network that haven't been used for 365 days.

Remove inactive devices in selected groups

Removal of devices in selected groups might not be available for all customers yet.

Set up automatic removal of devices in groups you select.

  1. Go to My Products > General Settings.
  2. Go to the Endpoint Protection or Server Protection section.
  3. Click Removal of Inactive Devices.
  4. Turn on removal as follows:

    1. Turn on Remove inactive computers in selected groups or the equivalent for servers.
    2. In Days inactive, enter 14 days or more.
    3. In Comment, add a reminder of why you turned on the setting or when you should review it.
    4. Click Save.

    Removal of inactive devices in groups.

We'll now check for inactive computers every 24 hours, at midnight, for the data region your account uses. We'll remove all that match your settings the same night, if possible.

Remove all inactive devices

You can set up removal of all inactive devices.

Before you start, consider whether there are devices you don't want to remove. For example, you might have devices used as an update cache or message relay. You can exclude devices from removal. See Exclude devices from removal.

To turn on removal of all inactive devices, do as follows:

  1. Go to My Products > General Settings.
  2. Go to the Endpoint Protection or Server Protection section.
  3. Click Removal of Inactive Devices.
  4. Turn on removal as follows:

    1. Turn on Remove all inactive computers or the equivalent for servers.
    2. In Days inactive, enter 14 days or more.

      You must select a number of days that is greater than the number of days for your selected groups rule. Otherwise, the selected groups rule will never be triggered.

    3. In Comment, add a reminder of why you turned on the setting or when you should review it.

    4. Click Save.

    Removal of all inactive devices.

We'll now check for inactive computers every 24 hours, at midnight, for the data region your account uses. We'll remove all that match your settings the same night, if possible.

Exclude devices from removal

Exclusions don't apply to removal of devices in selected groups.

If you have devices that you don't want to remove, put them in a special group or groups and exclude those groups.

Excluding a group doesn't automatically exclude its sub-groups. You must exclude sub-groups manually.

You can exclude up to four groups. Sub-groups count towards the maximum of four.

To exclude a group, do as follows:

  1. On the Removal of inactive devices page, make sure you've turned on Remove all inactive computers or the equivalent for servers.
  2. Go to Exclusions.
  3. Find the group in the list of available groups and do as follows:

    1. Move the group to Excluded computer groups or the equivalent for servers.
    2. Click Save.

    Selector for exclusions.
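
The interaction between the two rules, the 14-day minimum and the exclusion limits described above can be checked as a dry run before you turn removal on. This is an added example, not Sophos code or a Sophos API: the config keys, device fields and sample inventory are constructed, and "inactive" is assumed to mean at least the configured number of days since last activity.

```python
from datetime import date

# Hypothetical model, not a Sophos API: the config keys and device fields
# below are invented for this sketch.
MIN_DAYS = 14      # page: "enter 14 days or more"
MAX_EXCLUDED = 4   # page: up to four excluded groups, sub-groups count

def validate(cfg):
    """Return a list of problems with a removal configuration."""
    problems = []
    g, a = cfg.get("group_days"), cfg.get("all_days")
    for name, days in (("group_days", g), ("all_days", a)):
        if days is not None and days < MIN_DAYS:
            problems.append(f"{name} must be {MIN_DAYS} or more")
    if g is not None and a is not None and a <= g:
        problems.append("all_days must be greater than group_days")
    if len(cfg.get("excluded", ())) > MAX_EXCLUDED:
        problems.append(f"at most {MAX_EXCLUDED} excluded groups")
    return problems

def preview(devices, cfg, today):
    """Map device name -> rule that would remove it (assumes idle >= N days)."""
    g, a = cfg.get("group_days"), cfg.get("all_days")
    out = {}
    for dev in devices:
        idle = (today - dev["last_active"]).days
        # Selected-groups rule: exclusions do not apply to it.
        if g is not None and dev["group"] in cfg.get("selected", ()) and idle >= g:
            out[dev["name"]] = "selected groups"
        # Remove-all rule: only groups excluded by exact path are skipped,
        # because excluding a parent does not exclude its sub-groups.
        elif a is not None and idle >= a and dev["group"] not in cfg.get("excluded", ()):
            out[dev["name"]] = "remove all"
    return out

# Constructed sample inventory; names, groups and dates are illustrative.
TODAY = date(2024, 6, 1)
DEVICES = [
    {"name": "test-vm-01", "group": "Test", "last_active": date(2024, 5, 10)},
    {"name": "cache-01", "group": "Infra", "last_active": date(2023, 1, 5)},
    {"name": "relay-02", "group": "Infra/Relays", "last_active": date(2023, 1, 5)},
    {"name": "laptop-77", "group": "Sales", "last_active": date(2023, 4, 1)},
    {"name": "laptop-78", "group": "Sales", "last_active": date(2024, 5, 30)},
]
CONFIG = {"selected": {"Test"}, "group_days": 14,
          "all_days": 365, "excluded": {"Infra"}}

if __name__ == "__main__":
    print(validate(CONFIG) or "config OK")
    print(preview(DEVICES, CONFIG, TODAY))
```

In the sample, `cache-01` is protected by the `Infra` exclusion, but `relay-02` in the sub-group `Infra/Relays` is not, so it shows up under the "remove all" rule.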

Check which devices were removed

To see devices that were removed, go to Reports > Reports > Endpoint & Server Protection and click Restore deleted devices and recover Tamper Protection passwords.

The list shows devices removed automatically, as well as devices removed by admins.

Devices stay in the list for 180 days. You can restore them for the first 30 days.

List of recently deleted devices.

Delete Sophos software left on devices

To delete Sophos software you've left on removed devices, you need the Tamper Protection password for each device. To recover the password, do as follows:

  1. Go to Reports > Reports > Endpoint & Server Protection and click Restore deleted devices and recover Tamper Protection passwords.
  2. Find the devices.
  3. In the Tamper Protection password column, click Password details to see the password.

Restore deleted devices

You can restore devices for up to 30 days after removal.

Note

This feature doesn't restore update caches or message relays that were on the deleted devices. You can reinstall them after the devices have been restored.

To restore deleted devices, do as follows:

  1. Go to Reports > Endpoint & Server Protection > Restore deleted devices and recover Tamper Protection passwords.
  2. Select the devices and click Restore.