
Removal of inactive devices

You must be an Admin or Super Admin to use this feature.

You can configure Sophos Central to remove devices automatically if they've been inactive for a specified time.

Removing devices means they'll no longer be listed on the Devices page and won't be managed by Sophos Central.

Removal doesn't delete Sophos software from the devices. You can do that before removal or afterward. If you do it after removal, you need a password. See Delete Sophos software left on devices.

You might need to remove devices because they're not used anymore, because users have left the organization, or because you've set up devices for testing only.

You set up automatic removal separately for endpoint computers and servers. The instructions here apply to both.

About removal rules

You can set up two kinds of removal rule:

  • Groups-based rules: Rules that remove inactive devices in selected groups.
  • All-devices rule: The rule that removes all inactive devices, except devices you exclude.

You can use both kinds of rule, but configure them to run after different periods of inactivity. Doing this lets you use them for different purposes. For example, you could do as follows:

  • Use a groups-based rule to remove devices in a test group after 14 days.
  • Use the all-devices rule to clean up all devices on the network that haven't been used for 180 days.

Remove inactive devices in selected groups

Set up automatic removal of devices in groups you select.

You can set up two groups-based rules. For example, you could use one rule to remove virtual desktops after a few days, and another rule to remove other devices after a month.

To set up a rule, do as follows:

  1. Go to My Products > General Settings.
  2. Go to the Endpoint Protection or Server Protection section.
  3. Click Removal of Inactive Devices.
  4. Go to a Groups-based rule section and do as follows:

    1. Turn on Remove inactive computers in selected groups or the equivalent for servers.
    2. (Optional) Select Permanently remove VDI desktops to remove virtual desktops. You can't restore them later.
    3. In Days inactive, enter the number of days that devices must be inactive before we remove them.

      If you're an MSP or Marketplace customer, you must enter 31 days or more.

    4. In the list of available groups, find groups where you want to apply the rule and move them to the list of selected groups.


  5. (Optional) Create another groups-based rule.

  6. Click Save.

We'll now check for inactive computers every 24 hours at midnight for the data region your account uses. We'll remove all devices that match your settings the same night, if possible.

Remove all inactive devices

Set up removal of all inactive devices.

Before you start, consider whether there are devices you don't want to remove. For example, you might have devices used as an update cache or message relay. You can exclude devices from removal. See Exclude devices from removal.

To set up the all-devices rule, do as follows:

  1. Go to My Products > General Settings.
  2. Go to the Endpoint Protection or Server Protection section.
  3. Click Removal of Inactive Devices.
  4. Go to All-computers rule or the equivalent for servers, and do as follows:

    1. Turn on Remove all inactive computers or the equivalent for servers.
    2. (Optional) Select Permanently remove VDI desktops to remove virtual desktops. You can't restore them later.
    3. In Days inactive, enter the number of days that devices must be inactive before we remove them.

      You must select a number of days that is greater than the number of days for your groups-based rules. Otherwise, the groups-based rules will never be triggered.

      If you're an MSP or Marketplace customer, you must enter 31 days or more.


  5. Click Save.

We'll now check for inactive computers every 24 hours at midnight for the data region your account uses. We'll remove all devices that match your settings the same night, if possible.

Exclude devices from removal

Exclusions don't apply to removal of devices in selected groups.

If you have devices that you don't want to remove, put them in a special group or groups and exclude those groups.

Excluding a group doesn't automatically exclude its sub-groups. You must exclude sub-groups manually.

You can exclude up to four groups. Sub-groups count towards the maximum of four.

To exclude a group, do as follows:

  1. On the Removal of inactive devices page, make sure you've set up and turned on the All-computers rule or the equivalent for servers.
  2. Scroll down to Exclusions.
  3. Find the group in the list of available groups and move it to Excluded computer groups or the equivalent for servers.


  4. Click Save.
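
A dry-run model of the rules described above, as an added example that is not Sophos code: it checks a planned configuration against the limits on this page and shows which rule would remove each device in a constructed inventory. The names `Policy`, `validate` and `plan`, the group paths and the device names are hypothetical; matching a rule against the device's own group only, and treating "inactive" as idle days >= Days inactive, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Policy:
    group_rules: list                # [(days_inactive, {group, ...}), ...]
    all_days: Optional[int] = None   # None = all-devices rule is off
    excluded: set = field(default_factory=set)
    msp: bool = False                # MSP or Marketplace customer

def validate(p):
    """Check a policy against the limits stated on this page."""
    errs, days = [], [d for d, _ in p.group_rules]
    every = days + ([p.all_days] if p.all_days is not None else [])
    if len(p.group_rules) > 2:
        errs.append("more than two groups-based rules")
    if p.msp and any(d < 31 for d in every):
        errs.append("MSP/Marketplace: Days inactive must be 31 or more")
    if p.all_days is not None and days and p.all_days <= max(days):
        errs.append("all-devices days must exceed groups-based days")
    if len(p.excluded) > 4:
        errs.append("more than four excluded groups")
    if p.excluded and p.all_days is None:
        errs.append("exclusions need the all-devices rule turned on")
    return errs

def plan(p, devices, today):
    """Dry run (assumes own-group match, idle >= days): name -> removing rule."""
    out = {}
    for name, group, last_seen in devices:
        idle = (today - last_seen).days
        if any(group in gs and idle >= d for d, gs in p.group_rules):
            out[name] = "groups-based"   # exclusions are not consulted here
        elif (p.all_days is not None and idle >= p.all_days
              and group not in p.excluded):  # sub-groups are not implied
            out[name] = "all-devices"
    return out

TODAY = date(2024, 6, 30)
DEVICES = [  # constructed inventory: (device, group path, last seen)
    ("test-vm-01",   "Test-VMs",         date(2024, 6, 10)),  # idle 20 days
    ("test-vm-02",   "Test-VMs",         date(2024, 6, 25)),  # idle 5 days
    ("relay-01",     "Infra/Relays",     date(2023, 11, 1)),  # idle 242 days
    ("relay-dmz-01", "Infra/Relays/DMZ", date(2023, 11, 1)),  # idle 242 days
    ("laptop-17",    "Workstations",     date(2024, 5, 1)),   # idle 60 days
]
POLICY = Policy([(14, {"Test-VMs"})], 180, {"Infra/Relays", "Test-VMs"})
print(validate(POLICY) or "policy ok", plan(POLICY, DEVICES, TODAY))
```

In this constructed case the relay in the `Infra/Relays/DMZ` sub-group is removed because only its parent group is excluded, and `test-vm-01` is removed by the groups-based rule even though `Test-VMs` is in the exclusion list.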

Check which devices were removed

To see devices that were removed, go to Reports > Reports > Endpoint & Server Protection and click Restore deleted devices and recover Tamper Protection passwords.

The list shows devices removed automatically, as well as devices removed by admins.

Devices stay in the list for 120 days. You can restore them for the first 30 days.


Delete Sophos software left on devices

To delete Sophos software you've left on removed devices, you need the Tamper Protection password for each device. You can recover the password for 120 days after removal.

To recover the password, do as follows:

  1. Go to Reports > Reports > Endpoint & Server Protection and click Restore deleted devices and recover Tamper Protection passwords.
  2. Find the devices.
  3. In the Tamper Protection password column, click Password details to see the password.

Restore deleted devices

You can restore devices for up to 30 days after removal.

Note

This feature doesn't restore update caches or message relays that were on the deleted devices. You can reinstall them after you restore the devices.

To restore deleted devices, do as follows:

  1. Go to Reports > Endpoint & Server Protection > Restore deleted devices and recover Tamper Protection passwords.
  2. Select the devices and click Restore.