As part of DIT's ongoing efforts to improve security, accuracy, and efficiency in our endpoint management systems, DIT Platform Services will implement ongoing automated removal of stale endpoints from Active Directory (AD)/EntraID, Microsoft Intune, and Jamf beginning October 1, 2025. We will be removing endpoints that have not checked in for 180 days or more.
What’s Happening
- Identification of endpoints that have not checked in to the UMD AD, Intune, and Jamf environments within the defined stale period of 180 days
- Removal of these endpoints from AD, Intune, and Jamf
- Coordinated communication to minimize any impact on active users or systems
Why This Matters
- Ensures our inventory reflects active, supported devices
- Improves reporting accuracy across management platforms
- Improves compliance and reduces potential vulnerabilities
- Addresses findings from USM and legislative audits
What Qualifies as a Stale Endpoint?
A stale endpoint is any device record in our management systems that has not checked in, synced, or authenticated within a defined period. Specifically:
Active Directory (AD):
- Computer objects that have not authenticated with the domain for 180 days or more.
- This typically means the device is no longer in use, has been retired, or is inactive.
- For non-Microsoft endpoints, DIT administrators will be contacting endpoint admins with a list of devices that need to be verified as active.
- Additional details about Windows device cleanup can be found here.
Intune:
- Computers that have not checked in (reported status) to Intune for 180 days or more.
- This may indicate the device is not being managed, has been wiped, or is no longer assigned to a user.
- This process has already been happening automatically since we began enrolling devices in Intune.
- Additional details about Intune device cleanup can be found here.
Jamf:
- Computers that have not checked in with Jamf in 180 days or more.
- Mobile devices that have not updated inventory in Jamf for 180 days or more.
- This suggests the device is either unused, unenrolled, or disconnected from management.
- Additional details about Jamf device cleanup can be found here.
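The AD criterion above (enabled computer objects whose last domain authentication is 180 days or older) can be reproduced by OU admins ahead of the Thursday report so that a device can be verified or retired before it is removed. The following PowerShell script is an added example for that purpose, not DIT's own cleanup tooling; it assumes the ActiveDirectory RSAT module, read access to the domain, and an OU search base that is a placeholder to be replaced with your own. It reads the same lastLogonTimestamp attribute that "has not authenticated with the domain" refers to, and corroborates it with pwdLastSet, because lastLogonTimestamp is only replicated with a 9 to 14 day granularity and can lag a machine's actual last logon.

```powershell
# Added example (not DIT's own tooling): list enabled AD computer objects that have
# not authenticated with the domain within the stale period, so an OU admin can
# review them before automated removal. Assumes the ActiveDirectory RSAT module
# and read access to the domain; the OU below is a placeholder.
param(
    [int]$StaleDays = 180,
    [string]$SearchBase = "OU=Workstations,DC=example,DC=edu",   # placeholder OU
    [string]$ReportPath = ".\stale-computers.csv"
)

Import-Module ActiveDirectory

# lastLogonTimestamp is replicated only when it is more than 9-14 days out of
# date, so treat the cutoff as approximate: a stamp 180 days old means the last
# logon was at least roughly 166 days ago.
$cutoff = (Get-Date).AddDays(-$StaleDays)

# Objects that have never logged on have no lastLogonTimestamp and do not match
# this filter; query them separately if they matter to your OU.
$stale = Get-ADComputer -Filter { LastLogonTimeStamp -lt $cutoff -and Enabled -eq $true } `
    -SearchBase $SearchBase `
    -Properties LastLogonTimeStamp, OperatingSystem, PasswordLastSet, Description |
    Select-Object Name,
        DistinguishedName,
        OperatingSystem,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } },
        PasswordLastSet,
        Description

# A domain-joined machine rotates its account password on its own (every 30 days
# by default), so a recent pwdLastSet is evidence the device is alive even when
# the logon stamp lags. Keep only objects that are stale by both measures.
$confirmed = $stale | Where-Object { $_.PasswordLastSet -lt $cutoff }

$confirmed | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
"{0} enabled computer objects are stale by both lastLogonTimestamp and pwdLastSet" -f @($confirmed).Count
```

Run it with `-SearchBase` set to the OU you administer; objects that appear in the CSV but are known to be in use (for example, devices that only connect over a VPN that does not authenticate to the domain) are the ones to raise with DIT before the cleanup runs.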
Starting October 1, 2025, the automated process will run weekly on Thursdays. Each Thursday, Active Directory OU admins and Jamf Site Admins will receive an email report listing the endpoints in scope.
If you have any concerns about devices under your management or if you would like to discuss the change, please reach out to us at it-desktop@umd.edu.