Device Removal Pending

Hello,

I’m looking for some guidance on the device cleanup. We have a number of devices in removal-pending. According to the documentation, the device enters this state when an admin soft removes the device as opposed to force removing a device.

We’re not aware of any admins doing this, but yet devices have entered this state. After some further testing it seems the devices also enter this state if the user associated with the device has been marked as disabled or removed from AD. At this point all devices associated with the user are moved into the removal-pending state.

There are some cases where neither of the above applies and the devices are still in removal-pending.

My first question is how devices transition into removal-pending if they’ve not been soft removed by an admin and the account is still active in AD?

My second question is in relation to the second option below, “Automatically Force Remove Inactive Devices”. Is this referring to the clean-up of devices in removal-pending? It’s unclear, as the tooltip describes it as force removing inactive devices. I understood a “force” remove was to remove a device that already has a state “removed”, and that’s what the last option is for.

And lastly, when does a device move into an inactive state? Is this configured somewhere?

If anyone is able to provide some clarity on the questions above that would be great.

Thanks,
Jason

Hello Jason,
> My first question is how devices transition into removal-pending if they’ve not been soft removed by an admin and the account is still active in AD?

This does not have anything to do with AD; it means that an admin deleted/removed the device from the Client Connector portal (under enrolled devices). After the next keepalive connection, the status changes to Unregistered.

> My second question is in relation to the second option below “Automatically Force Remove Inactive Devices”. Is this referring to the clean-up of devices in removal-pending?

Yes, that would run force remove (which would set the status in the portal to Removed). Also, this can be used against registered devices that have not been connected for a long time (a user has a new laptop and never logged out of the Client Connector on his/her old laptop).

Thanks Jamil. Regarding the removal-pending, there are only 3 admins able to perform this and none of us have checked a device for removal, or if we have, we’ve also force removed the device following this action.

Something automated is marking the devices in this state. I found 79 devices marked for removal-pending; after cross-referencing them to AD, 80% of them either had the account disabled or they don’t exist any longer in AD. I also found the user is greyed out when filtering on the enrolled devices page.

It’s a concern for us as removal-pending devices count against your license quota.

Thanks for confirming the option “Automatically Force Remove Inactive Devices”. I’ll look to get this enabled to clean up the removal-pending devices and any long-standing devices that have not communicated with the Zscaler service in a long while.

Is there a configuration for marking devices inactive?

For the devices that are still in AD and in removal-pending status, check the audit logs in the Client Connector portal to see if someone removed the devices by mistake. If not, please raise a support ticket for further investigation.

Thanks Jamal. I’ve checked the audit logs and there’s only one soft remove, and that was me testing earlier today. Apart from that, there is nothing indicating a soft remove has been performed (can only go back to Sept 2021). I’ve raised a support ticket.

Thanks for the help.