Table of Contents

Remove Retired Devices

Why remove stale devices? So that resources can be focused on managing devices that actually require management. It also gives you a better picture of your environment.

ConfigMgr will automatically remove stale data, however the deletion time depends on the type of data. The Inactive Client discovery data is automatically deleted after 180 days (object exists in AD) while the Obsolete Client Discovery Data (object removed from AD) is deleted after 30 days. For better hygiene, you can manually delete the host from AD, which would then fall under the Obsolete Client Discovery Data and thus be removed after 30 days. For faster removal, you can manually delete the host(s) from AD and then from ConfigMgr.

OU Discovery Exclusion

Devices that are not going to have a Configuration Manager client but are objects in your Active Directory OU will be discovered and show up in the "Non-client Discovered Windows Devices" collection. Request an OU discovery exclusion from the EPM core team to have a specific OU excluded from discovery, this can be one or more OUs. These exclusions can be used to "reduce the noise" when trying to track down any systems that should have a client but are missing it.

This is not the same as an ISO exception and excluding an OU from Configuration Manager will not grant ISO exceptions to any object in that OU.

Collections

Collection refreshes are a heavy process on site server resources.

Limit the number of incremental collections
Do not use both Full and Incremental on the same collection

If a collection does not need to be updated, remove the evaluation interval from the collection by unchecking the box(es). Be sure the interval is cleared as seen below.

Before	After

Deployments

Delete and remove any deployments that are no longer in use.

For example, if you created and ran a test deployment that has now completed, you can delete it.

Admin Accounts

They must be managed and separate from personal use, i.e. not tied to a personal EID which are typically used for email, web browsing and other productivity tasks.

Establish lifecycle management for administrative accounts. Ensure you have a process for disabling or deleting administrative accounts when admin personnel leave (or leave their administrative position).

Quantity

For business continuity and resiliency, it is recommended that each CSU have 2 admins. However, limit the number of admin accounts to those that need access for their job tasks as well as to reduce potential risks.

Workstation Security

Install the MECM console on a virtual machine or on a different physical workstation that is not used for day-to-day activities like internet browsing, email, etc.

Related Information

Page:
Common Tasks and Procedures (Endpoint Management)
- configmgr
- administration
Page:
Maintenance Windows and Business Hours (Endpoint Management)
Page:
Deploying Software Updates (Endpoint Management)
- configmgr
- administration
Page:
CM Deploying 3rd Party Updates to Collections (Patch My PC) (Endpoint Management)
Page:
3rd Party Updates List (Endpoint Management)
Page:
CM Client Settings (Endpoint Management)
Page:
Recommended Practices (Endpoint Management)
- configmgr
- administration

Search UT EPM Documentation

Service Links

Get Help

EPM is available to IT Support Organizations (ITSOs) with any endpoint management questions. If you have a question about a specific endpoint client, please reach out to your local endpoint client support organization.

SERVICE STATUS

Planned Maintenance

ConfigMgr: Every Tuesday, from 6 a.m. – 10 a.m.
Jamf: Every Tuesday, from 8 a.m. – 12 p.m.

Section Content