Hi all, is there the ability to reject / prevent a host from checking into Fleet?
09/29/2022, 8:39 PM
Hi, @oneiroi! The best way to prevent a host from checking in would be to uninstall osquery on the host. If that isn't an option, you can revoke the enroll secret the host has stored. Just keep in mind that this could cause issues with other hosts if you don't then push the updated secret out to them.
Can you tell me a little more about what prompted the question so I can dig in a little more for you?
09/30/2022, 11:07 AM
Hi @Kathy Satterlee, an old endpoint no longer under our control, despite instructing the receiving party a year ago that this needs to be removed, is still checking in. No lingering concerns, just a case of a privacy issue as we're still getting data for the no-longer-under-org-control hardware, and if possible, we'd prefer to not be.
09/30/2022, 2:27 PM
Gotcha. In that case, depending on the workload vs reward for you, changing enroll secrets would be the way to go. Then you can remove the host from Fleet and it won't be able to re-enroll. Your existing hosts will stay enrolled as long as they aren't deleted from Fleet and the local osquery store stays valid.
Pretty low risk, just something to keep in mind in case you do run into a situation down the road where something isn't reporting in as expected.