Security

So I was looking for example how to remove an attribute from specific set of endpoints in Endpoint database. My search didn't produce the desired results.

Looks like this problem is lurking around for some time and users do have a need for solution like this post from Derek Smith long time ago. 

Most discussed solution was export and import Endpoint database. I really don't like this solution, if I only need to modify for example 2k endpoints in database containing many 10k endpoints.

I look over the pyclearpass library that I was already using for other things. Here is a quick and dirty procedure to update or remove attributes in the endpoint database. If you specify a filter expression (thx Alex for pointing me in the right direction about filter format in this post).

But there is also a problem with Clearpass filters. My problem was that attribute has a wrong type of value and it was type mismatch in database. Clearpass will not allow you to put wrong type of value in filter expression. It will throw type mismatch error.

You can very easily search endpoint database with postgresql query like that:

SELECT * FROM public.tips_endpoints_view where attributes->>'MAC-Auth Expiry' like '%ExpireTime%';


I could use postgresql python module to get endpoints with wrong values. This could be even preferable as I would not be limited to 1000 results that API can return.

 I opted not to do that as I only have about 2k endpoints to correct. Maybe in the next version :-) For now I just check if the length of the string returned is more than 19 characters. This mean it is longer than datetime field and hence it is not correct type of data in DT field.

Here is the short python script to update or remove attribute(s). Requirements are icecream, pyclearpass, json, datetime

Hope it will be useful for someone.

Best, Gorazd

Why wouldn't you use the device repository that is meant for this purpose rather than modifying the attributes that are already handled in policy?

So I was looking for example how to remove an attribute from specific set of endpoints in Endpoint database. My search didn't produce the desired results.

Looks like this problem is lurking around for some time and users do have a need for solution like this post from Derek Smith long time ago. 

Most discussed solution was export and import Endpoint database. I really don't like this solution, if I only need to modify for example 2k endpoints in database containing many 10k endpoints.

I look over the pyclearpass library that I was already using for other things. Here is a quick and dirty procedure to update or remove attributes in the endpoint database. If you specify a filter expression (thx Alex for pointing me in the right direction about filter format in this post).

But there is also a problem with Clearpass filters. My problem was that attribute has a wrong type of value and it was type mismatch in database. Clearpass will not allow you to put wrong type of value in filter expression. It will throw type mismatch error.

You can very easily search endpoint database with postgresql query like that:

SELECT * FROM public.tips_endpoints_view where attributes->>'MAC-Auth Expiry' like '%ExpireTime%';


I could use postgresql python module to get endpoints with wrong values. This could be even preferable as I would not be limited to 1000 results that API can return.

 I opted not to do that as I only have about 2k endpoints to correct. Maybe in the next version :-) For now I just check if the length of the string returned is more than 19 characters. This mean it is longer than datetime field and hence it is not correct type of data in DT field.

Here is the short python script to update or remove attribute(s). Requirements are icecream, pyclearpass, json, datetime

Hope it will be useful for someone.

Best, Gorazd

Hi Carson.

These wrong value types were pushed to the database via enforcement policy updates. It's strange that you can push a wrong value type for example free text into DateTime attribute over the enforcement profile, but then you can't remove it easily.

The problem I have with the wrong value type is that updates from extension like Intune, BigFix or maybe others will fail as data type is wrong and update is discarded.

And these attributes should not be there at all, but users are very resourceful to find ways when trying to connect to networks.. And when authorization fails, it still push updates to endpoint but with wrong data types in some fields.

Best, Gorazd

Why wouldn't you use the device repository that is meant for this purpose rather than modifying the attributes that are already handled in policy?

So I was looking for example how to remove an attribute from specific set of endpoints in Endpoint database. My search didn't produce the desired results.

Looks like this problem is lurking around for some time and users do have a need for solution like this post from Derek Smith long time ago. 

Most discussed solution was export and import Endpoint database. I really don't like this solution, if I only need to modify for example 2k endpoints in database containing many 10k endpoints.

I look over the pyclearpass library that I was already using for other things. Here is a quick and dirty procedure to update or remove attributes in the endpoint database. If you specify a filter expression (thx Alex for pointing me in the right direction about filter format in this post).

But there is also a problem with Clearpass filters. My problem was that attribute has a wrong type of value and it was type mismatch in database. Clearpass will not allow you to put wrong type of value in filter expression. It will throw type mismatch error.

You can very easily search endpoint database with postgresql query like that:

SELECT * FROM public.tips_endpoints_view where attributes->>'MAC-Auth Expiry' like '%ExpireTime%';


I could use postgresql python module to get endpoints with wrong values. This could be even preferable as I would not be limited to 1000 results that API can return.

 I opted not to do that as I only have about 2k endpoints to correct. Maybe in the next version :-) For now I just check if the length of the string returned is more than 19 characters. This mean it is longer than datetime field and hence it is not correct type of data in DT field.

Here is the short python script to update or remove attribute(s). Requirements are icecream, pyclearpass, json, datetime

Hope it will be useful for someone.

Best, Gorazd

Makes sense.  For this case I'd probably be more likely to just delete the endpoint entry entirely rather than mess with attribute cleanup.

Hi Carson.

These wrong value types were pushed to the database via enforcement policy updates. It's strange that you can push a wrong value type for example free text into DateTime attribute over the enforcement profile, but then you can't remove it easily.

The problem I have with the wrong value type is that updates from extension like Intune, BigFix or maybe others will fail as data type is wrong and update is discarded.

And these attributes should not be there at all, but users are very resourceful to find ways when trying to connect to networks.. And when authorization fails, it still push updates to endpoint but with wrong data types in some fields.

Best, Gorazd

Why wouldn't you use the device repository that is meant for this purpose rather than modifying the attributes that are already handled in policy?

So I was looking for example how to remove an attribute from specific set of endpoints in Endpoint database. My search didn't produce the desired results.

Looks like this problem is lurking around for some time and users do have a need for solution like this post from Derek Smith long time ago. 

Most discussed solution was export and import Endpoint database. I really don't like this solution, if I only need to modify for example 2k endpoints in database containing many 10k endpoints.

I look over the pyclearpass library that I was already using for other things. Here is a quick and dirty procedure to update or remove attributes in the endpoint database. If you specify a filter expression (thx Alex for pointing me in the right direction about filter format in this post).

But there is also a problem with Clearpass filters. My problem was that attribute has a wrong type of value and it was type mismatch in database. Clearpass will not allow you to put wrong type of value in filter expression. It will throw type mismatch error.

You can very easily search endpoint database with postgresql query like that:

SELECT * FROM public.tips_endpoints_view where attributes->>'MAC-Auth Expiry' like '%ExpireTime%';


I could use postgresql python module to get endpoints with wrong values. This could be even preferable as I would not be limited to 1000 results that API can return.

 I opted not to do that as I only have about 2k endpoints to correct. Maybe in the next version :-) For now I just check if the length of the string returned is more than 19 characters. This mean it is longer than datetime field and hence it is not correct type of data in DT field.

Here is the short python script to update or remove attribute(s). Requirements are icecream, pyclearpass, json, datetime

Hope it will be useful for someone.

Best, Gorazd