Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Removing a custom mandatory endpoint attribute

  • 1.  Removing a custom mandatory endpoint attribute

    Posted Sep 27, 2018 09:01 AM

    A long time ago I created a custom endpoints attribute and defined it as mandatory.

     

    I now want to delete it or even change it to being optional.

    Can't do either as my whole endpoints db has that attribute defined ... it's a big db

    How can I

     

    change attribute to optional

    delete it from every endpoint db entry ?

     

    Rgds

    A



  • 2.  RE: Removing a custom mandatory endpoint attribute
    Best Answer

    MVP
    Posted Oct 01, 2018 12:07 PM

    Once an attribute is created, you cannot modify the type or optional status as you've found out. You cannot delete an attribute if it's being referenced, which in your case it is being referenced by all your endpoints.

     

    The only way I can think of to remove this is to export your entire endpoints database, delete your existing endpoints database, delete the attribute, modify the exported file to remove the reference and import the endpoints back in.

     

    I would highly recommend doing this with Aruba's assistance, or at least open a TAC case in case you need to involve a resource for any issues.



  • 3.  RE: Removing a custom mandatory endpoint attribute

    Posted Oct 05, 2018 04:47 AM

    re exporting the endpoints db

    Found an issue with one of the mac oui vendors ... there's a hex 39 character in their name so when you try and import the endpoints db you get an invalid XML error. Manually removing the hex 39 allowed the import to continue



  • 4.  RE: Removing a custom mandatory endpoint attribute

    Posted Oct 10, 2018 09:04 AM

    Well got a lot further with this.

     

    1). Export endpoints file

    2). just as a check try and import it again

     

    problem is that here it fails.

     

    If you've got endpoint entries that existed before the custom mandatory attribute was created, then when you export endpoints, they don't include the custom mandatory attribute (one shown below with it included). This means when you try and import the file again it fails for every entry that doesn't have the custom attribute present in the file

     

    <Endpoint macVendor="Apple, Inc." macAddress="38c98631d4bc" status="Known">
    <EndpointProfile updatedAt="Jun 28, 2018 07:52:56 BST" addedAt="Jan 19, 2016 16:04:21 GMT" fingerprint="{&quot;dhcp&quot;: {&quot;option55&quot;: [&quot;1,121,3,6,15,119,252,95,44,46&quot;], &quot;options&quot;: [&quot;53,55,57,61,50,54,12,82&quot;]}}" conflict="false" name="Mac OS X" family="Apple Mac" category="Computer" hostname="admins-mac-mini" staticIP="false" ipAddress="144.32.226.150"/>
    <EndpointTags tagName="UoY_Vlan" tagValue="226"/>
    <EndpointTags tagName="UoYDevice" tagValue="true"/>
    <EndpointTags tagName="UoY_Airgroup_User_Device" tagValue="false"/>
    <EndpointTags tagName="UoY_Airgroup_Shared_Server_Device" tagValue="false"/>

     
    </Endpoint>

     

     

    3). In endpoints you can search for every endpoint entry with a particular attribute present. In our case there were only 44 of them and none of them were using it for anything. Delete the endpoints

     

    4). You can now edit the custom attribute and change it from mandatory to optional

    5). Try to delete attribute and you might find that it's used somewhere in a policy

    6). Find policies that use it and edit/delete/replace accordingly

    7). Delete attribute from custom list

     

    Simples!

     

    Points to note however

    1). Depending on how often you refresh your endpoints db you might have loads of entries with this custom variable set, in which case this procedure will probably not be the right thing to do.

     

    2). Still trying to decide whether it's a bug where you cannot export and import an endpoints db because all the exported entries don't have any mandatory attributes. Perhaps there should be an "override" button
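
Added example, not part of the thread and not Aruba tooling: a pre-flight check on an exported endpoints file that lists the entries lacking a given attribute (the ones post 4 saw fail on re-import) and strips every reference to it, as post 2 suggests doing before import. The `<Endpoints>` wrapper element, the tag name `Custom_Mandatory` and the sample MACs are assumptions; only the `Endpoint`/`EndpointTags` layout comes from the export shown above.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The <Endpoints> wrapper, MACs and tag names are
# placeholders; only the Endpoint/EndpointTags shape comes from the thread.
SAMPLE = """<Endpoints>
  <Endpoint macVendor="Example Vendor" macAddress="001122334455" status="Known">
    <EndpointTags tagName="Custom_Mandatory" tagValue="true"/>
    <EndpointTags tagName="Site_Vlan" tagValue="226"/>
  </Endpoint>
  <Endpoint macVendor="Example Vendor" macAddress="66778899aabb" status="Known">
    <EndpointTags tagName="Site_Vlan" tagValue="10"/>
  </Endpoint>
</Endpoints>"""


def local(tag):
    """Element name without any '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def audit_and_strip(xml_text, tag_name):
    """Return (macs_missing_tag, removed_count, cleaned_xml) for one attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position  # where the parser gave up
        raise ValueError(f"invalid XML at line {line}, column {col}") from exc
    # Collect first, then mutate, so removal cannot disturb iteration.
    endpoints = [e for e in root.iter() if local(e.tag) == "Endpoint"]
    missing, removed = [], 0
    for ep in endpoints:
        hits = [c for c in ep
                if local(c.tag) == "EndpointTags" and c.get("tagName") == tag_name]
        if not hits:
            missing.append(ep.get("macAddress"))  # per the thread, these fail re-import
        for tag in hits:
            ep.remove(tag)
            removed += 1
    # Note: ElementTree rewrites namespace prefixes (ns0:, ...) on output unless
    # they are registered with ET.register_namespace.
    return missing, removed, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    missing, removed, cleaned = audit_and_strip(SAMPLE, "Custom_Mandatory")
    print("entries lacking the attribute:", missing)
    print("references removed:", removed)
    print(cleaned)
```

Run it against a copy of the export and keep the untouched original until a small test import of the cleaned file has succeeded.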