Will an inactive endpoint that has tamper protection removed and is deleted out of Sophos Central rejoin automatically when it connects again?

I have a number of inactive endpoints and I want to delete them from Sophos Central. I have removed tamper protection. What will happen if that device never has the Sophos client removed and it connects to the network again? The old on-premise console would allow you to delete, and if it connected again in two weeks it would just rejoin the console and keep getting updated like nothing happened. I want to know what happens to these devices if I delete them. Will they automatically rejoin, or will they just be orphaned and never update again? I would like to be able to auto-prune devices that haven't connected in more than 30 days. Is there a way to do that?



This thread was automatically locked due to age.
  • Hello Brian McLaws,

    The old on premise console
    and also the new one [;)]. When deleted from the Console SEC just "hides" the computer, its attributes (specifically group membership), history, and alerts and events are kept. As long as an endpoint can locate the server and the server (can have been migrated) has the same certificates the endpoint will be able to connect and (re-)appear - if its original group still exists (note that the group is not identified by name but an internal ID) in the same group otherwise in Unassigned. Alerts and Events will eventually be deleted but the computer object will remain "forever" unless deliberately removed from the database. 
    Central counts the licenses in use and thus assumes you want to unassign the license from a device when you delete it. It also hides but keeps the device but only for recovering the Tamper Protection password and just for 60 days. The only way to get a device into Central again is to reinstall. Please note that the device must have communicated with Central and applied the policy that disables TP. Disabling TP won't work if the device has already been inactive when you change the policy and does not communicate before you delete it. 

    Christian 

  • Thanks for the prompt reply. It makes sense what you say and how it used to behave with SEC and why it behaves the way it does now with Sophos Central. I am still getting used to how the product works and what to do about computers that have been removed from our network that I have not been made aware of and they just show as inactive forever. I am trying to figure out a best practice for this type of scenario.

    I was just thinking about a VM, for instance, that has been powered off for a while. If I delete it without disabling tamper protection, what will happen when they decide to turn it back on? If I don't know about it, what state will it be in? I won't know that I need to reinstall because it won't show up in the Unassigned group like the old SEC did. Any thoughts? Do I just create a group called Inactive and move them all there indefinitely and not worry about deleting them?

  • Hello Brian McLaws,

    having no first-hand experience with Central I'm not really competent. I hope someone knowledgeable will correct me if I'm wrong.

    delete it without disabling tamper protection
    the device will not reappear and not update, furthermore regular un-(and re-)install will not be possible. You can recover the password within 60 days. In any case you won't get any notification in Central Admin that the device has been resurrected.
    create a group called inactive
    AFAIK devices offline more than 30 days do not count towards usage (please see under Endpoint License Scenario/Examples) so in terms of licensing they shouldn't cause problems. You might want to retrieve and store the TP password "just in case" before eventually deleting them.

    Christian
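The original question asks for a way to auto-prune devices that have not connected in more than 30 days, and the last reply advises retrieving and storing the tamper protection password before deleting such devices. The following is an added example, not code from the thread or from Sophos, showing how an admin script could build a dry-run prune plan that applies both points. It assumes endpoint records in the shape returned by the Sophos Central Endpoint API's endpoint listing (the fields `id`, `hostname`, `lastSeenAt` and `tamperProtectionEnabled`); the API calls themselves are left out and the sample records and the reference time are constructed for the example.

```python
"""
Dry-run planner for pruning stale Sophos Central endpoints (added example).

Assumed record shape (Sophos Central Endpoint API, GET /endpoint/v1/endpoints):
  id, hostname, lastSeenAt (ISO 8601 UTC, 'Z' suffix), tamperProtectionEnabled.
Fetching the records and deleting endpoints is not shown here; the function
plan_prune() only decides what should happen to each stale device.
"""
from datetime import datetime, timedelta, timezone

# Devices that have not reported for longer than this are candidates for removal.
STALE_AFTER = timedelta(days=30)

# Constructed sample of what a listing call might return.
SAMPLE_ENDPOINTS = [
    {"id": "ep-1", "hostname": "LAPTOP-01",
     "lastSeenAt": "2024-05-01T10:00:00.000Z", "tamperProtectionEnabled": False},
    {"id": "ep-2", "hostname": "VM-REPORTS",
     "lastSeenAt": "2024-02-10T08:30:00.000Z", "tamperProtectionEnabled": True},
    {"id": "ep-3", "hostname": "DESK-07",
     "lastSeenAt": "2024-03-20T15:45:00.000Z", "tamperProtectionEnabled": False},
    {"id": "ep-4", "hostname": "KIOSK-2",
     "lastSeenAt": "2024-05-09T23:59:00.000Z", "tamperProtectionEnabled": True},
]

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)


def parse_last_seen(value):
    """Parse an API timestamp; older Pythons need 'Z' rewritten as '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_stale(endpoints, now=NOW, stale_after=STALE_AFTER):
    """Return the endpoints whose last check-in is older than the cutoff."""
    cutoff = now - stale_after
    return [ep for ep in endpoints if parse_last_seen(ep["lastSeenAt"]) < cutoff]


def plan_prune(endpoints, now=NOW, stale_after=STALE_AFTER):
    """Decide an action per stale endpoint without calling any API.

    A device that last reported with tamper protection still enabled never
    received the policy that disables it, so it could not be cleanly
    uninstalled later. Following the advice in the thread, the plan records
    that its tamper protection password must be retrieved and stored before
    the device is deleted; devices that already reported TP disabled can be
    deleted directly.
    """
    plan = []
    for ep in select_stale(endpoints, now, stale_after):
        days_inactive = (now - parse_last_seen(ep["lastSeenAt"])).days
        if ep.get("tamperProtectionEnabled", True):
            action = "retrieve-and-store-tp-password-then-delete"
        else:
            action = "delete"
        plan.append({
            "id": ep["id"],
            "hostname": ep["hostname"],
            "days_inactive": days_inactive,
            "action": action,
        })
    return plan


if __name__ == "__main__":
    for item in plan_prune(SAMPLE_ENDPOINTS):
        print(f"{item['hostname']:<12} {item['days_inactive']:>4}d  {item['action']}")
```

Treating an unknown `tamperProtectionEnabled` value as "enabled" is deliberate: the cost of retrieving a password unnecessarily is small, whereas deleting a device whose password was never saved leaves it unrecoverable after the 60-day window mentioned above.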