Assets not scanned in last >3 months

We have 1,300 assets that have not been scanned in >3 months. This means that these assets were not discovered on our network for more than 3 months. There is deployed-to and last-used-by data for these records in ServiceNow. What steps should ITAM take to find the issue with these assets?

2 Likes

Multiple approaches here, I’ll offer some ideas

  • CMDB with device status: If you have the luxury of having a CMDB (I see that you do) to report device lifecycle status, you would look to that to determine whether to keep the inventory record or not. If the CMDB says “Installed”, you must assume it is still with you, and then you have an inventory agent scanning issue (assuming you’re using an agent-based ITAM tool) or something similar along those lines. It could also mean someone responsible for lifecycle status hasn’t kept it updated and the device might be truly decommissioned. If so, then your record can be set to “Ignored”, disposed, etc., whatever flag is acceptable to your organization.

  • No CMDB status: Here you must determine if the device is around or not. I use a quick program to ping multiple devices at once to see if they are on the network or have been recently. If you get an echo (response from the device), then we know it’s viable and we need to get inventory working correctly. If it returns no ping but you see an IP for it, it was there recently. If you have means to determine the most recent logged-in user, owner, custodian, etc., create yourself a standard form asking questions about the device. They may not be on VPN, if you have that available at your company, and may simply be using Outlook via the cloud. If you don’t have a DMZ collector for inventory, you’ll miss those.

  • Agent issues: Are the services running on the devices? Is your system collecting and reconciling data as designed? All kinds of agent issues could arise once you confirm it is truly on the network and available.

I could write at length on this topic. Keeping it short to see if that helps move you in the right direction. Others here are eager to help as well. What is right for your org may not work for mine or others, though the fundamentals are almost always true when tracking down a device that is not scanning.

Cheers, Bryant

3 Likes

Bryant has some great tips

Overall I’d suggest checking the configuration on the scanning tool in question - based on your other question in the forum, I’ll guess it’s SCCM. If SCCM hasn’t been in contact with these machines in 90+ days, then something changed on that side of the equation - could be they moved these to a new SCCM server, and that new one isn’t connected to ServiceNow for your reporting. If it’s SN Discovery, then likely the Discovery schedules or ranges have been altered, and someone “told” discovery to stop checking those.

As Bryant says, I could go on about this too, but hopefully his and my notes give you somewhere to start.
James

2 Likes

We have a process in ServiceNow that automates emails to the assigned user of the device and their manager at 21, 30, and 45 day intervals for the user to connect that device to the network. If they don’t, at day 45, a missing asset request is kicked off automatically where ITAM writes off the asset and IS revokes machine certificates so that if the device is later found, it’s no longer a security risk.

Through the course of this process, if the user messages that they are using the computer but for some reason SCCM shows no access date, a technician will see if they can resolve the issue with the SCCM client, and if that doesn’t work, their computer would be replaced. In addition to being a concern for ITAM who doesn’t have a heartbeat on the machine, ultimately, it’s a security risk that the computer isn’t checking into SCCM.

2 Likes
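Bryant’s decision tree (CMDB status first, then a reachability check, then the owner questionnaire) and the 21/30/45-day reminder escalation from the last post can be turned into a repeatable triage pass over the stale records. The script below is an added example written for this thread, not code from any poster or from ServiceNow; the 90-day staleness cutoff, the field names, the `reachable` callback (standing in for Bryant’s bulk ping) and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

STALE_DAYS = 90                 # the thread's ">3 months since last scan"
REMINDER_DAYS = (21, 30, 45)    # reminder intervals from the automated-email process

@dataclass
class Asset:
    name: str
    last_scan: Optional[date]   # last inventory/SCCM contact, None if never seen
    cmdb_status: Optional[str]  # CMDB lifecycle status, None if not maintained
    ip: Optional[str]           # last IP recorded for the device, if any
    assigned_to: Optional[str]  # last-used-by / deployed-to user from ServiceNow

def days_unseen(asset: Asset, today: date) -> Optional[int]:
    """Days since the last scan; None when the device was never scanned."""
    return None if asset.last_scan is None else (today - asset.last_scan).days

def triage(asset: Asset, today: date, reachable: Callable[[str], bool]) -> str:
    """Classify one record following the thread's decision tree. `reachable` is an
    injected, hypothetical network check (a real one would ping or query logons)."""
    days = days_unseen(asset, today)
    if days is not None and days <= STALE_DAYS:
        return "fresh"                     # scanned recently, nothing to chase
    status = (asset.cmdb_status or "").strip().lower()
    if status == "installed":
        return "agent_issue"               # CMDB says still deployed: agent/collector problem
    if status in {"retired", "disposed", "missing", "stolen"}:
        return "set_ignored"               # lifecycle says gone: flag record, stop chasing
    if asset.ip and reachable(asset.ip):
        return "on_network_fix_agent"      # answers now: device is viable, agent is silent
    if asset.ip:
        return "seen_recently_ask_owner"   # had an IP but silent: likely remote/off-VPN
    return "ask_owner"                     # nothing to go on: send the standard form

def reminder_stage(days: int) -> int:
    """0 = no action; 1..3 = reminder due at 21/30/45 days. Stage 3 is where the
    missing-asset request (write-off plus certificate revocation) is kicked off."""
    return sum(1 for threshold in REMINDER_DAYS if days >= threshold)

def triage_all(assets, today: date, reachable: Callable[[str], bool]) -> dict:
    return {a.name: triage(a, today, reachable) for a in assets}

# Constructed sample records (not real assets); 2024 is a leap year for day counts.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Asset("LT-0001", date(2024, 1, 15), "Installed", "10.0.5.20", "alice"),
    Asset("LT-0002", date(2023, 11, 2), "Retired", None, None),
    Asset("LT-0003", date(2024, 2, 20), None, "10.0.5.21", "bob"),
    Asset("LT-0004", None, None, None, "carol"),
    Asset("LT-0005", date(2024, 5, 1), "Installed", "10.0.5.22", "dave"),
]
```

Feed it the export of the 1,300 records and group by the returned class to see how much is an agent problem versus records the CMDB already says should be closed.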