Finding Unmanaged Devices
  • 27 Jun 2022

Watch the “Finding Unmanaged Devices” video, or read below.

Organizations today have a comprehensive arsenal of security tools to protect corporate-assigned devices. However, they can only protect the assets they know about. Finding the “unknown unknowns” presents a challenge.

Unmanaged devices can be defined as IP-connected devices that are:

  • Without an agent or configuration solution installed
  • Not being secured by an endpoint agent
  • Only known to the network or network scanners

Whether it’s an employee’s cell phone, a conference room smart TV, or a virtual machine (VM), any unmanaged device should be accounted for and acted on appropriately.

Challenges in Knowing Which Devices are Unmanaged

Finding unmanaged devices is tricky. Asking Active Directory to show any device not being managed doesn’t work. Manually comparing AD data and network management software is time-consuming and error-prone. But a solution that can automatically correlate and deduplicate data will uncover risks and give you the ability to quickly address them.

Data Sources Needed to Find Unmanaged Devices

  • Directory Services — Services like Active Directory or Azure AD that authenticate and authorize users and devices
  • Endpoint Management Solutions — Services like SCCM and Jamf Pro
  • Network/Infrastructure Data — By connecting to the networking infrastructure, administrators gain visibility into all devices within their environment

Discovering Unmanaged Devices with Axonius

There are simple queries you can build to find unmanaged devices in Axonius, ranging from the broadest possible scenario to the most detailed.

Let’s take a look at the most basic query for finding unmanaged devices without security agents or management solutions.


This query can be represented in the Axonius Query Wizard as:
[Screenshot 1.0]

This query can also be represented as an AQL (Axonius Query Language) expression:

not (((specific_data.data.adapter_properties == "Agent" or specific_data.data.adapter_properties == "Manager")))



This query finds all unmanaged devices without security agents or management solutions. Here’s an example of the returned results:

[Screenshot 1.1]

We can add other filter criteria to prioritize which devices should be addressed. For example, let’s find unmanaged devices that are not being scanned by a vulnerability assessment (VA) tool.


This query can be represented in the Axonius Query Wizard as:
[Screenshot 2.0]

This query can also be represented as an AQL (Axonius Query Language) expression:

not specific_data.data.adapter_properties == "Agent" and not specific_data.data.adapter_properties == "Manager" and not specific_data.data.adapter_properties == "Vulnerability_Assessment"


Here is an example of the returned results:
[Screenshot 2.1]

We can also add a time element to find devices that are unmanaged, unscanned, and have been active on the network in the past three days using the following:


This query can be represented in the Axonius Query Wizard as:

[Screenshot 3.0]

This query can also be represented as an AQL (Axonius Query Language) expression:

not specific_data.data.adapter_properties == "Agent" and not specific_data.data.adapter_properties == "Manager" and not specific_data.data.adapter_properties == "Vulnerability_Assessment" and specific_data.data.last_seen >= date("NOW - 3d")



Here is an example of the returned results:

[Screenshot 3.1]
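
The logic behind the three queries above, as an added Python example (not Axonius code): records from several sources are correlated into one device, then filtered on the merged adapter properties and last-seen time. The record layout, source names, MAC address as the correlation key, and the fixed `NOW` are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 27, 12, 0, tzinfo=timezone.utc)  # fixed for reproducible output

# Constructed sample data: (source, adapter properties, MAC, hostname, last seen).
RECORDS = [
    ("directory", set(), "AA:BB:CC:00:00:01", "LT-FINANCE-01", NOW - timedelta(days=1)),
    ("endpoint_mgmt", {"Agent", "Manager"}, "aa-bb-cc-00-00-01", "lt-finance-01", NOW - timedelta(hours=2)),
    ("network", set(), "aa:bb:cc:00:00:02", "conf-room-tv", NOW - timedelta(hours=5)),
    ("va_scanner", {"Vulnerability_Assessment"}, "aa:bb:cc:00:00:03", "build-vm-7", NOW - timedelta(days=1)),
    ("network", set(), "AA:BB:CC:00:00:03", "build-vm-7", NOW - timedelta(days=2)),
    ("network", set(), "aa:bb:cc:00:00:04", "old-printer", NOW - timedelta(days=30)),
]


def norm_mac(mac):
    """Normalize MAC notation so the same NIC matches across sources."""
    return mac.lower().replace("-", ":")


def correlate(records):
    """Merge per-source records into one device per MAC (assumed correlation key)."""
    devices = {}
    for source, props, mac, host, seen in records:
        dev = devices.setdefault(norm_mac(mac), {
            "hostname": host.lower(), "sources": set(),
            "properties": set(), "last_seen": seen})
        dev["sources"].add(source)
        dev["properties"] |= props          # union of what every source reports
        dev["last_seen"] = max(dev["last_seen"], seen)
    return devices


def unmanaged(devices, unscanned=False, seen_within=None, now=NOW):
    """Hostnames with no Agent/Manager property, optionally also unscanned and recent."""
    excluded = {"Agent", "Manager"}
    if unscanned:
        excluded.add("Vulnerability_Assessment")
    hits = []
    for dev in devices.values():
        if dev["properties"] & excluded:
            continue                        # some source manages or scans it
        if seen_within is not None and dev["last_seen"] < now - seen_within:
            continue                        # not active in the time window
        hits.append(dev["hostname"])
    return sorted(hits)


if __name__ == "__main__":
    devices = correlate(RECORDS)
    print(unmanaged(devices))
    print(unmanaged(devices, unscanned=True))
    print(unmanaged(devices, unscanned=True, seen_within=timedelta(days=3)))
```

Evaluating the directory record for `lt-finance-01` on its own would flag it as unmanaged; only after it is merged with the endpoint management record does it drop out, which is why correlation has to happen before the filter.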

Taking Action on Unmanaged Devices

The Axonius Security Policy Enforcement Center allows customers to determine which automated action to execute when an unmanaged device is found.

Highlighted Actions Include:

  • Notify - Let someone know about the unscanned cloud instance via email, Slack, Syslog, or by CSV
  • Create Incident - Create an incident using a ticketing system like ServiceNow, Jira, or Zendesk
  • Enrich Device or User Data - Enrich data with Shodan, Censys, or Portnox to show what is publicly known

For more details, see Action Library.

