I was wondering if there was a way to transfer ownership of all devices of a user that is leaving the company to another user. And if not, is there a suggested way to have ‘company owned’ devices so no matter the status of the employees, the devices will always exist?
You need to use tags.
Devices are owned by their “creators” unless they have tags and then the tags own them.
I’m not sure I follow. The devices are authenticated by a user but authorized based on the tag. So if the user goes away, the device would disappear along with it. Unless I’m missing something?
This has to be something that other folks have encountered in the past and I expect it has a solution, I just can’t find what it is.
Once you add a tag, the device is no longer owned by the user (as stated above). They are a tagged device. We exclusively use tags on all devices, and once a device is tagged, there is no ‘owner’ listed in the admin panel for the tagged device.
So, even though a user has to authenticate to add a device to your tailnet, once it is tagged, that user can go away, but the device will still be there.
Ah, so the ‘Creator’ in the Machine Details is not applicable to who owns the Machine after a tag has been applied, it’s just for reference. That’s the magic that I was misunderstanding. A summary of my understanding:
- Untagged machines are solely owned by the Creator and they will disappear if that user disappears
- Tagged Machines are now owned by ‘the system’ and will not disappear unless an admin removes them. This allows for the case of the tag being removed, the machine then says “Hey, there’s a removed tag here. It’s ok, the machine is still online, but you can remove the tag”. It will then… (see next bullet)
- You cannot remove all tags from a Machine as it then wouldn’t know who owns it. I’ve worked around this by making a dummy tag with no access via ACL as that fits my needs.
Apologies for not understanding from the first response.
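An offboarding check based on the ownership rule summarized in this thread, added here as an example and not taken from any post or from Tailscale's own code: it lists which of a departing user's devices are untagged (and so go away with the account) and which are tagged. The device records, the `user` and `tags` field names, and the `tag:parked` no-access tag are constructed assumptions.

```python
import json

# Constructed sample device list. The "user" (creator) and "tags" field names
# are assumptions of this example, not values taken from the thread.
SAMPLE_DEVICES = json.loads("""
[
  {"name": "laptop-alice", "user": "alice@example.com"},
  {"name": "build-server", "user": "alice@example.com", "tags": ["tag:server"]},
  {"name": "nas",          "user": "alice@example.com", "tags": ["tag:parked"]},
  {"name": "laptop-bob",   "user": "bob@example.com",   "tags": []}
]
""")


def offboarding_report(devices, departing_user, parked_tags=()):
    """Classify the devices created by departing_user before the account is removed.

    at_risk:  untagged devices, owned by the user, so they disappear with the user.
    retained: tagged devices, owned by the tag, so they stay.
    parked:   tagged devices whose only tags are no-access placeholder tags.
    """
    parked_tags = set(parked_tags)
    report = {"at_risk": [], "retained": [], "parked": []}
    for dev in devices:
        if dev.get("user") != departing_user:
            continue
        tags = set(dev.get("tags") or [])  # a missing or empty list means untagged
        if not tags:
            report["at_risk"].append(dev["name"])
        elif tags <= parked_tags:
            report["parked"].append(dev["name"])
        else:
            report["retained"].append(dev["name"])
    return report


if __name__ == "__main__":
    result = offboarding_report(SAMPLE_DEVICES, "alice@example.com", {"tag:parked"})
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Anything reported under `at_risk` needs a tag applied before the user is removed if the device should stay on the tailnet.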