Shadow IT detection in GLPI: discovering unmanaged devices

Shadow IT is the collection of devices, applications, and services operating on your network without IT department knowledge or approval. It is not a theoretical risk — in most organizations, it is already there. The question is whether you can see it.

Why shadow IT is a problem

Unmanaged devices create three categories of risk:

  • Security — a device you do not know about is a device you are not patching. It may run outdated firmware, have default credentials, or lack endpoint protection entirely.
  • Licensing — software installed on unmanaged machines is software you are not tracking. In a vendor audit, those installations count against your compliance whether you authorized them or not.
  • Support — when an unmanaged device causes a network issue (IP conflict, rogue DHCP, bandwidth saturation), troubleshooting starts with "what is this and who put it here?" That question burns hours.

How GLPI finds unmanaged devices

The GLPI agent's network discovery scans defined IP ranges and reports every device that responds — via SNMP, NetBIOS, or ping. Each discovered device is compared against existing inventory records. If a MAC address or serial number matches an existing asset, the records link automatically. If there is no match, the device lands in the Unmanaged devices list — your shadow IT detection feed.

Setting up discovery for shadow IT detection

Configure the GLPI agent to scan your entire managed IP space, not just the subnets where you expect devices. Shadow IT hides in the ranges you are not looking at.

Step-by-step setup

  1. Define IP ranges in GLPI covering all production subnets, including guest and IoT VLANs
  2. Assign SNMP credentials for each range (even if some ranges will only respond to ping, the SNMP query will enrich data for devices that do respond)
  3. Enable the netdiscovery task on at least one agent per network segment
  4. Set the discovery schedule — daily is a good balance between visibility and network load
  5. Configure notification rules to alert the IT team when new unmanaged devices appear

The notification step is critical. Discovery data that sits unreviewed in a list is not adding value. An email to the network team saying "3 new unknown devices found on VLAN 40" turns passive data into active investigation.

Handling discovered-but-unmanaged assets

When a new unknown device appears, the workflow should follow a consistent pattern:

  1. Identify — use the MAC address vendor prefix (OUI) and any SNMP data to determine what the device is. A Raspberry Pi on the engineering VLAN is a different conversation than an unknown HP printer in the lobby.
  2. Locate — trace the MAC to a switch port if you have LLDP/CDP data. Physically find the device if needed.
  3. Decide — does this device belong on the network? If yes, import it into GLPI as a managed asset, assign it an owner and a location, and apply the appropriate security policies. If no, disconnect it and investigate how it got there.
  4. Document — whether you adopt or remove the device, record the decision. This builds institutional knowledge about your network boundaries.
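The MAC-or-serial linking described under "How GLPI finds unmanaged devices", the OUI-based identify step and the per-VLAN notification above, as an added Python example; it is not GLPI's own code, and the managed inventory, OUI table, VLAN map and discovery results are constructed samples.

```python
import ipaddress
from collections import defaultdict
# Constructed sample of assets GLPI already manages (name, MAC, serial).
MANAGED_ASSETS = [
    {"name": "print-lobby-01", "mac": "3c:d9:2b:aa:bb:cc", "serial": "CNB1234567"},
    {"name": "sw-core-01", "mac": "00:1b:21:11:22:33", "serial": "FDO2211ABCD"},
]
# Constructed sample OUI table; a real deployment loads the IEEE OUI registry.
OUI_VENDORS = {"b8:27:eb": "Raspberry Pi Foundation", "3c:d9:2b": "HP",
               "00:1b:21": "Intel", "00:50:56": "VMware"}
VLAN_SUBNETS = {"VLAN 40": "10.40.0.0/24", "VLAN 50": "10.50.0.0/24"}  # constructed
# Constructed netdiscovery results: a known printer, the core switch seen on a
# second interface (serial matches, MAC does not), and two unknown hosts.
DISCOVERED = [
    {"ip": "10.40.0.15", "mac": "B8-27-EB-12-34-56", "serial": ""},
    {"ip": "10.40.0.20", "mac": "3C:D9:2B:AA:BB:CC", "serial": ""},
    {"ip": "10.50.0.7", "mac": "00:50:56:01:02:03", "serial": ""},
    {"ip": "10.50.0.9", "mac": "00:1b:21:99:88:77", "serial": "FDO2211ABCD"},
]

def normalize_mac(mac):
    return mac.lower().replace("-", ":")  # one form, so comparisons are reliable
def vendor_for(mac):
    # Identify step: the first three octets (the OUI) name the vendor.
    return OUI_VENDORS.get(normalize_mac(mac)[:8], "unknown vendor")
def vlan_for(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, cidr in VLAN_SUBNETS.items()
                 if addr in ipaddress.ip_network(cidr)), "unknown VLAN")
def triage(discovered, managed):
    # Link by MAC or serial, as GLPI does; anything left over is shadow IT.
    by_mac = {normalize_mac(a["mac"]): a["name"] for a in managed}
    by_serial = {a["serial"]: a["name"] for a in managed if a["serial"]}
    linked, unmanaged = [], []
    for dev in discovered:
        mac = normalize_mac(dev["mac"])
        match = by_mac.get(mac) or by_serial.get(dev["serial"])
        if match:
            linked.append((dev["ip"], match))
        else:
            unmanaged.append({"ip": dev["ip"], "mac": mac,
                              "vlan": vlan_for(dev["ip"]), "vendor": vendor_for(mac)})
    return linked, unmanaged
def notification_lines(unmanaged):
    # Notification step: one summary line per VLAN, as the article suggests.
    per_vlan = defaultdict(list)
    for dev in unmanaged:
        per_vlan[dev["vlan"]].append(f"{dev['ip']} ({dev['vendor']})")
    return [f"{len(devs)} new unknown device(s) found on {vlan}: {'; '.join(devs)}"
            for vlan, devs in sorted(per_vlan.items())]
```

Running `notification_lines(triage(DISCOVERED, MANAGED_ASSETS)[1])` yields one alert line for VLAN 40 (the Raspberry Pi) and one for VLAN 50 (the VMware host), while the printer and the switch's second interface link to existing assets.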

Making it sustainable

Shadow IT is not a one-time cleanup — it is ongoing. People will keep plugging in personal routers and connecting test equipment. The goal is not to prevent all of it, but to detect it within 24 hours and make a conscious decision about each device.

GLPI's discovery runs on a schedule and the unmanaged devices list updates automatically. Pair that with notification rules and a triage process, and you have a control that keeps your CMDB honest and your network perimeter defined.
