When you need to free up user licenses you should start by running the housekeeping tasks "Clear expired tokens" and "Clear deleted LDAP users".
The "Clear deleted LDAP users" Task
When users are deleted from an external LDAP identity sources, the user deletion may result in licenses being allocated to users that cannot be accessed in the management console.
This housekeeping task can be used to remove tokens that are assigned to users that have been deleted from LDAP. If you are freeing up licenses this way it is probably a good idea to run the "Users Use License" report both before, and after the "Clear Deleted LDAP users" task is run.
The "Users Use License" report will normally display tokens that are consumed by deleted LDAP users as blank usernames at the head of the report and by running the report both before and after the "Clear Deleted LDAP users" task you will be able to confirm that these licenses have been freed up.
From the management console select “Administration | Tasks”, left click on the context menu of the task Clear deleted LDAP users then select “Run”;
A window will open titled "Execute Task" at this point you can optionally supply a description;
Click "RUN" to execute the task.
The "Clear expired tokens" Task
Tokens that have been expired but not been removed from the system may be removed using the Clear expired tokens task.
This task is run by first navigating to "Administration | Tasks", left clicking on the context menu of the task Clear expired tokens, then select "Run";
A window will open titled "Execute Task", at this point you can optionally supply a description and restrict which products are to be cleared.
Click "RUN" to execute the task.
The "Delete Unused Tokens" Task
Another way to free up licenses is to ensure that tokens that are not used are removed using the task Disable unused tokens.
This task is run by first navigating to "Administration | Tasks", left clicking on the context menu of the task Disable unused tokens, then select "Run";
A window will open titled "Execute Task", at this point you can optionally supply a description and specify if replace the "Days" parameter from its default setting.
Click "RUN" to execute the task.
Releasing Licenses from disabled accounts
The task "Release licenses from disabled accounts" has to be added to the default list of tasks obtained by navigating to "Administration | Tasks", then left click on the context menu of the task Release licences from disabled accounts and select the "Run" option;
A window will open titled "Execute Task", at this point you can optionally supply a description and replace the default parameters "Domain Name", "Unit Name" and "Group Name";
Click "RUN" to execute the task.
Identifying License Usage Details
License details may be obtained from the Management Console either through the "Home" menu-bar option (by navigating to "Configuration | Licenses"), or by running the report Report of Users use License.
If you can't find the template "Users use License", first check the other pages (the report is usually found on one of the last pages), but if the report still cannot be found you will need to download the file from the support site.
From the management console select “Administration | Reports”, left click on the context menu of the report Report of Users use License, then select “Create Report”;
A new window will open titled "Report - New", give the report a name, and in most cases you will not need to filter the report so just click "SAVE", and the report will be added to the "Reports" tab. To run the report select the tab "Reports", left click on the context menu of the recently created report and select "Run";
The results of the report can be found by selecting the tab "Results", left clicking on the context menu of the newly created report and selecting "Export";
Reloading the System Cache
Once the housekeeping tasks have been performed we would suggest clearing the cache (this will assist the accuracy of the license count).
To clear the system cache navigate to "Configuration | Advanced Security Settings", then at the prompt "Reload System Cache" click on the button "RELOAD";
A message will now pop up confirming that the system cache has been reloaded.
Finally log out of the management console. Once you log back in to the management console you should find that the license counts are updated..
License Consumption
What qualifies as an active user, and how do you check it ?
To check the status of a user navigate to "Directory | Users", Select the domain of the user then click "SEARCH" and you will be presented with a list of users for the selected domain;
Each user has two status values - one internal and the other external.
The external users status is taken from your external directory (usually AD) and may differ from the internal status.
Licenses are only consumed by a user if they have an internal status set to "Active".
What qualifies as an active token, and how do you check it ?
If a user is active but not currently assigned any tokens then they will not normally be consuming a user license, however users with tokens will still not be consuming a user license if the tokens are not active.
To check the status of tokens that have been assigned to a specific user left click on the context menu of the user and select the option "Tokens";
A list of all tokens assigned to the selected user will then be displayed;
If any of the tokens listed are active, then the users will be consuming a license.
Also In the case of an inactive token being created,...
For example, during the registration of a DeviceID token, this will also count toward license consumption.
What can cause a user to be consuming a license, and how do we check who are consuming licenses ?
In addition to active tokens being assigned to a user, a user may also consume a license if they have any Question and Answer details or certificates stored against the user. Both can be checked by examining the content of the "Users Use License" report;
If a user has non-zero values in either of the columns "Tokens", "Q&A" or "Certificates", then they will be consuming a license.
If the initial lines of this report contain entries where the First and Last names are blank, then it is probable that this users were deleted in the external directory. If this is the case and these users are still consuming user licenses, then the licenses may be freed up by running the task "Clear deleted LDAP users".