I was wondering if anyone had any policy or procedure in place for what is and isn't an acceptable time frame for PCs to be out of date on the DAT. I would say 7-14 days is OK and anything after that needs to be investigated for problems.
Our system is set up so that any system whose DAT is more than 14 days out goes to an Inactive Agent group. This group has rules to install the ePO agent, VSE 8.5, and the anti-spyware module. (Since we've been using McAfee products for years, I also have a rule for this group to remove VSE 8.0, just in case.) Most machines at this point still need individual attention, but at least this setup catches some of them.
The only problem with setting it up this way is that if any system 14 days out was a member of a group with special rules (normally exclusions but we also have some other groups with mail rules and buffer overflow changes) then these rules will be discarded until I manually move the system back to its proper group. So I do have to monitor this group on a regular basis.
As for 14 days: sadly, we sometimes don't have the manpower to check machines even that far out in a timely manner, so I know that making the cutoff less wouldn't really result in machines getting maintenance any faster. Plus, our network does have multiple layers of protection, so that helps mitigate our risk.