Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 9 subscribers
  • Views 2309 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central remove devices dynamically

Brendan Dudley

Hi Community,

 

I'm looking for a way to dynamically clean up server endpoints in Central when they are destroyed.  We create and destroy tens of servers daily as part of our CI/CD pipeline.  When an instance is destroyed we run /sophos-av/uninstall.sh however this does not update Central.  The device still appears in Central, consumes a license, and starts throwing alerts for "real time protection disabled" and "failed to protect server: <IP>".  This creates a lot of noise making any real alerts go unnoticed and creates a problem for license accounting.

Short of writing a script to hit the API and delete the endpoint, is there a method for managing this?  I see that during the installation Sophos AV connects to Central and registers the device.  I would assume there should be a graceful way in the software to clean this up.  What's the best practice here?  Unfortunately, Support's answer was to manually delete the devices in the UI which is obviously not scaleable.

If anyone has encountered the same problem and has a good practice for managing this, please let me know!

 

Thanks!



This thread was automatically locked due to age.
Parents
  • +1

    Hi,

     

    The script going to the API is the best option here - this is one of the use cases the API was created for. 

    Endpoint deletion is sticky to prevent unwanted data loss - things like Bitlocker recovery keys - of important elements. We don't age out entries. 

    Although, if you want to propose a change (such as a setting to schedule deletes of offline elements after X days) - you could do that at ideas.sophos.com

    The best option in the UI (still manual) is to multi-select the computers and delete them en masse. I don't know what your naming convention is but if there was a consistent unique pattern you could filter by that to get the entries you need.

     

    I hope this helps.

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply
  • +1

    Hi,

     

    The script going to the API is the best option here - this is one of the use cases the API was created for. 

    Endpoint deletion is sticky to prevent unwanted data loss - things like Bitlocker recovery keys - of important elements. We don't age out entries. 

    Although, if you want to propose a change (such as a setting to schedule deletes of offline elements after X days) - you could do that at ideas.sophos.com

    The best option in the UI (still manual) is to multi-select the computers and delete them en masse. I don't know what your naming convention is but if there was a consistent unique pattern you could filter by that to get the entries you need.

     

    I hope this helps.

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Children
  • 0 in reply to RichardP

    Hey Richard,

     

    I appreciate the response.  Keeping data for historical purposes certainly makes sense, removal isn't necessary for my use case.  I do wish that I could remove the license and stop alerting on the device during uninstall though.  I'll request that via ideas.sophos.com.  I've got a POC created for my script.  Once I've got it up and running I'll put it up on Github and share with the community here.

     

    Cheers.

  • 0 in reply to RichardP

    Hey Richard,

    While I've got you, I'm running in to a small problem with my POC.  More of a nuisance than anything.  It looks like the Endpoint ID in the API does not equal the ID found on the device or in the URL of the device on Sophos Central.

    In Sophos Central the construction of the URL is https://central.sophos.com/manage/devices/servers/<endpoint-id>/summary if I understand correctly.  I also find the same value on the device in the path /opt/sophos-av/etc/sophosav/mcs.config where the MCSID=<endpoint-id>, same as it appears in the URL.  From the API however the Endpoint ID does not match.  It appears slightly out of order.  I can't for the life of me remember how to figure this out right now.  Maybe it's endian-ness? 

    Here is an example:

    In the UI and on the device I have an endpoint with ID: 602eaa5e-3ad4-64ed-a808-c963f7726556

    From the API the same endpoint has "id": 06e2aae5-a34d-46de-8a80-9c367f275665

    Every set of two characters is reversed.  I think I saw this in school but that was a while ago.... looks like a bug or oversight?

  • 0 in reply to Brendan Dudley

    It is endianness.

    I will have to double check what the expected output from that database is.

    Once I know, I will be in touch.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to RichardP

    Just an update on this - the data coming out of the API is the canonical real ID for the endpoint.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Unfiltered HTML