Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 9 subscribers
  • Views 2310 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Central remove devices dynamically

Brendan Dudley

Hi Community,

 

I'm looking for a way to dynamically clean up server endpoints in Central when they are destroyed.  We create and destroy tens of servers daily as part of our CI/CD pipeline.  When an instance is destroyed we run /sophos-av/uninstall.sh however this does not update Central.  The device still appears in Central, consumes a license, and starts throwing alerts for "real time protection disabled" and "failed to protect server: <IP>".  This creates a lot of noise making any real alerts go unnoticed and creates a problem for license accounting.

Short of writing a script to hit the API and delete the endpoint, is there a method for managing this?  I see that during the installation Sophos AV connects to Central and registers the device.  I would assume there should be a graceful way in the software to clean this up.  What's the best practice here?  Unfortunately, Support's answer was to manually delete the devices in the UI which is obviously not scaleable.

If anyone has encountered the same problem and has a good practice for managing this, please let me know!

 

Thanks!



This thread was automatically locked due to age.
Parents
  • +1

    Hi,

     

    The script going to the API is the best option here - this is one of the use cases the API was created for. 

    Endpoint deletion is sticky to prevent unwanted data loss - things like Bitlocker recovery keys - of important elements. We don't age out entries. 

    Although, if you want to propose a change (such as a setting to schedule deletes of offline elements after X days) - you could do that at ideas.sophos.com

    The best option in the UI (still manual) is to multi-select the computers and delete them en masse. I don't know what your naming convention is but if there was a consistent unique pattern you could filter by that to get the entries you need.

     

    I hope this helps.

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to RichardP

    Hey Richard,

     

    I appreciate the response.  Keeping data for historical purposes certainly makes sense, removal isn't necessary for my use case.  I do wish that I could remove the license and stop alerting on the device during uninstall though.  I'll request that via ideas.sophos.com.  I've got a POC created for my script.  Once I've got it up and running I'll put it up on Github and share with the community here.

     

    Cheers.

Reply
  • 0 in reply to RichardP

    Hey Richard,

     

    I appreciate the response.  Keeping data for historical purposes certainly makes sense, removal isn't necessary for my use case.  I do wish that I could remove the license and stop alerting on the device during uninstall though.  I'll request that via ideas.sophos.com.  I've got a POC created for my script.  Once I've got it up and running I'll put it up on Github and share with the community here.

     

    Cheers.

Children
No Data
Unfiltered HTML