Sophos Central remove devices dynamically

Hi Community,

I'm looking for a way to dynamically clean up server endpoints in Central when they are destroyed. We create and destroy tens of servers daily as part of our CI/CD pipeline. When an instance is destroyed we run /sophos-av/uninstall.sh; however, this does not update Central. The device still appears in Central, consumes a license, and starts throwing alerts for "real time protection disabled" and "failed to protect server: <IP>". This creates a lot of noise, making any real alerts go unnoticed, and creates a problem for license accounting.

Short of writing a script to hit the API and delete the endpoint, is there a method for managing this? I see that during the installation Sophos AV connects to Central and registers the device. I would assume there should be a graceful way in the software to clean this up. What's the best practice here? Unfortunately, Support's answer was to manually delete the devices in the UI, which is obviously not scalable.

If anyone has encountered the same problem and has a good practice for managing this, please let me know!

Thanks!



  • Hi,

    The script going to the API is the best option here - this is one of the use cases the API was created for.

    Endpoint deletion is sticky to prevent unwanted data loss of important elements - things like BitLocker recovery keys. We don't age out entries.

    Although, if you want to propose a change (such as a setting to schedule deletes of offline elements after X days), you could do that at ideas.sophos.com.

    The best option in the UI (still manual) is to multi-select the computers and delete them en masse. I don't know what your naming convention is but if there was a consistent unique pattern you could filter by that to get the entries you need.

    I hope this helps.

    Richard

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support

  • Hey Richard,

    While I've got you, I'm running into a small problem with my POC. More of a nuisance than anything. It looks like the Endpoint ID in the API does not equal the ID found on the device or in the URL of the device on Sophos Central.

    In Sophos Central the construction of the URL is https://central.sophos.com/manage/devices/servers/<endpoint-id>/summary if I understand correctly.  I also find the same value on the device in the path /opt/sophos-av/etc/sophosav/mcs.config where the MCSID=<endpoint-id>, same as it appears in the URL.  From the API however the Endpoint ID does not match.  It appears slightly out of order.  I can't for the life of me remember how to figure this out right now.  Maybe it's endian-ness? 

    Here is an example:

    In the UI and on the device I have an endpoint with ID: 602eaa5e-3ad4-64ed-a808-c963f7726556

    From the API the same endpoint has "id": 06e2aae5-a34d-46de-8a80-9c367f275665

    Every set of two characters is reversed. I think I saw this in school but that was a while ago... looks like a bug or oversight?
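
The relationship between the two IDs quoted in the post above, as an added example that is not part of the thread and not Sophos code: it reads `MCSID` from the text of `mcs.config` and swaps the two hex digits of every byte to get the form the API returned. The swap rule is inferred only from the single ID pair in the post, the function names are hypothetical, and the sample config text is constructed.

```python
import re

# Canonical 8-4-4-4-12 hex layout shared by both forms of the ID.
_UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def read_mcsid(config_text):
    """Return the MCSID value from the text of mcs.config (key=value lines)."""
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "MCSID":
            return value.strip()
    raise ValueError("no MCSID= line found")


def swap_nibbles(endpoint_id):
    """Swap the two hex digits of every byte, leaving the hyphens in place."""
    if not _UUID_RE.match(endpoint_id):
        # Refuse anything that is not UUID-shaped rather than emit a bogus ID
        # that a cleanup script might later hand to a delete call.
        raise ValueError(f"not a UUID-shaped ID: {endpoint_id!r}")
    groups = endpoint_id.lower().split("-")
    swapped = [
        "".join(g[i + 1] + g[i] for i in range(0, len(g), 2)) for g in groups
    ]
    return "-".join(swapped)


def api_id_from_config(config_text):
    """Map the on-device MCSID to the ID form seen in the API response."""
    return swap_nibbles(read_mcsid(config_text))


# Constructed sample file: only the MCSID key and its value come from the post.
SAMPLE_MCS_CONFIG = """\
# constructed sample, other keys omitted
MCSID=602eaa5e-3ad4-64ed-a808-c963f7726556
"""

if __name__ == "__main__":
    print(api_id_from_config(SAMPLE_MCS_CONFIG))
```

The swap is its own inverse, so `swap_nibbles` also converts an ID taken from the API back to the form shown in the Central URL.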
