From 4c6c554faf9f226d194d66371d1b23bbedf57b3c Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Tue, 26 May 2026 16:30:51 -0700 Subject: [PATCH] wiki: seed Lone Star Electrical Systems (client:lonestar-electrical) Seeded from March MDM session logs + Syncro (customer 33809612) + vault. Google Workspace shop with ManageEngine MDM (Zoho); documents the dual-EMM self-enrollment trap resolved 2026-03-24. Co-Authored-By: Claude Opus 4.7 (1M context) --- wiki/clients/lonestar-electrical.md | 112 ++++++++++++++++++++++++++++ wiki/index.md | 1 + 2 files changed, 113 insertions(+) create mode 100644 wiki/clients/lonestar-electrical.md diff --git a/wiki/clients/lonestar-electrical.md b/wiki/clients/lonestar-electrical.md new file mode 100644 index 0000000..dd866dd --- /dev/null +++ b/wiki/clients/lonestar-electrical.md 
@@ -0,0 +1,112 @@ +--- +type: client +name: lonestar-electrical +display_name: Lone Star Electrical Systems LLC +last_compiled: 2026-05-26 +compiled_by: GURU-5070/claude-main +sources: + - session-logs/2026-03-23-session.md + - session-logs/2026-03-24-session.md + - credentials.md + - clients/lonestar-electrical/google-workspace.sops.yaml (vault) + - temp/lonestar-russ-setup.py + - temp/lonestar-kyla-reset.py + - temp/lonestar-kyla-2fa-fix.py +backlinks: [] +--- + +# Lone Star Electrical Systems LLC + +Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the fleet for being a **Google Workspace** shop (not Microsoft 365) with mobile devices managed by **ManageEngine MDM** (Zoho), not Intune. Field-heavy: techs use phones/tablets on job sites. + +--- + +## Profile + +- **Company type:** Electrical contractor (field service) +- **Contract type:** Prepaid hour block +- **Hours remaining:** 17.25 hrs as of 2026-05-26 (Syncro live). Always live-check `GET /customers/33809612` before billing. +- **Billing rate:** (verify — check recent Syncro invoices; not captured in available sources) +- **Syncro customer ID:** `33809612` (Lone Star Electrical Systems LLC) +- **Address:** 3774 North Warren Avenue, Tucson, AZ +- **Managed assets (Syncro):** 1 asset on record +- **Key contacts:** + - Robin Eneix — robine@lonestarelectrical.net (Syncro primary contact) + - Jose R. (joser@lonestarelectrical.net) — field user; subject of the 2026-03 personal-phone MDM issue + - sysadmin@lonestarelectrical.net — Google Workspace admin account (ACG-managed) + - James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role] + - Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles] +- **Active ticket:** None open in Syncro as of 2026-05-26 (see Active Work) + +--- + +## Infrastructure + +### Email & Identity + +- **Platform:** Google Workspace (domain `lonestarelectrical.net`). 
NOT Microsoft 365 — the M365 remediation tool does not apply here. +- **GWS admin:** sysadmin@lonestarelectrical.net +- **GWS mobile management:** set to **Basic** (no Google-native MDM push) — device management is delegated to ManageEngine. +- **ACG management plane:** Google Workspace API access via the `ACG-MSP-Access (Google Workspace)` service account (vault: MSP Tools). `lonestarelectrical.net` is an onboarded tenant. Service-account key: `temp/acg-msp-access-8f72339997e5.json`. + +### Mobile Device Management (MDM) + +- **Platform:** ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient +- **MDM admin:** mike@azcomputerguru.com (Zoho account, Super Admin) +- **Enrolled devices:** 2 company tablets (named **Zach** and **JOSE**), enrolled 2025-12-04 via QR code, fully managed. These are direct enrollments and are unaffected by the Google third-party-EMM integration. + +### Workstations + +- **LS-1, LS-2** — Windows workstations; both upgraded to Win11 on 2026-05-04 (Syncro #32244). [Further inventory not documented] + +--- + +## Access + +- **Google Workspace admin:** sysadmin@lonestarelectrical.net — vault: `clients/lonestar-electrical/google-workspace.sops.yaml` +- **ManageEngine MDM:** mike@azcomputerguru.com (Zoho Super Admin) — https://mdm.manageengine.com/webclient +- **GWS service account (programmatic):** `ACG-MSP-Access (Google Workspace)` (vault: MSP Tools); key file `temp/acg-msp-access-8f72339997e5.json` +- **Vault root:** `clients/lonestar-electrical/` in vault repo + +--- + +## Patterns & Known Issues + +- **ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24).** A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. 
Root cause was **two independent triggers**: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a **third-party EMM provider inside Google Workspace** (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. **Fix required both:** disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change. +- **Google Workspace, not M365.** Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client. +- **Field/mobile-first.** Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface. + +--- + +## Active Work + +No open Syncro tickets as of 2026-05-26. Two tickets in "Customer Reply" status (awaiting client): +- #32251 — iPhone: set up cell phone for use in the field (2026-05-05) +- #32215 — QuickBooks issues (2026-04-25) + +--- + +## History Highlights + +| Date | Event | +|---|---| +| 2025-12-04 | Two company tablets (Zach, JOSE) enrolled in ManageEngine MDM via QR code, fully managed | +| 2026-03-10 | Emergency: James's account hacked (Syncro #32010, resolved) | +| 2026-03-11 | Tablet unable to edit PDFs (#32015) | +| 2026-03-23 | Lonestar MDM issue investigated — identified ManageEngine self-enrollment as the cause of joser's personal-phone prompt; fix initially blocked by a broken Zoho portal page | +| 2026-03-24 | MDM issue RESOLVED — disabled ManageEngine self-enrollment AND removed ManageEngine as GWS third-party EMM. 
joser's phone stopped prompting immediately | +| 2026-05-04 | Win11 upgrades on LS-1 and LS-2 (#32244) | +| 2026-05-05 | iPhone field setup (#32251) | + +--- + +## Compilation Notes + +- Seeded 2026-05-26 from two March session logs + credentials.md + vault entry + temp provisioning scripts, enriched with live Syncro data (customer 33809612). +- **Vault slug is `lonestar-electrical`** (matches `clients/lonestar-electrical/` in the vault), though session logs and temp scripts use the un-hyphenated `lonestar`. +- **No dedicated project folder** — Lonestar work lives in root session logs and `temp/` scripts; there is no `clients/lonestar*/` working directory or `projects/` entry in the ClaudeTools repo (only the vault folder exists). +- Flagged `[verify]`: billing rate; exact roles/names for James, Kyla, Russ; full workstation inventory. + +## Backlinks + +*(none yet)* diff --git a/wiki/index.md b/wiki/index.md index 38b9d40..05850e7 100644 --- a/wiki/index.md +++ b/wiki/index.md 
@@ -40,6 +40,7 @@ Run `/wiki-lint` to check for stale entries and broken backlinks. | [Western Tire](clients/western-tire.md) | Tire retail (jackfurriers.com brand); Mike Furrier owner (Syncro ID 391491); email migrated from websvr to IX 2026-04-22; 30 mailboxes; SSL cert expires 2026-05-30 | 2026-05-24 | | [Kittle (general contractor)](clients/kittle.md) | General contractor Tucson AZ; Syncro 32460233; HPE MicroServer Gen11 WS2025 EVAL at 10.0.0.5; no backups, no firewall; DKIM/DMARC missing; 3 plaintext creds in Syncro notes; GuruRMM onboarding 2026-05-08 | 2026-05-24 | | [Khalsa (two-site)](clients/khalsa.md) | Two-site client (Camden + River); onboarding not completed; domain khalsa.local, DC TROUT at 10.11.12.254; Mac domain-join runbook documented; template docs otherwise empty | 2026-05-24 | +| [Lone Star Electrical Systems](clients/lonestar-electrical.md) | Electrical contractor Tucson AZ; Syncro 33809612, prepaid block 17.25 hrs; Google Workspace (not M365); ManageEngine MDM (Zoho); 2026-03 dual-EMM self-enrollment trap resolved; field/mobile-first | 2026-05-26 | | [Anaise](clients/anaise.md) | Single workstation client; contact David (anaisedavid.office@gmail.com); DESKTOP-O8GF4SD; creds in vault at clients/anaise/desktop-o8gf4sd.sops.yaml; onboarding incomplete; M365 enrollment unconfirmed | 2026-05-24 | | [ACG Website (azcomputerguru.com)](clients/azcomputerguru.com.md) | Public website redesign (Astro); score 33/40; placeholder testimonials + no-backend form are pre-launch blockers; OKLCH token design system; see internal-infrastructure.md for ACG servers | 2026-05-24 | | [Quantum WMS](clients/quantumwms.md) | WMS company; quantumwms.com tenant (ddf3d2c9); GoDaddy decoupling + M365 migration; 2x Business Premium + Exchange Online Plan 1; deadline 2026-06-03; Tenant Admin consented 2026-05-26 | 2026-05-26 |
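Review bot: In wiki/clients/lonestar-electrical.md, the "ACG management plane" bullet under Infrastructure and the "GWS service account (programmatic)" bullet under Access both record the service-account key as `temp/acg-msp-access-8f72339997e5.json`. That documents a temp directory as the working location for a Google Workspace credential, even though the same bullets say the account is held in the vault (MSP Tools). Suggest pointing both bullets at the vault entry only, the way the Google Workspace admin bullet cites `clients/lonestar-electrical/google-workspace.sops.yaml`, and confirming the temp/ key file is not tracked in the repo. The front matter also lists `credentials.md` as a source next to the vault file; say whether that file is encrypted, or drop it from `sources:`.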
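Review bot: In the wiki/index.md hunk, the added Lone Star row copies "prepaid block 17.25 hrs" into the index summary, but the client page added in this same patch treats that figure as point-in-time ("as of 2026-05-26 (Syncro live)", "Always live-check `GET /customers/33809612` before billing"). The index copy carries no such qualifier and goes stale as soon as hours are billed. Suggest keeping only "prepaid block" in the index row and leaving the number on the client page, next to the live-check instruction.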