sync: auto-sync from GURU-5070 at 2026-06-08 19:04:33

Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-08 19:04:33
2026-06-08 19:05:25 -07:00
parent d250086933
commit a0e01c3d39
1 changed files with 70 additions and 0 deletions
--- a/wiki/clients/safesite.md
+++ b/wiki/clients/safesite.md
@@ -0,0 +1,70 @@
+---
+title: Safe Site Utility Services LLC
+type: client
+slug: safesite
+last_verified: 2026-06-08
+source_logs:
+  - session-logs/2026-06/2026-06-08-mike-safesite-investigation.md
+---
+
+# Safe Site Utility Services LLC
+
+MSP client. Fragmented endpoint management across **four** systems (Datto RMM, Intune/MDM,
+ScreenConnect, Syncro) — a GuruRMM consolidation is in progress.
+
+## M365 tenant
+- **Domain:** safesitellc.com · **Tenant ID:** `71b4e637-c802-4137-a812-ae50dbc839e3`
+- **Onboarded apps (ComputerGuru MSP suite), verified live 2026-06-08:**
+  - Security Investigator, User Manager, Tenant Admin — Graph, consented + reading.
+  - **Intune Manager** (`46986910-aa47-4e5e-b596-f65c6b485abb`) — **consented 2026-06-08** (Mike, GA).
+    Holds full Intune write scopes (DeviceManagementConfiguration/ManagedDevices/Apps ReadWrite.All
+    + ManagedDevices.PrivilegedOperations.All). Use the `intune-manager` get-token tier.
+  - Exchange Operator/Investigator-EXO: token issues but EXO `InvokeCommand` 401 — the SP lacks the
+    **Exchange Administrator** role in-tenant (not yet assigned). Defender tier: reachable but **0
+    devices onboarded** to MDE (no endpoint EDR telemetry).
+- **get-token note:** `~/.claude/identity.json` lacks `vault_path` on GURU-5070 → pass
+  `VAULT_ROOT_ENV=D:/vault` to `remediation-tool/scripts/get-token.sh`.
+
+## Intune posture (45 Windows devices, enrollment-only)
+- 45 Windows MDM devices; **no compliance policies, no configuration profiles** (settings catalog
+  empty). Enrollment configs are all default. **One** deployed app: **ScreenConnect Client**.
+- **Security gaps:** 22 of 45 **unencrypted** (no BitLocker, nothing enforcing it); 8 noncompliant.
+- Devices enrolled under **IT/admin accounts** (JonathanB@, sysadmin@, subhamb@, mailadmin1@), NOT
+  end users — so Intune's `userPrincipalName` does NOT identify the real operator. Use **Datto's
+  Last User** for person→machine attribution instead.
+
+## Endpoint management fragmentation (reconciled 2026-06-08)
+Unified inventory by hostname across all four sources = **73 unique machines**.
+- **Datto RMM = the near-master list (71/73)** and carries real `Last User` + AV/EDR status.
+  Only `0325-DELL3550` and `LAPTOP` are absent from Datto (Intune-only).
+- Intune 42 · Syncro 24 · GuruRMM 18 (as of 2026-06-08).
+- No Datto API creds in vault — Datto data comes from console CSV export.
+- ScreenConnect API key only supports `GetSessionsByName` (blank for agents) → **cannot enumerate**
+  the fleet; see [[reference_screenconnect_api]].
+
+## GuruRMM
+- Client **Safesite** `fe17552f-736b-42ec-86a2-0e6f107f2397`. Sites: **Bell** (RED-HAWK-6595),
+  **Glendale** (SWIFT-OCEAN-8321), **Unknown** (LIGHT-CLOUD-3585, created 2026-06-08 as the
+  catch-all bucket for un-attributed push installs).
+- 18 agents enrolled; **55 of 73 machines still need the agent**. Agents observed **offline /
+  WS-disconnected** 2026-06-08 (dispatches go to `pending`) while the same machines are **Online in
+  Datto** — Datto/Intune are the live push channels, not GuruRMM, right now.
+
+## NexSite recalled-email investigation (2026-06-08)
+External sender m.paris@nexsitepartners.com sent "Re: NWWells - SafeSite - Vendor Forms" with
+attachment **`SSUS 06122026.PDF`** to 9 Safe Site recipients on 2026-06-08 ~18:54 UTC; recalled.
+IT contact: Jonathan Byrd (j.byrd@nexsitepartners.com). Goal: determine if the PDF was
+accessed/downloaded on managed endpoints.
+- **No EDR back-telemetry** (MDE 0 devices) → endpoint history can only come from **on-disk
+  artifact recovery** (file search + Zone.Identifier MotW + Outlook cache + browser DL history +
+  RecentDocs), run via a live channel.
+- **Recipient → machine (via Datto Last User):** beeanna=`0225-DELL3550`, david=`0622-DAVID-HP`,
+  jon=`0525-ASUSFX707Z`, justinb=`0525-DELL3550-1`, lennyg=`DESKTOP-3USU20B`,
+  suzannep=`1122-SUZANNE-DELL`, travisf=`MSI`, jeremiahw=`DESKTOP-LOPKB4G`, thomasc=`0724-DELL3550`.
+- Caveat: artifact recovery proves "downloaded=yes"; it cannot prove "never accessed". Only covers
+  managed machines (not phones/personal). Time-sensitive — artifacts age out.
+
+## Open items
+- Choose forensic channel (Datto console job vs Intune proactive remediation) — GuruRMM agents
+  offline. Push GuruRMM agent to the 55 gap machines. Assign Exchange Admin role to the Sec
+  Investigator SP if mailbox-audit forensic is wanted. Remediate the 22 unencrypted endpoints.