--- title: Safe Site Utility Services LLC type: client slug: safesite last_verified: 2026-06-08 source_logs: - session-logs/2026-06/2026-06-08-mike-safesite-investigation.md --- # Safe Site Utility Services LLC MSP client. Fragmented endpoint management across **four** systems (Datto RMM, Intune/MDM, ScreenConnect, Syncro) — a GuruRMM consolidation is in progress. ## M365 tenant - **Domain:** safesitellc.com · **Tenant ID:** `71b4e637-c802-4137-a812-ae50dbc839e3` - **Onboarded apps (ComputerGuru MSP suite), verified live 2026-06-08:** - Security Investigator, User Manager, Tenant Admin — Graph, consented + reading. - **Intune Manager** (`46986910-aa47-4e5e-b596-f65c6b485abb`) — **consented 2026-06-08** (Mike, GA). Holds full Intune write scopes (DeviceManagementConfiguration/ManagedDevices/Apps ReadWrite.All + ManagedDevices.PrivilegedOperations.All). Use the `intune-manager` get-token tier. - Exchange Operator/Investigator-EXO: token issues but EXO `InvokeCommand` 401 — the SP lacks the **Exchange Administrator** role in-tenant (not yet assigned). Defender tier: reachable but **0 devices onboarded** to MDE (no endpoint EDR telemetry). - **get-token note:** `~/.claude/identity.json` lacks `vault_path` on GURU-5070 → pass `VAULT_ROOT_ENV=D:/vault` to `remediation-tool/scripts/get-token.sh`. ## Intune posture (45 Windows devices, enrollment-only) - 45 Windows MDM devices; **no compliance policies, no configuration profiles** (settings catalog empty). Enrollment configs are all default. **One** deployed app: **ScreenConnect Client**. - **Security gaps:** 22 of 45 **unencrypted** (no BitLocker, nothing enforcing it); 8 noncompliant. - Devices enrolled under **IT/admin accounts** (JonathanB@, sysadmin@, subhamb@, mailadmin1@), NOT end users — so Intune's `userPrincipalName` does NOT identify the real operator. Use **Datto's Last User** for person→machine attribution instead. ## Endpoint management fragmentation (reconciled 2026-06-08) Unified inventory by hostname across all four sources = **73 unique machines**. - **Datto RMM = the near-master list (71/73)** and carries real `Last User` + AV/EDR status. Only `0325-DELL3550` and `LAPTOP` are absent from Datto (Intune-only). - Intune 42 · Syncro 24 · GuruRMM 18 (as of 2026-06-08). - No Datto API creds in vault — Datto data comes from console CSV export. - ScreenConnect API key only supports `GetSessionsByName` (blank for agents) → **cannot enumerate** the fleet; see [[reference_screenconnect_api]]. ## GuruRMM - Client **Safesite** `fe17552f-736b-42ec-86a2-0e6f107f2397`. Sites: **Bell** (RED-HAWK-6595), **Glendale** (SWIFT-OCEAN-8321), **Unknown** (LIGHT-CLOUD-3585, created 2026-06-08 as the catch-all bucket for un-attributed push installs). - 18 agents enrolled; **55 of 73 machines still need the agent**. Agents observed **offline / WS-disconnected** 2026-06-08 (dispatches go to `pending`) while the same machines are **Online in Datto** — Datto/Intune are the live push channels, not GuruRMM, right now. ## NexSite recalled-email investigation (2026-06-08) External sender m.paris@nexsitepartners.com sent "Re: NWWells - SafeSite - Vendor Forms" with attachment **`SSUS 06122026.PDF`** to 9 Safe Site recipients on 2026-06-08 ~18:54 UTC; recalled. IT contact: Jonathan Byrd (j.byrd@nexsitepartners.com). Goal: determine if the PDF was accessed/downloaded on managed endpoints. - **No EDR back-telemetry** (MDE 0 devices) → endpoint history can only come from **on-disk artifact recovery** (file search + Zone.Identifier MotW + Outlook cache + browser DL history + RecentDocs), run via a live channel. - **Recipient → machine (via Datto Last User):** beeanna=`0225-DELL3550`, david=`0622-DAVID-HP`, jon=`0525-ASUSFX707Z`, justinb=`0525-DELL3550-1`, lennyg=`DESKTOP-3USU20B`, suzannep=`1122-SUZANNE-DELL`, travisf=`MSI`, jeremiahw=`DESKTOP-LOPKB4G`, thomasc=`0724-DELL3550`. - Caveat: artifact recovery proves "downloaded=yes"; it cannot prove "never accessed". Only covers managed machines (not phones/personal). Time-sensitive — artifacts age out. ## Open items - Choose forensic channel (Datto console job vs Intune proactive remediation) — GuruRMM agents offline. Push GuruRMM agent to the 55 gap machines. Assign Exchange Admin role to the Sec Investigator SP if mailbox-audit forensic is wanted. Remediate the 22 unencrypted endpoints.