---
type: client
name: lonestar-electrical
display_name: Lone Star Electrical Systems LLC
last_compiled: 2026-06-02
compiled_by: HOWARD-HOME/claude-main
sources:
  - clients/lonestar-electrical/session-logs/2026-06-02-session.md
  - clients/lonestar-electrical/session-logs/2026-06-01-session.md
  - clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md
  - clients/lonestar-electrical/docs/apple-mdm-setup-reference.md
  - session-logs/2026-03-23-session.md
  - session-logs/2026-03-24-session.md
  - credentials.md
  - clients/lonestar-electrical/google-workspace.sops.yaml (vault)
  - temp/lonestar-russ-setup.py
  - temp/lonestar-kyla-reset.py
  - temp/lonestar-kyla-2fa-fix.py
backlinks: []
---

# Lone Star Electrical Systems LLC

Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the fleet for being a **Google Workspace** shop (not Microsoft 365) with mobile devices managed by **ManageEngine MDM** (Zoho), not Intune. Field-heavy: techs use phones/tablets on job sites.

---

## Profile

- **Company type:** Electrical contractor (field service)
- **Contract type:** Prepaid hour block
- **Hours remaining:** 17.0 hrs as of 2026-06-01 (Syncro live). Always live-check `GET /customers/33809612` before billing.
- **Billing rate:** (verify — check recent Syncro invoices; not captured in available sources)
- **Syncro customer ID:** `33809612` (Lone Star Electrical Systems LLC)
- **Address:** 3774 North Warren Avenue, Tucson, AZ
- **Managed assets (Syncro):** 1 asset on record
- **Sites:** Norris site (location of the LS-1 / LS-2 Win11 workstations)
- **Key contacts:**
  - Robin Eneix — robine@lonestarelectrical.net (Syncro primary contact)
  - Jose R. (joser@lonestarelectrical.net) — field user; subject of the 2026-03 personal-phone MDM issue
  - sysadmin@lonestarelectrical.net — Google Workspace admin account (ACG-managed)
  - James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role]
  - Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles]
  - Main phone on file (Syncro): 520-730-3642
- **Active ticket:** None open in Syncro as of 2026-06-01 (see Active Work)

---

## Infrastructure

### Email & Identity

- **Platform:** Google Workspace (domain `lonestarelectrical.net`). NOT Microsoft 365 — the M365 remediation tool does not apply here.
- **GWS admin:** sysadmin@lonestarelectrical.net
- **GWS mobile management:** set to **Basic** (no Google-native MDM push) — device management is delegated to ManageEngine.
- **ACG management plane:** Google Workspace API access via the `ACG-MSP-Access (Google Workspace)` service account (vault: MSP Tools). `lonestarelectrical.net` is an onboarded tenant. Service-account key: `temp/acg-msp-access-8f72339997e5.json`.

### Mobile Device Management (MDM)

- **Platform:** ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient
- **MDM admin:** mike@azcomputerguru.com (Zoho account, Super Admin)
- **Enrolled devices:** 2 company tablets (named **Zach** and **JOSE**), enrolled 2025-12-04 via QR code, fully managed. These are direct enrollments and are unaffected by the Google third-party-EMM integration.

### Workstations

- **LS-1, LS-2** — Windows workstations at the **Norris site**; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the **previous MSP** with **Sophos Endpoint Protection** (managed via the previous MSP's Sophos Central — no ACG access). Sophos removal is in progress (see Patterns and Active Work). Both enrolled in **GuruRMM** during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (`SafeBoot\Network`).

### Unraid Server

- **Status:** Running Unraid **7.1.4** as of 2026-06-02 (migrated to new USB flash drive).
- **Hostname:** [verify]
- **LAN IP:** [verify]
- **License type:** [verify — Basic / Plus / Pro]
- **Boot device:** New USB flash drive (written via Unraid USB Creator, 7.1.4). Original failed stick: label `UNRAID`, `/dev/sda1`, Generic Flash Disk 8GB — retired but kept as temporary backup until new stick confirmed stable.
- **Config:** Old `config/` folder (array assignments `super.dat`, shares, network settings, license `.key`) copied from the failing stick onto the new one. Disk layout and array configuration preserved; only the OS files are fresh.
- **License:** Re-registered to the new USB GUID via Unraid webGUI Tools > Registration > Replace Key on 2026-06-02.
- **Root credentials:** Carried over from the old `config/shadow`; root password is NOT yet vaulted for this client. Only ACG's own Unraid boxes are vaulted (`infrastructure/jupiter-unraid-primary.sops.yaml`, `infrastructure/uranus-unraid.sops.yaml`). [verify and vault]
- **Array/disk layout:** [verify — confirm all disks landed in correct slots from copied `super.dat`]
- **Health check:** Mike's Claude session was running a check on 2026-06-02 post-migration — results pending.
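
A post-migration integrity check for the flash swap described above, as an added example (not ACG's or Unraid's own tooling). It assumes each `bz*` boot file on the flash has a `<name>.sha256` sidecar whose first field is the hex digest; the function names and the directories passed in are hypothetical.

```shell
#!/bin/sh
# Added example: integrity checks for an Unraid flash migration.
# Assumption: each bz* boot file has a "<name>.sha256" sidecar whose first
# whitespace-delimited field is the expected hex digest.

# Print the SHA-256 of a file, or nothing if it is missing or unreadable.
sha() { sha256sum "$1" 2>/dev/null | awk '{print $1}'; }

# verify_boot_files DIR -> 0 only if every sidecar in DIR matches its file.
verify_boot_files() {
    dir=$1; bad=0; checked=0
    for sidecar in "$dir"/bz*.sha256; do
        [ -f "$sidecar" ] || continue
        file=${sidecar%.sha256}
        want=$(awk 'NR==1 {print tolower($1)}' "$sidecar")
        got=$(sha "$file")
        checked=$((checked + 1))
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "OK       ${file##*/}"
        else
            echo "MISMATCH ${file##*/}"; bad=1   # also covers missing/unreadable
        fi
    done
    [ "$checked" -gt 0 ] && [ "$bad" -eq 0 ]
}

# compare_config OLD NEW -> 0 only if every file under OLD exists under NEW
# with identical content. Run right after the copy, before first boot and
# before Replace Key, since both can change files in config/.
compare_config() {
    old=$1; new=$2; rc=0
    list=$(mktemp) || return 2
    (cd "$old" && find . -type f | sort) > "$list"
    while IFS= read -r rel; do
        a=$(sha "$old/$rel"); b=$(sha "$new/$rel")
        if [ -z "$a" ]; then echo "UNREADABLE on old stick: $rel"; rc=1
        elif [ "$a" != "$b" ]; then echo "DIFFERS or missing on new stick: $rel"; rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}
```

An `UNREADABLE` result from the old stick means that file was likely not copied intact either, which matters most for `super.dat` and the license `.key`.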

---

## Access

- **Google Workspace admin:** sysadmin@lonestarelectrical.net — vault: `clients/lonestar-electrical/google-workspace.sops.yaml`
- **ManageEngine MDM:** mike@azcomputerguru.com (Zoho Super Admin) — https://mdm.manageengine.com/webclient
- **GWS service account (programmatic):** `ACG-MSP-Access (Google Workspace)` (vault: MSP Tools); key file `temp/acg-msp-access-8f72339997e5.json`
- **Vault root:** `clients/lonestar-electrical/` in vault repo
- **Unraid server:** root credentials not yet vaulted [verify and vault]

---

## Patterns & Known Issues

- **Inherited Sophos with no Central access — kernel-driver tamper-protection removal (in progress 2026-05-28/29).** LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account — ACG has **no Central access**, so no remote uninstall and no way to disable tamper protection from the management plane. Tamper protection is enforced by the **`SophosED.sys` kernel boot driver** (`Start=0`, loads before `smss.exe`), which defeats every user-mode removal: `SophosZap` (blocked by TP), `SophosUninstall.exe` (only removes user-mode parts), `PendingFileRenameOperations` delete (driver loads too early), `sc config` (kernel callback), and ACL reset (kernel-level). **Resolution path is offline via WinRE:** delete `D:\Windows\System32\drivers\SophosED.sys`, load the offline SYSTEM hive and set the `Sophos Endpoint Defense` service `Start=4`, reboot, then `SophosZap.exe --confirm` (TP check now passes). Full step list in the 2026-05-29 session log. **Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible.** (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.)
- **Sophos shell extensions + Datto Cloud Continuity startup conflict (LS-2).** Presented as unresponsive desktop mouse clicks (until Ctrl+Alt+Del) and dead Start-menu right-click. Root cause: Sophos shell extensions competing with the Datto Cloud Continuity `/pop` startup entry during logon. Removing the Datto startup registry entry addressed the logon contention.
- **ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24).** A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. Root cause was **two independent triggers**: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a **third-party EMM provider inside Google Workspace** (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. **Fix required both:** disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change.
- **Google Workspace, not M365.** Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client.
- **Field/mobile-first.** Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface — the LS-1/LS-2 desktop work is the exception, not the norm.
- **Recurring `bzfirmware` checksum boot error = failing USB flash drive.** Replace the stick (Unraid USB Creator + copy old `config/` + re-register license to new GUID). Do NOT just replace the file — if the error recurs after a file-level fix, the stick itself is failing. Reusable for any Unraid box.

---

## Active Work

No open Syncro tickets as of 2026-06-01.

- **Sophos removal on LS-1 / LS-2 (IN PROGRESS).** `SophosED.sys` kernel boot driver still present and active on both machines; most user-mode Sophos services removed from LS-2. Offline WinRE completion step pending on both (delete driver, disable SED service in offline hive, reboot, `SophosZap --confirm`). Handed off to Howard via coord message `689cfb7c` (2026-06-01). A Syncro ticket "Sophos Endpoint Removal - LS-1 and LS-2" was drafted — verify it exists before logging time.
- **Unraid server USB replacement done (2026-06-02); PENDING:**
  - Create Syncro ticket documenting the USB failure, replacement (Unraid 7.1.4 via USB Creator), config copy, and license re-registration.
  - Capture and fold in the results of Mike's server health check (array start state, disk assignments, parity validity, registration status).
  - Verify array integrity: confirm all disks landed in correct slots from the copied `super.dat`; ensure no unwanted parity rebuild was triggered.
  - Vault the Lonestar Unraid root password and document the server in the wiki (hostname, IP, Unraid 7.1.4, license type).

---

## History Highlights

| Date | Event |
|---|---|
| 2025-12-04 | Two company tablets (Zach, JOSE) enrolled in ManageEngine MDM via QR code, fully managed |
| 2026-03-10 | Emergency: James's account hacked (Syncro #32010, resolved) |
| 2026-03-11 | Tablet unable to edit PDFs (#32015) |
| 2026-03-23 | Lonestar MDM issue investigated — identified ManageEngine self-enrollment as the cause of joser's personal-phone prompt; fix initially blocked by a broken Zoho portal page |
| 2026-03-24 | MDM issue RESOLVED — disabled ManageEngine self-enrollment AND removed ManageEngine as GWS third-party EMM. joser's phone stopped prompting immediately |
| 2026-05-04 | Win11 upgrades on LS-1 and LS-2 (#32244) |
| 2026-05-05 | iPhone field setup (#32251) |
| 2026-05-28/29 | Sophos removal on LS-1/LS-2 begun: enrolled in GuruRMM, removed Datto startup conflict (LS-2), registered Safe Mode agents, removed user-mode Sophos; blocked by `SophosED.sys` kernel driver — WinRE offline removal staged (Ventoy USB), completion pending |
| 2026-06-01 | Recovered the (previously unlogged) Sophos removal context, reconstructed it into a session log, and handed the WinRE completion procedure to Howard via coordinator (msg `689cfb7c`) |
| 2026-06-02 | Unraid server USB flash drive failed (recurring bzfirmware checksum error); migrated to new stick (Unraid 7.1.4 via USB Creator), copied old config/, re-registered license to new GUID |

---

## Compilation Notes

- Refreshed 2026-06-02 (recompile by HOWARD-HOME/claude-main) to absorb the 2026-06-02 session log: added Unraid server infrastructure subsection, new `bzfirmware` checksum pattern, history row, and pending Active Work items.
- Refreshed 2026-06-01 (full recompile) to incorporate the 2026-05-28/29 Sophos removal work, which had previously been lost — it was never written to a session log and survived only in a gitignored temp draft (`.claude/tmp/ollama_prompt.txt`) and coord message `8a5cb25c`. A proper session log was reconstructed at `clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md` before this compile.
- Seeded 2026-05-26 from two March session logs + credentials.md + vault entry + temp provisioning scripts, enriched with live Syncro data (customer 33809612).
- **Vault slug is `lonestar-electrical`** (matches `clients/lonestar-electrical/` in the vault), though session logs and temp scripts use the un-hyphenated `lonestar`.
- Lonestar work now lives in both `clients/lonestar-electrical/` (docs + session-logs) and root session logs / `temp/` scripts.
- Flagged `[verify]`: billing rate; exact roles/names for James, Kyla, Russ; full workstation inventory; Unraid server hostname/IP/license type/root credentials.

## Backlinks

*(none yet)*