claudetools/wiki/clients/lonestar-electrical.md
Mike Swanson 5bba410450 wiki: compile lonestar-electrical (full) + reconstruct Sophos removal log
Reconstructs the 2026-05-28/29 Sophos removal work on LS-1/LS-2 that was
never saved to a session log (survived only in a gitignored temp draft +
coord message). Adds the kernel-driver tamper-protection removal pattern
and WinRE completion steps; refreshes live Syncro data (17.0 prepaid hrs).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-01 18:18:32 -07:00


type: client
name: lonestar-electrical
display_name: Lone Star Electrical Systems LLC
last_compiled: 2026-06-01
compiled_by: GURU-5070/claude-main
sources:
  • clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md
  • clients/lonestar-electrical/docs/apple-mdm-setup-reference.md
  • session-logs/2026-03-23-session.md
  • session-logs/2026-03-24-session.md
  • credentials.md
  • clients/lonestar-electrical/google-workspace.sops.yaml (vault)
  • temp/lonestar-russ-setup.py
  • temp/lonestar-kyla-reset.py
  • temp/lonestar-kyla-2fa-fix.py
backlinks:

Lone Star Electrical Systems LLC

Electrical contractor in Tucson, AZ. ACG-managed client. Distinctive in the fleet for being a Google Workspace shop (not Microsoft 365) with mobile devices managed by ManageEngine MDM (Zoho), not Intune. Field-heavy: techs use phones/tablets on job sites.


Profile

  • Company type: Electrical contractor (field service)
  • Contract type: Prepaid hour block
  • Hours remaining: 17.0 hrs as of 2026-06-01 (Syncro live). Always live-check GET /customers/33809612 before billing.
  • Billing rate: (verify — check recent Syncro invoices; not captured in available sources)
  • Syncro customer ID: 33809612 (Lone Star Electrical Systems LLC)
  • Address: 3774 North Warren Avenue, Tucson, AZ
  • Managed assets (Syncro): 1 asset on record
  • Sites: Norris site (location of the LS-1 / LS-2 Win11 workstations)
  • Key contacts:
    • Robin Eneix — robine@lonestarelectrical.net (Syncro primary contact)
    • Jose R. (joser@lonestarelectrical.net) — field user; subject of the 2026-03 personal-phone MDM issue
    • sysadmin@lonestarelectrical.net — Google Workspace admin account (ACG-managed)
    • James — account compromised 2026-03-10 (Syncro #32010); [verify current name/role]
    • Kyla, Russ — GWS user accounts touched via provisioning/2FA scripts (temp/); [verify roles]
    • Main phone on file (Syncro): 520-730-3642
  • Active ticket: None open in Syncro as of 2026-06-01 (see Active Work)

Infrastructure

Email & Identity

  • Platform: Google Workspace (domain lonestarelectrical.net). NOT Microsoft 365 — the M365 remediation tool does not apply here.
  • GWS admin: sysadmin@lonestarelectrical.net
  • GWS mobile management: set to Basic (no Google-native MDM push) — device management is delegated to ManageEngine.
  • ACG management plane: Google Workspace API access via the ACG-MSP-Access (Google Workspace) service account (vault: MSP Tools). lonestarelectrical.net is an onboarded tenant. Service-account key: temp/acg-msp-access-8f72339997e5.json.

Mobile Device Management (MDM)

  • Platform: ManageEngine MDM (Zoho) — https://mdm.manageengine.com/webclient
  • MDM admin: mike@azcomputerguru.com (Zoho account, Super Admin)
  • Enrolled devices: 2 company tablets (named Zach and JOSE), enrolled 2025-12-04 via QR code, fully managed. These are direct enrollments and are unaffected by the Google third-party-EMM integration.

Workstations

  • LS-1, LS-2 — Windows workstations at the Norris site; both upgraded to Win11 on 2026-05-04 (Syncro #32244). Both were inherited from the previous MSP with Sophos Endpoint Protection (managed via the previous MSP's Sophos Central — no ACG access). Sophos removal is in progress (see Patterns and Active Work). Both enrolled in GuruRMM during the 2026-05 removal work; ScreenConnect + GuruRMM agents registered for Safe Mode (SafeBoot\Network).

Access


Patterns & Known Issues

  • Inherited Sophos with no Central access — kernel-driver tamper-protection removal (in progress 2026-05-28/29). LS-1 and LS-2 came from the previous MSP running Sophos Endpoint Protection managed via the previous MSP's Sophos Central account — ACG has no Central access, so no remote uninstall and no way to disable tamper protection from the management plane. Tamper protection is enforced by the SophosED.sys kernel boot driver (Start=0, loads before smss.exe), which defeats every user-mode removal: SophosZap (blocked by TP), SophosUninstall.exe (only removes user-mode parts), PendingFileRenameOperations delete (driver loads too early), sc config (kernel callback), and ACL reset (kernel-level). Resolution path is offline via WinRE: delete D:\Windows\System32\drivers\SophosED.sys, load the offline SYSTEM hive and set the Sophos Endpoint Defense service Start=4, reboot, then SophosZap.exe --confirm (TP check now passes). Full step list in the 2026-05-29 session log. Reusable for any inherited-MSP Sophos/CrowdStrike/SentinelOne removal where tamper protection is enforced and the management console is inaccessible. (Related: GuruRMM SPEC-015 safeboot-network-registration aims to automate exactly this remote-Safe-Mode removal flow.)
  • Sophos shell extensions + Datto Cloud Continuity startup conflict (LS-2). Presented as unresponsive desktop mouse clicks (until Ctrl+Alt+Del) and dead Start-menu right-click. Root cause: Sophos shell extensions competing with the Datto Cloud Continuity /pop startup entry during logon. Removing the Datto startup registry entry addressed the logon contention.
  • ManageEngine + Google Workspace dual-EMM trap (resolved 2026-03-24). A personal phone repeatedly prompted for MDM enrollment when the user added their Lonestar Google account. Root cause was two independent triggers: (1) ManageEngine MDM self-enrollment was enabled for all directory groups, AND (2) ManageEngine was configured as a third-party EMM provider inside Google Workspace (Devices > Mobile & endpoints > Settings > Third-party integrations). The Google integration enforces enrollment on any device that adds a Lonestar account — independent of ManageEngine's own self-enrollment setting. Fix required both: disable ManageEngine self-enrollment (Enrollment > Self Enrollment > Disable) AND remove ManageEngine as the third-party EMM in the GWS Admin Console. Disabling only one leaves the prompt in place. Company tablets enrolled directly via QR code are unaffected by either change.
  • Google Workspace, not M365. Reach for GWS Admin Console + the ACG-MSP-Access service account for identity work. The M365 remediation-tool app suite does not apply to this client.
  • Field/mobile-first. Most tickets are phone/tablet/field-device oriented (iPhone field setup, tablet PDF editing). Expect mobile, not desktop, as the primary support surface — the LS-1/LS-2 desktop work is the exception, not the norm.
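A read-only state check for the inherited-Sophos pattern above, added here as an example; it is not from the 2026-05-29 session log or any ACG tooling. It lists every service key whose name or ImagePath mentions Sophos, decodes the Start value, and for kernel drivers confirms whether the .sys file is still on disk, so a tech can verify before rebooting out of WinRE that the boot driver is gone and Start=4 took, and again afterwards that nothing boot-start remains before running SophosZap. Defaults target the live registry; the -ServicesKey and -DriverDir parameters, the HKLM\OfflineSys mount name and the D: volume letter in the comment are assumptions for pointing it at an offline hive loaded from WinRE.

```powershell
<#
  Sophos-removal state check (added example; not from the session log).
  Live use:    .\Check-SophosState.ps1
  From WinRE:  reg load HKLM\OfflineSys D:\Windows\System32\config\SYSTEM
               .\Check-SophosState.ps1 -ServicesKey 'HKLM:\OfflineSys\ControlSet001\Services' `
                                       -DriverDir  'D:\Windows\System32\drivers'
  HKLM\OfflineSys and D: are assumed names; ControlSet001 is the usual default
  control set, but confirm it against the offline hive's Select\Default value.
#>
param(
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',
    [string]$DriverDir   = (Join-Path $env:SystemRoot 'System32\drivers')
)

$startNames  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
$driverTypes = @(1, 2)   # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER

$rows = foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction Stop) {
    $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    if ($key.PSChildName -notlike 'Sophos*' -and "$($p.ImagePath)" -notmatch 'Sophos') { continue }

    $isDriver = $driverTypes -contains $p.Type
    # For kernel drivers, resolve the image file name under the live or offline drivers directory
    $driverFile = if ($isDriver -and $p.ImagePath) {
        Join-Path $DriverDir (Split-Path -Leaf $p.ImagePath)
    }
    [pscustomobject]@{
        Service   = $key.PSChildName
        Kind      = if ($isDriver) { 'driver' } else { 'service' }
        Start     = if ($null -eq $p.Start) { 'unset' } else { "$($p.Start) ($($startNames[[int]$p.Start]))" }
        ImagePath = $p.ImagePath
        OnDisk    = if ($driverFile) { Test-Path $driverFile } else { 'n/a' }
    }
}

$rows | Format-Table -AutoSize

# The blocker from the pattern: a boot-start (Start=0) kernel driver whose file is still present
$blockers = $rows | Where-Object { $_.Kind -eq 'driver' -and $_.Start -like '0 *' -and $_.OnDisk -eq $true }
if ($blockers) {
    Write-Warning ("Boot-start Sophos driver(s) still active: " + ($blockers.Service -join ', ') +
                   ". Offline WinRE step not yet complete.")
} else {
    Write-Host 'No boot-start Sophos drivers found; the SophosZap tamper-protection check should now pass.'
}
```

Run it once from the live desktop to record the starting state, once from WinRE against the loaded offline hive after the driver delete and Start=4 edit, and once more after the reboot before SophosZap --confirm. Keep the three outputs with the ticket so the before/after state is on record.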

Active Work

No open Syncro tickets as of 2026-06-01.

  • Sophos removal on LS-1 / LS-2 (IN PROGRESS). SophosED.sys kernel boot driver still present and active on both machines; most user-mode Sophos services removed from LS-2. Offline WinRE completion step pending on both (delete driver, disable SED service in offline hive, reboot, SophosZap --confirm). Handed off to Howard via coord message 689cfb7c (2026-06-01). A Syncro ticket "Sophos Endpoint Removal - LS-1 and LS-2" was drafted — verify it exists before logging time.

History Highlights

| Date | Event |
| --- | --- |
| 2025-12-04 | Two company tablets (Zach, JOSE) enrolled in ManageEngine MDM via QR code, fully managed |
| 2026-03-10 | Emergency: James's account hacked (Syncro #32010, resolved) |
| 2026-03-11 | Tablet unable to edit PDFs (#32015) |
| 2026-03-23 | Lonestar MDM issue investigated — identified ManageEngine self-enrollment as the cause of joser's personal-phone prompt; fix initially blocked by a broken Zoho portal page |
| 2026-03-24 | MDM issue RESOLVED — disabled ManageEngine self-enrollment AND removed ManageEngine as GWS third-party EMM. joser's phone stopped prompting immediately |
| 2026-05-04 | Win11 upgrades on LS-1 and LS-2 (#32244) |
| 2026-05-05 | iPhone field setup (#32251) |
| 2026-05-28/29 | Sophos removal on LS-1/LS-2 begun: enrolled in GuruRMM, removed Datto startup conflict (LS-2), registered Safe Mode agents, removed user-mode Sophos; blocked by SophosED.sys kernel driver — WinRE offline removal staged (Ventoy USB), completion pending |

Compilation Notes

  • Refreshed 2026-06-01 (full recompile) to incorporate the 2026-05-28/29 Sophos removal work, which had previously been lost — it was never written to a session log and survived only in a gitignored temp draft (.claude/tmp/ollama_prompt.txt) and coord message 8a5cb25c. A proper session log was reconstructed at clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md before this compile.
  • Seeded 2026-05-26 from two March session logs + credentials.md + vault entry + temp provisioning scripts, enriched with live Syncro data (customer 33809612).
  • Vault slug is lonestar-electrical (matches clients/lonestar-electrical/ in the vault), though session logs and temp scripts use the un-hyphenated lonestar.
  • Lonestar work now lives in both clients/lonestar-electrical/ (docs + session-logs) and root session logs / temp/ scripts.
  • Flagged [verify]: billing rate; exact roles/names for James, Kyla, Russ; full workstation inventory.

(none yet)