Files
claudetools/projects/gps-rmm-audit/tracker.md
Howard Enos c82c1c76bb sync: auto-sync from HOWARD-HOME at 2026-07-03 17:22:21
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-03 17:22:21
2026-07-03 17:22:47 -07:00

18 KiB

GPS -> GuruRMM Coverage Audit

Goal: For every business/client paying for GPS (Guru Protection Service), verify that GuruRMM is set up correctly — the org/account exists, the machines they pay for are all enrolled and reporting, and the services they pay for (backups, AV, email) are actually configured and working. Where the client wiki is missing host/login/provider info, fill those gaps as we go (credentials -> SOPS vault via /vault).

Source of truth for "should have": Syncro active recurring schedules (device counts + service line items). Reality: GuruRMM /api/agents, plus backup/AV/email tooling.

  • Started: 2026-07-03 (Howard)
  • AV STRATEGY (Howard 2026-07-03): migrate Bitdefender -> Datto EDR for ALL clients except Glaztech and Dataforth (those two keep Bitdefender). Target end-state per machine (non-exempt) = GuruRMM agent + Datto EDR + Bitdefender removed. Bitdefender inventory is now only a discovery source (which machines exist), not a coverage target. See memory project_av_migration_bitdefender_to_edr.
  • Scope: 40 active GPS clients (4 paused clients excluded: Marcia Ashton, Tucson Mountain Motors, Richard Pittman, Brenda Lopez)
  • GPS device count = sum of GPS workstation + server SKUs (excludes AntiVirus add-on, discounts, setup)

Per-client verification checklist (each client)

  • 1. RMM org/account exists and is named correctly
  • 2. Machine count in RMM matches GPS devices billed (reconcile every host)
  • 3. Services billed are actually configured + working: Backup / AV / Email / VoIP
  • 4. Client wiki has: host/provider (email, DNS, web — and whether ACG-managed), admin logins (-> vault), key contacts
  • 5. Discrepancies logged + remediation started

Legend: MATCH RMM >= billed · SHORT (n) RMM under billed by n · MISSING no RMM org · ? needs investigation. Svc flags from billing: B=Backup A=AV E=Email V=VoIP.


A. Present in RMM — counts match (verify services + wiki) — 7

done Client Syncro CID GPS billed RMM machines Status Svc Notes
[ ] Dataforth Corp 578095 43 51 MATCH (RMM+8) B A E RMM has more than billed — reconcile extras
[ ] Cascades of Tucson 20149445 29 33 MATCH (RMM+4) A E V
[ ] Valley Wide Plastering 31694734 29 28 MATCH (~) B short 1, within reason
[ ] Len's Auto Brokerage 3289131 8 8 MATCH E
[ ] Arizona Medical Transit 7088349 1 2 MATCH (RMM+1) B E V
[ ] AT Trebesch 238740 1 1 MATCH -
[ ] Russo Law Firm 23331699 3 3 MATCH A E V Renamed 2026-07-03 from mislabeled "Russo, Steve" (Steve Russo owner, Shannon Trionfo contact)

Bucket A findings (discovery 2026-07-03)

  • Dataforth Corp — 51 agents vs 43 billed GPS (+8). Possible under-billing / uncounted machines — several look like personal boxes (DESKTOP-*, LAPTOP-RD47E88A, Test01). Reconcile host-by-host with Mike; confirm which are billable. Wiki: dataforth.md exists.
  • Cascades of Tucson — 33 agents vs 29 billed (+4). RECEPTIONIST-PC appears twice in RMM — likely a duplicate/stale agent record to clean up. Wiki: cascades-tucson.md exists.
  • Valley Wide Plastering — 28 agents vs 29 billed (short 1). Effectively reconciled. Wiki: valleywide.md exists.
  • Len's Auto Brokerage — 8 agents = 8 billed (MATCH). FLAG: LAB-SVR (production Server 2019) agent offline since 2026-06-18 (~2 wks) — verify box/agent health. Email = 1x M365 Apps for Business; email host/provider not documented in wiki (gap). Wiki: lens-auto-brokerage.md thorough.
  • Arizona Medical Transit — 2 agents (AMT-HYPERV + AMT-PC) vs 1 billed. No wiki article exists — create one (host/provider, logins -> vault).
  • AT Trebesch — 1 agent = 1 billed (MATCH). Wiki: attrebesch.md exists.
  • Russo Law Firm — 3 agents = 3 billed (MATCH). Org rename applied today. Sites: Main (has all 3) + empty "Shannon" site — consider moving STRIONFO to the Shannon site. Wiki: russo-law.md exists.

Still to verify per client (services + wiki): backups (none billed for most of A except Dataforth/VWP/AMT), AV coverage vs billed AV seats, email host documented, admin logins in vault.

Backup layer (B2/MSP360) findings

  • DataforthACG-Dataforth bucket present w/ data (billed B) [OK dest exists]
  • Valley WideVWP-Backup bucket present w/ data (billed B) [OK dest exists]
  • Arizona Medical Transitbilled Data Backup but NO dedicated B2 bucket — destination unknown (Datto? shared bucket?). VERIFY where AMT backup lands.
  • CascadesACG-Cascades bucket present w/ data but no Data Backup line item billed — possible unbilled backup / revenue leak, or legacy. Confirm w/ Mike.
  • Len's AutoACG-Lens bucket present w/ data but backup not billed (Svc=E only) — same question as Cascades.
  • Caveat: bucket file lists are name-ordered, not time-ordered — "backup ran today" freshness must be confirmed in the MSP360 console; bucket presence only proves a destination is configured.
  • Other buckets not tied to a bucket-A client: ACG-BST, ACG-Brett, ACG-GLAZTECH, ACG-IX, ACG-PST, ACG-REDNOUR, ACG-Rohrbach, ACG-TCA, Horseshoe, ACG-Internal, MSPBackups20200311 (stale — 2021, ex-client FSG).

AV layer findings (AV split across TWO tools — Datto AV is primary for big clients, Bitdefender for smaller)

  • Dataforth — billed 43 AV. Datto EDR: 51 agents (org 4a2664bf) — covered [OK]. (Bitdefender also has 5 — legacy/partial; Datto is primary.)
  • Cascades — billed 29 AV. Datto EDR: 34 agents (org 2d5ea96e) — covered [OK]. Bitdefender company exists but 0 endpoints — Cascades AV lives entirely in Datto.
  • Russo Law Firm — billed ~5 AV. Bitdefender: 6 endpoints (company 60abfa4c) — covered [OK], but STRIONFO listed twice in Bitdefender (dedupe stale record). Not the primary in Datto.
  • Lesson for the audit: AV coverage is NOT single-tool — must check BOTH Datto EDR and Bitdefender before declaring an AV gap. Bitdefender company names carry the Syncro CID suffix (_NNNNN) which makes mapping exact.
  • Datto "Default RMM Org" (35 agents, 23 sites) is a catch-all — small clients' Datto agents may sit there unsegmented; relevant when we reach buckets B/C.

Email + vault findings

  • Vault: all 7 A clients have entries. Dupes to consolidate: russo + russo-law, and valleywide + vwp. AMT had a vault entry (RMM keys) but no wiki (now created).
  • Email hosts (from billing — several need the actual mail host documented):
    • Dataforth — Pax8 M365 (Exchange Online P1 + M365 Business Std): ACG-managed M365 [OK]
    • Cascades — 45 M365 Business Premium + 235 "Exchange Hosted Email": large hosted-Exchange footprint, host not documented [GAP]
    • Len's Auto — only 1 M365 Apps for Business (no mailbox license): actual email host unknown [GAP]
    • Arizona Medical Transit — 5 "Exchange Hosted Email": host not documented [GAP]
    • Russo Law — 5 "Exchange Hosted Email": host not documented [GAP]
    • AT Trebesch — no email billed
  • "Exchange Hosted Email" is a recurring unknown across A (and likely B/C) — one host to identify (ACG-hosted Exchange vs a third party). Resolve once, apply everywhere.

Bucket A verification rollup (2026-07-03)

  • Machines: reconciled 7/7 (findings above). Backups: mapped 7/7 (3 billing flags held for Winter). AV: verified 3/3 AV-billed clients covered (Datto + Bitdefender). Vault: present 7/7. Wiki: 6 existed + AMT created = 7/7.
  • Remaining open (documentation, not coverage gaps): email host for Cascades/Len's/AMT/Russo; Dataforth +8 billing reconcile; Cascades dup agent + Bitdefender dup (STRIONFO); Len's LAB-SVR offline; vault dupe consolidation. All logged; nothing outbound to Winter until the full list is verified.

B. Present in RMM — SHORT (missing agents to deploy) — 8

done Client Syncro CID GPS billed RMM machines Gap Svc Notes
[ ] Glaz-Tech Industries 143932 159 5 154 B A E ANOMALY — 149x GPS basic + 10x GPS Pro Server billed; verify billing is real vs legacy before treating as 154 missing
[ ] Instrumental Music Center 7088508 20 1 19 A E V
[ ] Jimmy Company 18560272 12 1 11 B A
[ ] Horseshoe Management 625269 9 1 8 B E
[ ] Safesite LLC 26563106 37 31 6 A E
[ ] Stamback Septic 11513046 8 3 5 V
[ ] Grabb & Durando Law Office 14232794 12 9 3 B A E
[ ] Quantum Wealth Management 7088747 3 2 1 B E V

Bucket B coverage matrix (RMM vs Datto AV vs Bitdefender, 2026-07-03)

Client GPS billed RMM Datto Bitdef Read
Glaz-Tech Industries 159 5 (all servers) 5 242 ANOMALY — RMM+Datto = 5 real infra boxes; Bitdefender 242 is years of stale enrollments; 149 GPS-basic billing not backed by real machines. HUMAN review (Mike).
Instrumental Music Center 20 1 0 22 Real gap — ~22 workstations exist (Bitdefender AV) but only IMC1 in RMM. Deploy ~19 RMM agents.
Horseshoe Management 9 1 6 7 Real gap — 6-7 machines exist (Datto+BD), only HSM-NewServer in RMM. Deploy ~5-8 agents.
Safesite LLC 37 31 48 16 Real gap — 48 in Datto, RMM 31. Machines exist; RMM short ~6+. Dedupe RMM MSI (listed twice).
Grabb & Durando 12 9 0 15 Real gap — 15 in Bitdefender, RMM 9. Deploy ~3-6 agents.
Quantum Wealth Mgmt 3 2 0 4 Small gap — BD 4, RMM 2. Add ~1-2 agents.
Jimmy Company 12 1 0 1 BILLING FLAG — only 1 machine managed anywhere (RMM Blaster2 / BD 1). Billed 12 -> either stale billing OR 11 unmanaged+unprotected machines. Investigate.
Stamback Septic 8 3 (2 uniq) 0 2 BILLING FLAG — 2-3 machines managed anywhere, billed 8. Same question as Jimmy. RMM DESKTOP-BTR2AM3 listed twice (dedupe).

Split: Real RMM-deploy gaps -> IMC, Horseshoe, Safesite, Grabb, QWM (~34-52 agents to push where the box already runs Datto/BD AV). Billing/coverage review (for Winter/Mike, document only) -> Glaz-Tech, Jimmy, Stamback. RMM dedupes -> Safesite MSI x2, Stamback DESKTOP-BTR2AM3 x2. Bitdefender companies exist for ALL bucket-B (and nearly all bucket-C) clients with the Syncro CID in the name — AV is broadly deployed even where RMM is not.

IMC deep-dive (template client for the deploy pattern, 2026-07-03)

  • IMC1 = Primary DC for domain IMC.local (192.168.0.2), already in RMM; Domain Admin cred IMC\guru vaulted (clients/imc/imc1.sops.yaml). RMM site: IMCMain / INNER-BRIDGE-8354.
  • True active fleet ~22 (AD objects with 2026 logons == Bitdefender's 22). Billed 20 GPS — legit.
  • RMM has only IMC1 -> 21 active domain machines need the agent.
  • Deploy vehicle: push GuruRMM site MSI (INNER-BRIDGE-8354) from the DC to domain members using the vaulted Domain Admin cred (Invoke-Command or a software-install GPO). This is the reusable pattern for any domain client (DC already in RMM -> AD is the authoritative list -> push from DC).
  • AD hygiene finding: ~24 stale computer objects in IMC.local (Windows 7, last logon 2015-2019) never removed — separate cleanup task.
  • Deploy targets (in Bitdefender, active, not IMC1): IMC-M-EDSERVICE, IMC-SVCSTR, IMC-L1-STATION9, IMC-MINI, IMC-LESSONS, IMC-STATION2, IMC-STATION1, PURCHASINGCOMP, IMC-L1-GRAPHICS, LAPTOP-DCHQ3F92, LAPTOP-PNVA9G51, PHIL2021LAPTOP, IMC-LUIS, DESKTOP-GHG12G3, DESKTOP-JQ0D38J, DESKTOP-URV3UGR, C2B, IMC-PRINTSERVER, DESKTOP-44L80C0, DESKTOP-MR3ALTK, REPAIRADMIN (21).

IMC DEPLOY EXECUTED 2026-07-03 — via ScreenConnect (channel finding: see memory reference_rmm_deploy_via_screenconnect)

  • DC remote-exec is a dead end on IMC's Win10/11 clients: DCOM firewalled (WMI "RPC unavailable"), schtasks/S rejected by Win11 from the 2016 DC ("request not supported"), WinRM off. SYSTEM on the DC also can't create GPOs; SSH to IMC1 blocked (Tailscale route not accepting 192.168.0.0/24 + no local key).
  • Working channel = ScreenConnect send-command (runs as SYSTEM on the guest, no creds, no firewall issue). Every IMC machine has an SC agent.
  • Pushed powershell -enc <base64 of: irm '<site>/windows'|iex> to 20 of 21 targets (2 test + 18 rollout). IMC-L1-GRAPHICS has NO SC session (stale 2025 box — handle separately).
  • Result: RMM IMC agents 1 -> 12 and climbing (online machines enrolled in ~1-3 min; offline ones queued in SC, install on reconnect). Daily check task tracks to completion.
  • DA-password attempts via RMM were scrubbed (DELETE /api/commands/:id, HTTP 204) — no credential persisted. No partial installs from the failed methods.

Bucket B enrollment progress (via ScreenConnect send-command)

  • IMC — 1 -> 12 enrolled (site INNER-BRIDGE-8354); ~8 offline queued in SC; IMC-L1-GRAPHICS no SC session.
  • Horseshoe Management — 1 -> 4-5 enrolled (site GOLD-OCEAN-4982); pushed to hsm-bill/cathy/frank02/server + desktop-jk4e68n; hsm-cathy + desktop-jk4e68n still installing.
  • Grabb & Durando — multi-site (Main LIGHT-PEAK-6399, Bob's House LIGHT-GATE-7086, Jeff's House UPPER-FALCON-8240). Most BD "gap" machines have NO SC session and are likely stale/duplicate BD records (real gap ~3, not 6). Only GND-L-3 had an SC session (pushed). HOMEPC flagged — needs house-site assignment. Grabb needs closer per-machine review, not bulk push.
  • Channel finding: ScreenConnect coverage VARIES per client — universal on IMC/Horseshoe, sparse on Grabb. Check SC session existence per machine before assuming the channel; where SC is absent, the machine may be stale in Bitdefender or need another channel.
  • Quantum Wealth — 2 -> 3 (target met). Pushed QUANTUMSERVER + DESKTOP-K89A8CF (site GREEN-CLOUD-1199).
  • Safesite — 31 -> 34 and climbing (20 gap machines pushed, 3 had no SC). NOTE: Safesite has ~48 real machines in Datto vs 37 billed — likely under-billed AND under-deployed. Deployed to the "Unknown" catch-all site (LIGHT-CLOUD-3585) because the 3-site split (Bell/Glendale/Unknown) can't be mapped from the asset-tag hostnames — needs re-siting in the come-back pass.
  • Jimmy Company / Stamback Septic — billing flags: only 1 / ~2 machines exist anywhere (BD/Datto), nothing to enroll. For Winter/Mike billing review.

For the come-back pass (missing machines + issues to fix)

  • Bucket B stragglers: offline machines queued in SC (install on reconnect) — daily check tracks.
  • IMC-L1-GRAPHICS (no SC), Grabb's ~3 real-gap machines (no SC), Safesite's 3 without SC.
  • Safesite: re-site the ~20 machines from "Unknown" to Bell/Glendale; reconcile 48-Datto-vs-37-billed (under-billing?).
  • Grabb HOMEPC: assign Bob's vs Jeff's house site.
  • Billing flags to Winter: Jimmy (12 billed, 1 real), Stamback (8 billed, ~2 real), Glaz-Tech (159 anomaly), + backup mismatches (AMT/Cascades/Len's).
  • Bucket C (25 clients): no RMM org yet — must /rmm onboard (client+site) BEFORE deploying.

C. MISSING from RMM entirely (no org found) — 25

done Client Syncro CID GPS billed Svc Notes / verify not under an alias
[ ] Reliant Well Drilling and Pump 10736261 9 B V
[ ] Zeus Nestora 1196974 8 -
[ ] Little Hearts Little Hands 1144233 8 E
[ ] PUTT Land Surveying 7180175 7 A E
[ ] Curtis Plumbing 416585 6 B A E
[ ] The Prairie Schooner 3664974 5 B E V
[ ] Mineralogical Record 207770 5 B A V
[ ] T & C Sorensen 344886 4 B E
[ ] MVAN Enterprises Inc 29462761 4 A E
[ ] Ridgetop Group 9413367 3 B
[ ] Multicultural Counseling Center 35483539 3 A E
[ ] Brett Interiors 15726057 3 B
[ ] Heieck, Sheila 12045942 3 E individual-named account
[ ] The Marc Group 869073 2 E
[ ] Residential and Renovation Engineering 7088403 2 A V
[ ] Bill Tedards 487887 2 B E V
[ ] Janet Altschuler 457710 2 B individual-named account
[ ] Business Services of Tucson LLC 29338800 2 B
[ ] Andy's Mobile Fuel 27364453 2 E
[ ] Design and Brand Envoys 26747288 2 B A E
[ ] Pro-Tech Services 23702122 2 A
[ ] Inside Track Productions 3021358 1 -
[ ] Gary A Hartman LLC 29038261 1 B
[ ] Robyn Pittman 17031534 1 - individual-named account
[ ] Marty Ryan 140717 1 A E individual-named account

Daily progress check (automated)

  • Windows scheduled task GPS-RMM-Progress runs daily 8:07am (Howard-Home), script .claude/scripts/gps-rmm-progress-check.sh, targets projects/gps-rmm-audit/targets.json. Compares live RMM agent counts (unique hostnames) to GPS device targets and DMs Howard the remaining gaps; reports COMPLETE when all met (then retire via schtasks /Delete /TN GPS-RMM-Progress). Baseline 2026-07-03: 46/189 devices in RMM, 32 clients short. Glaz-Tech excluded pending billing review.

Rollup

  • 7 clients match on machine count (still need service + wiki verification).
  • 8 clients present but short — ~50 agents to deploy (excl. Glaz-Tech anomaly).
  • 25 clients with no RMM org — ~86 GPS devices billed, zero RMM presence (some may be under an alias / not yet deployed — verify per client).
  • Biggest single flag: Glaz-Tech Industries billed 159 GPS but only 5 RMM agents — confirm the billing is current before acting.

Method notes

  • GPS SKUs matched: GPS basic/monthly, GPS pro/monthly, GPS Workstation, GPS Server, GPS Pro Server (+ variants). Excluded: GPS AntiVirus Add-on, GPS addon, GPS Discount, GPS Set-up, GPS trial.
  • RMM counts from GET /api/agents grouped by client_name, 2026-07-03.
  • "MISSING" = no client_name match in RMM; each must be double-checked for an alias (person name / DBA) before onboarding a duplicate.